Ceph
Cephcloud2 credentials
CephX Client Keyring
ceph / cephx-keyring
Ceph users authenticate with secret keys stored in keyrings. Ceph documents that clients specify a user name and a keyring containing the secret key, and that client.admin is assumed if no user is specified.
Looks like
patternkey\s*=\s*[A-Za-z0-9+/=]{20,}Location
/etc/ceph/*.keyring, ceph.client.*.keyringCeph client keyring files containing user names and secret keys
CEPH_ARGScan specify user and keyring arguments for Ceph clients
Kubernetes Secrets, Rook secrets, cloud secret managers, and deployment vaults
accidentally committed keyrings, test clusters, and deployment manifests
host backups, VM images, and container images containing /etc/ceph
command history, debugging output, and CI traces
Notes
Keyrings are bearer-like secrets for Ceph capabilities. client.admin keys are highly privileged.
RADOS Gateway S3 Access / Secret Key
ceph / radosgw-s3-key
Ceph Object Gateway users can have S3-style access keys and secret keys. These credentials authenticate S3 clients to RGW and are managed as Ceph object gateway user credentials.
Looks like
patternAKIA[0-9A-Z]{16}Location
s3 client config, rclone config, application .env files, and deployment manifests
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, RGW_ACCESS_KEY, RGW_SECRET_KEYKubernetes Secrets, cloud secret managers, CI/CD variables, and object-store vault entries
S3 client scripts, tests, and accidentally committed configs
S3 client debug logs and CI output
AuthorizationS3 Signature authentication headers derived from access and secret keys
Notes
RGW key blast radius depends on the user's bucket and capability grants.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.