Alec Li

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2025-61

May 14, 2025

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2025/EECS-2025-61.pdf

As cloud computing systems evolve, there has been increasing reliance on systems that span multiple cloud providers, and with it increased use of workload orchestrator services that assist with deploying and managing workloads across multiple clouds. However, the workload orchestrators that exist today all require the end user to disclose their cloud credentials, which means that an adversary who compromises a workload orchestrator can access resources in the user's cloud.

Skydentity recently addressed one aspect of this security issue by introducing a system that protects against orchestrator compromise: workload orchestrators never hold any cloud credentials, and proxies enforce fine-grained, user-specified authorization policies. However, VMs created through Skydentity cannot request resources across clouds, limiting the scope of workloads that can use Skydentity.

We introduce an extension of Skydentity that allows VMs created by workload orchestrators to access resources across clouds while maintaining Skydentity's security guarantees against orchestrator compromise. Our prototype adds at most 3% latency during VM creation and has negligible effect on subsequent cross-cloud resource requests.

Advisors: Raluca Ada Popa


BibTeX citation:

@mastersthesis{Li:EECS-2025-61,
    Author= {Li, Alec},
    Title= {Enforcing Least Privilege Cross-Cloud Resource Access for Cloud Orchestrators},
    School= {EECS Department, University of California, Berkeley},
    Year= {2025},
    Month= {May},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2025/EECS-2025-61.html},
    Number= {UCB/EECS-2025-61},
    Abstract= {As cloud computing systems evolve over time, there has been an increased dependency on systems that span across multiple cloud providers, leading to the increased usage of <i>workload orchestrator</i> services, to assist with the deployment and management of workloads among multiple clouds. However, the workload orchestrators that exist today all require the end user to disclose their cloud credentials—this means that an adversary that compromises a workload orchestrator can access resources in the user's cloud.

Recently, Skydentity solves one aspect of this security issue, by introducing a system that protects against orchestrator compromise, ensuring that workload orchestrators never hold any cloud credentials, and utilizing proxies that enforce fine-grained user-specified authorization policies. However, VMs created through Skydentity do not have the ability to request resources <i>across clouds</i>, limiting the scope of workloads that can utilize Skydentity.

We introduce an extension of Skydentity that allows for VMs created by workload orchestrators to access resources across clouds, while maintaining the security guarantees of Skydentity, protecting against orchestrator compromise. Our prototype introduces an added latency of at most 3% during VM creation, and has negligible effect on subsequent cross-cloud resource requests.},
}

EndNote citation:

%0 Thesis
%A Li, Alec 
%T Enforcing Least Privilege Cross-Cloud Resource Access for Cloud Orchestrators
%I EECS Department, University of California, Berkeley
%D 2025
%8 May 14
%@ UCB/EECS-2025-61
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2025/EECS-2025-61.html
%F Li:EECS-2025-61