Heat has two problem areas related to managing keystone identities:
1 - Storing user credentials when creating a stack, so that we can subsequently perform actions on behalf of the user who created the stack (HA actions, autoscaling events, etc.)
2 - We allow credentials (a keystone ec2 keypair) to be deployed inside each instance, so that the instance can authenticate with our APIs for the purposes of reading updated resource metadata and writing the metric data used for alarm evaluation.
(1) is likely to be solved by the Trusts work recently merged into keystone, but I'd like to clarify the details/design of how we will use trusts to perform actions on behalf of the stack-owner in a secure way.
(2) We currently have a sub-optimal solution for, but no clear path to improving it. I'd like to present the current state of our in-instance credentials management and brainstorm the way forward; I'm expecting some requirements for additional keystone features to come out of this.
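To make the delegation model behind (1) concrete, here is an added in-memory model of the keystone v3 trust flow (not Heat or keystone code): the stack owner (trustor) delegates a subset of its project roles to the heat service user (trustee), and heat later exchanges the trust id for a token carrying only those roles, with no stored user password. User, project and role names are constructed sample data.

```python
"""Model of keystone v3 trust delegation as Heat would use it (added example)."""
import datetime as dt
import uuid
from typing import Optional


class TrustError(PermissionError):
    pass


class KeystoneTrusts:
    def __init__(self):
        self.assignments = {}  # (project_id, user_id) -> set of role names
        self.trusts = {}       # trust_id -> trust record

    def grant(self, project_id, user_id, role):
        self.assignments.setdefault((project_id, user_id), set()).add(role)

    def create_trust(self, trustor, trustee, project_id, roles,
                     expires_at: Optional[dt.datetime] = None,
                     remaining_uses: Optional[int] = None, impersonation=False):
        # keystone refuses to delegate roles the trustor does not itself hold
        held = self.assignments.get((project_id, trustor), set())
        missing = set(roles) - held
        if missing:
            raise TrustError("trustor lacks roles: %s" % sorted(missing))
        trust = dict(id=uuid.uuid4().hex, trustor=trustor, trustee=trustee,
                     project_id=project_id, roles=sorted(set(roles)),
                     expires_at=expires_at, remaining_uses=remaining_uses,
                     impersonation=impersonation)
        self.trusts[trust["id"]] = trust
        return trust["id"]

    def trust_scoped_token(self, user, trust_id, now: dt.datetime):
        """Token heat requests later (HA action, autoscaling event) on the stack."""
        trust = self.trusts.get(trust_id)
        if trust is None or trust["trustee"] != user:
            raise TrustError("no such trust for this trustee")
        if trust["expires_at"] is not None and now >= trust["expires_at"]:
            raise TrustError("trust expired")
        if trust["remaining_uses"] is not None:
            trust["remaining_uses"] -= 1
            if trust["remaining_uses"] <= 0:  # consumed: keystone deletes the trust
                del self.trusts[trust_id]
        return {"user_id": trust["trustor"] if trust["impersonation"] else user,
                "project_id": trust["project_id"], "roles": trust["roles"],
                "trust_id": trust_id}


def demo():
    """Stack owner 'alice' delegates only heat_stack_owner to 'heat' (constructed data)."""
    ks, now = KeystoneTrusts(), dt.datetime(2013, 4, 1, tzinfo=dt.timezone.utc)
    ks.grant("proj", "alice", "member")
    ks.grant("proj", "alice", "heat_stack_owner")
    tid = ks.create_trust("alice", "heat", "proj", ["heat_stack_owner"],
                          expires_at=now + dt.timedelta(days=1), remaining_uses=1)
    token = ks.trust_scoped_token("heat", tid, now)
    try:
        ks.create_trust("alice", "heat", "proj", ["admin"])  # role alice lacks
        over_delegated = True
    except TrustError:
        over_delegated = False
    return {"roles": token["roles"], "user": token["user_id"],
            "over_delegated": over_delegated, "trust_left": tid in ks.trusts}
```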