Comment 3 for bug 1085049

Steven Hardy (shardy) wrote :

Yeah, so there are really two problems:
- The user creating the stack needs to have the admin role if they want to use these resources (not sure if this is actually a problem, or if we just need to document the addition of the demo user to the right role in the Devstack getting started, although the Fedora getting started procedure results in a user which already has the admin role)

- The AccessKey resource FnGetAtt call to _secret_accesskey() must work *without* the admin role, because cfn-hup uses the in-instance user credentials, which we definitely don't want to have the admin role. This then allows the in-instance user credentials to read the instance resource metadata (via a DescribeStackResource call to the CFN api), which includes the secret key _for the in-instance user_ which will allow us to implement stuff like in-instance key expiry/rotation (like AWS does for IAM Roles) if we wish.

So the first problem is either a patch to devstack or a change to the docs I think (SteveB - do you have any strong opinions on which?)

The second problem is a regression caused by my user.py rework last week - I have a fix for this which I'm currently testing.