lolcreds

Public credential defaults and exposure patterns for authorized security testing.

etcd

Cloud Native Computing Foundationdatabase4 credentials

Credentials4 documented
01

Unauthenticated Default Client Access

etcd / unauthenticated-default

etcd client authentication is disabled unless auth is explicitly enabled. In an auth-disabled deployment, clients can read and write through exposed etcd client endpoints without presenting a username, password, token, or client certificate, unless network or TLS controls block them.

no authsecretusername/password

Unauthenticated access

open default
no authentication required
username
none
password
none

Location

public interface
http://<host>:2379, https://<host>:2379

etcd client API listener when auth is disabled or unauthenticated clients are accepted

config file
etcd flags/config, static pod manifest, systemd unit

--auth-token, auth enable state, client-cert-auth, trusted-ca-file, and listen/advertise client URLs determine whether credentials or mTLS are required

logs

etcd startup logs and etcdctl auth status output showing auth disabled/enabled state

Notes

This represents absence of etcd username/password authentication, not a blank password. Exposure depends on listen URLs, firewalling, Kubernetes control-plane network isolation, TLS client-auth settings, and whether `etcdctl auth enable` has been run.

02

etcd User Password

etcd / client-user-password

etcd can enable username/password authentication for client access. Users and roles control access to keys and ranges once auth is enabled.

user definedgenerated on installsecretusername/password

Location

public interface
etcd client API, etcdctl, gRPC gateway, and Kubernetes apiserver-to-etcd access
database

etcd auth store containing users, roles, and password verifier state

config file

etcd static pod manifests, systemd units, etcdctl scripts, and deployment manifests

environment
ETCDCTL_USER, ETCDCTL_PASSWORD
secret store

Kubernetes Secrets, Vault entries, and cluster bootstrap secret stores

logs

etcd server logs, audit output, and etcdctl traces

03

Client / Peer TLS Private Key

etcd / client-peer-tls-key

etcd commonly uses mutual TLS for client and peer authentication. Client, server, and peer certificate private keys grant access to the cluster or quorum communication path.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

private key material for etcd client, server, or peer TLS authentication

-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED |)PRIVATE KEY-----

Location

config file
/etc/kubernetes/pki/etcd/, /etc/etcd/

etcd client, server, peer, and CA certificate/key files

secret store

Kubernetes Secrets, PKI vaults, and backup key stores

artifact

cluster backups, kubeadm cert bundles, support bundles, and disaster recovery archives

04

Bootstrap, Snapshot, and Encryption Secret

etcd / bootstrap-token-and-snapshot-secret

etcd deployments often store bootstrap credentials, backup/snapshot credentials, and Kubernetes secrets data inside etcd. Exposure of snapshots can expose all Kubernetes Secret values unless separately encrypted.

generated on installuser definedsecretsecret value

Location

artifact

etcd snapshots, disaster recovery backups, and copied data directories

config file

backup scripts, snapshot cron jobs, static pod manifests, and encryption provider configs

secret store

backup vaults and cloud object storage credentials

database

etcd keyspace including Kubernetes Secret objects or application secrets

Notes

An etcd snapshot is often credential-equivalent in Kubernetes environments because it may contain all cluster Secret resources.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.