Application Credentials

API - CLI Identity Credential Types

For CLI/API access, OpenStack offers several credential types; which one fits best depends on the deployment and on your requirements. The following credential types are currently available.

A) Application Credentials

Keystone Application Credentials let users generate their own OpenStack credentials for applications and authenticate against the identity service without exposing their main (federated) login credentials.

Advantage: Application Credentials can be revoked or rotated without interrupting the application, and they can be given an automatic expiration time.

Disadvantage: They are tied to the user account that created them. If an employee leaves the company, deactivating the user account alone is not sufficient; the employee's Application Credentials must also be deleted. More about Application Credentials can be found under How to create Application Credentials.

B) Local User - API access via Local Keystone Password is not supported.

C) Download current user's session token - Users who have activated OTP (two-factor authentication with a one-time password) can download their current user session token, which is valid for 24 hours, from the OpenStack Management (Horizon).

To do this, log in to the OpenStack Management (Horizon).

Then click on the small arrow in the upper right corner and select Export credentials.

In the next window, select Current user's session token and the desired Export Format (YAML or RC) and confirm with Download.

Note

RC: Exports the OS_* Bash environment variables as a file that you source in your shell.

YAML: Exports a clouds.yaml file that must be placed in the ~/.config/openstack directory; the cloud entry it contains is then selected via the environment variable OS_CLOUD or the CLI parameter --os-cloud.

Tip

The "Current user's session token" is valid for 24 hours and can be used with the API, the CLI, or Terraform. After that the token expires, and the user obtains a new one via Horizon.

D) Federated user

Users who have not activated OTP can, in addition to methods A) and C), also select the Federated user method; they are then prompted for their Keycloak password during an API/CLI call. Terraform does not support this method.

Note

Depending on the defined password policy, not all credential types may be allowed. If, for example, OTP is mandatory, credential type D) Federated user is currently not possible.

How to create Application Credentials

A user's federated login credentials cannot be used for access to OpenStack from a CLI tool. The solution is Keystone Application Credentials, which the user creates after logging into OpenStack Horizon and then uses directly in CLI tools. Application Credentials let users generate their own OpenStack credentials for applications and authenticate against the identity service without exposing their main credentials.

Please navigate to Identity => "Application Credentials" in OpenStack Horizon and click on Create Application Credentials.

Now enter a name and description for the Application Credential and click on "Create Application Credential".

  • The Application Credential is created for the currently selected project.
  • You can specify your own secret; otherwise one is generated for you.
  • Optionally, you can give the Application Credential an expiration date and time.
  • You can select one or more roles for the Application Credential. If you select none, all roles assigned to you in the current project are applied. For more information on roles, see Application Credential Roles.

Important

If you need the Application Credential for creating a Kubernetes cluster, you must check "Unrestricted (dangerous)" to get the necessary permissions (creation of additional trusts). An unrestricted Application Credential may itself create and delete trusts and further Application Credentials, which is why the option is marked dangerous; leave it unchecked for every other use.

  • Note the ID and secret of the created Application Credential to use them in your CLI tool.
  • Alternatively, depending on later use, you can download the "clouds.yaml" or "openrc" (legacy) file, which contains all the required information.

Important

The Application Credential secret is no longer available after closing this page, so you must note it down now or download the clouds.yaml file! If you lose it, you must generate a new Application Credential.

  • Then click on "Close".

Example of a clouds.yaml File

# This is a clouds.yaml file, which can be used by OpenStack tools as a source
# of configuration on how to connect to a cloud. If this is your only cloud,
# just put this file in ~/.config/openstack/clouds.yaml and tools like
# python-openstackclient will just work with no further config.
# If you have more than one cloud account, add the cloud entry to the clouds
# section of your existing file and you can refer to them by name with
# OS_CLOUD=openstack or --os-cloud=openstack
clouds:
  openstack:
    auth:
      auth_url: https://keystone.service.ewcs.ch/v3
      application_credential_id: "003295c34794404..."
      application_credential_secret: "-15dgWMA19Bd5q..."
    region_name: "ch-zh1"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
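The following is an added example and not part of the original documentation or of any OpenStack project code. It shows what the CLI/SDK actually sends to Keystone for the two credential types above: the application-credential auth body built from a clouds.yaml entry like the one just shown (credential type A), and the token auth body used for an exported session token (credential type C). It also checks an Application Credential's expires_at before use and redacts the body for logging. The cloud entry, token ID, project ID and timestamps are constructed sample values, not real credentials; the function names are this example's own.

```python
"""Keystone v3 auth request bodies for Application Credentials and session tokens.

Added example: builds the JSON that OpenStack clients POST to
{auth_url}/auth/tokens, checks expiration, and redacts secrets for logs.
All values below are constructed samples, not real credentials.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the "openstack" entry of the clouds.yaml above, as
# yaml.safe_load would return it (placeholder values, not real credentials).
SAMPLE_CLOUD = {
    "auth": {
        "auth_url": "https://keystone.service.ewcs.ch/v3",
        "application_credential_id": "003295c34794404...",
        "application_credential_secret": "-15dgWMA19Bd5q...",
    },
    "region_name": "ch-zh1",
    "interface": "public",
    "identity_api_version": 3,
    "auth_type": "v3applicationcredential",
}


def token_endpoint(cloud):
    """POST target for every Keystone v3 authentication request."""
    return cloud["auth"]["auth_url"].rstrip("/") + "/auth/tokens"


def app_credential_auth_body(cloud):
    """Auth body for auth_type v3applicationcredential (credential type A).

    No "scope" block is sent: an Application Credential is bound to the
    project it was created in, and Keystone rejects explicit scoping.
    """
    if cloud.get("auth_type") != "v3applicationcredential":
        raise ValueError("cloud entry is not an application-credential cloud")
    auth = cloud["auth"]
    return {
        "auth": {
            "identity": {
                "methods": ["application_credential"],
                "application_credential": {
                    "id": auth["application_credential_id"],
                    "secret": auth["application_credential_secret"],
                },
            }
        }
    }


def session_token_auth_body(token_id, project_id):
    """Auth body for auth_type v3token (the exported session token, type C).

    The token carries the user identity; a project scope is still needed to
    obtain a project-scoped token for Nova, Neutron and the other services.
    """
    return {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": token_id}},
            "scope": {"project": {"id": project_id}},
        }
    }


def is_expired(expires_at, now=None):
    """True if an Application Credential's expires_at has passed.

    expires_at is the ISO 8601 string Keystone reports (naive timestamps are
    UTC). A credential without expiration (None) never expires on its own.
    """
    if expires_at is None:
        return False
    now = now or datetime.now(timezone.utc)
    exp = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp <= now


def redact(body):
    """Deep copy of an auth body with the secret or token ID masked for logs."""
    redacted = json.loads(json.dumps(body))
    ident = redacted["auth"]["identity"]
    if "application_credential" in ident:
        ident["application_credential"]["secret"] = "***"
    if "token" in ident:
        ident["token"]["id"] = "***"
    return redacted


if __name__ == "__main__":
    body = app_credential_auth_body(SAMPLE_CLOUD)
    print("POST", token_endpoint(SAMPLE_CLOUD))
    print(json.dumps(redact(body), indent=2))
```

The resulting token comes back in the X-Subject-Token response header, not in the JSON body, so never log the full response headers either; log only the redacted request and the token's expires_at.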

Application Credential Roles

The selectable roles in Application Credentials mean:

Role                  Description
_member_              Default role that grants access to a project
member                Duplicate of _member_ that is still required for some API calls
heat_stack_owner      Allowed to create and launch Heat stacks
reader                May read secrets in Barbican
creator               May create secrets in Barbican, e.g. for server-side encryption
load_balancer_member  May create load balancers