Application Credentials
Application credentials can be used to allow applications or other users certain access to specific projects without embedding the main user’s password in the application configuration.
Application credentials can be created either through the web interface or command line
Here we assume that users are familiar with using clouds.yaml. See Python SDK | Setting Up Clouds.yaml for more information.
Create Credential from the Web interface
The option for generating application credentials can be found under Identity -> Application Credentials. Select Create Application Credential.
The currently selected project will be used to generate application credentials for the user and project pair. If you have access to multiple projects, the project these credentials are valid for can be changed by selecting the project from the drop down menu at the top of the page.
The form has 7 fields:
Name: The name that is given to the application credential.
Description: Description of the application credential. This could be the description of which application will use this credential or the purpose of the credential.
Secret: A password for the credential which will be used to authenticate through Keystone. We recommend you leave this blank so that it is generated for you, or use a tool like pwgen to generate it automatically.
Expiration Date: Date that the application credential expires and will be deleted. If left blank, the application credential will not expire.
Expiration Time: The time at which the credential expires; if only a date is given, the time defaults to 00:00:00.
Roles: The role that the application credential is authorized to have.
Unrestricted Option: By default this is left unticked. If ticked, the application credential will be able to create additional application credentials.
For security, always have the application credential restricted. Restrictions on these operations are deliberately imposed as a safeguard to prevent a compromised application credential from regenerating itself.
It is important to make a note of the secret chosen for the application credential, as it is only revealed once, after the application credential has been generated. From the web interface, the RC file and the clouds.yaml file are also available only once, and it is recommended to download these files. If the user has forgotten the secret, a new application credential will have to be created.
Create Credential via the Web Interface (Horizon)
In the Web Interface, under the Identity tab, navigate to the Application Credentials tab.
The only required field is the Name.
– Secret: Unless specified, it will be randomly generated and revealed once after the credential is created.
– Expiration Date: If not defined the credential will not expire.
We can download the clouds.yaml file on the next page if needed.
Create Credential from Command Line
To view the list of application credentials, we can use the command:
openstack application credential list
This will return an empty line if no application credentials have been created yet, or a table similar to the one below:
+-----------------------------+-----------------------+------------+--------------------------------------------------------------------------+----------------------------+
| ID                          | Name                  | Project ID | Description                                                              | Expires At                 |
+-----------------------------+-----------------------+------------+--------------------------------------------------------------------------+----------------------------+
| APPLICATION_CREDENTIAL_ID_1 | Test-App-Credential-1 | PROJECT_ID | This is a test application credential generated using the web interface. | 2020-07-01T00:00:00.000000 |
| APPLICATION_CREDENTIAL_ID_2 | Test-app-credential-2 | PROJECT_ID | Test Application Credential from command line.                           | None                       |
+-----------------------------+-----------------------+------------+--------------------------------------------------------------------------+----------------------------+
To create a new application credential, you can use the command:
openstack application credential create [-h]
                                        [-f {json,shell,table,value,yaml}]
                                        [-c COLUMN] [--noindent]
                                        [--prefix PREFIX]
                                        [--max-width <integer>]
                                        [--fit-width] [--print-empty]
                                        [--secret <secret>]
                                        [--role <role>]
                                        [--expiration <expiration>]
                                        [--description <description>]
                                        [--unrestricted] [--restricted]
                                        <name>
Below is an example of creating an application credential which expires on 06/07/2020 at 00:00:00, with the secret generated automatically by OpenStack.
The secret is only revealed once. If a user has forgotten the secret, a new application credential has to be generated.
After an application credential has expired, it is still visible in the application credential list. If the expired application credential is used, authentication simply fails, and no one can get access to the project through it.
RC source and clouds.yaml file
Unlike in the web interface, the RC file and the clouds.yaml file are not automatically generated. They need to be created separately by the user. The following are examples of a clouds.yaml file and RC file for an application credential.
clouds.yaml
RC File
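As an added example (not taken from the original page), the following shell functions write a clouds.yaml and an RC file of the kind described above for an application credential. The credential ID, secret, auth_url and region are placeholder assumptions to be replaced with your own values; both files are created owner-readable only because they contain the secret.

```shell
# Placeholder values (assumptions): replace with the ID and secret shown once at creation time.
APP_CRED_ID="${APP_CRED_ID:-APPLICATION_CREDENTIAL_ID_2}"
APP_CRED_SECRET="${APP_CRED_SECRET:-REPLACE_WITH_SECRET}"
AUTH_URL="${AUTH_URL:-https://keystone.example.org:5000/v3}"
REGION="${REGION:-RegionOne}"

# write_clouds_yaml DIR: creates DIR/clouds.yaml using the v3applicationcredential auth type.
# Note that no username, password or project is needed: the credential is already bound to a project.
write_clouds_yaml() {
  out="$1/clouds.yaml"
  cat > "$out" <<EOF
clouds:
  appcred:
    auth:
      auth_url: $AUTH_URL
      application_credential_id: "$APP_CRED_ID"
      application_credential_secret: "$APP_CRED_SECRET"
    auth_type: v3applicationcredential
    region_name: $REGION
    interface: public
    identity_api_version: 3
EOF
  chmod 600 "$out"   # the file holds the secret; keep it readable by the owner only
}

# write_rc_file DIR: creates DIR/appcred-openrc.sh with the equivalent OS_* variables
# understood by the openstack CLI (source it instead of a password-based RC file).
write_rc_file() {
  out="$1/appcred-openrc.sh"
  cat > "$out" <<EOF
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=$AUTH_URL
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=$REGION
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=$APP_CRED_ID
export OS_APPLICATION_CREDENTIAL_SECRET=$APP_CRED_SECRET
EOF
  chmod 600 "$out"
}

# file_mode FILE: prints the octal permission bits so the chmod above can be verified.
file_mode() {
  stat -c '%a' "$1"
}
```

With the clouds.yaml in place, the credential is selected with `--os-cloud appcred` or `export OS_CLOUD=appcred`.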
Common Problems
When testing application credentials using the clouds.yaml configuration file by running the command below, you may encounter an authentication error:
This error may occur if you have previously sourced the RC file downloaded from API Access in OpenStack in the same terminal session, as shown below:
Check whether it has been sourced:
The OS_* variables exported by that file conflict with the settings in clouds.yaml. To resolve the issue, start a new terminal session and re-run the test above.
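As an added example (not from the original page), the following POSIX shell functions detect the password-authentication variables that a previously sourced RC file leaves in the session and clear them, as an alternative to opening a new terminal. The variable names are the standard ones used by the openstack CLI; the list is an assumption about which ones matter and can be extended.

```shell
# conflicting_os_vars: prints the names of password-auth OS_* variables currently set.
# Any of these, if still exported, override what clouds.yaml says and break the test.
conflicting_os_vars() {
  for v in OS_AUTH_TYPE OS_AUTH_URL OS_USERNAME OS_PASSWORD OS_USER_ID \
           OS_PROJECT_ID OS_PROJECT_NAME OS_TENANT_NAME OS_TENANT_ID \
           OS_USER_DOMAIN_NAME OS_USER_DOMAIN_ID \
           OS_PROJECT_DOMAIN_NAME OS_PROJECT_DOMAIN_ID; do
    # ${!v} is bash-only, so use eval for indirect expansion in plain sh
    eval "val=\${$v:-}"
    [ -n "$val" ] && echo "$v"
  done
  return 0
}

# count_conflicts: number of conflicting variables; 0 means the session is clean.
count_conflicts() {
  conflicting_os_vars | wc -l | tr -d ' '
}

# clear_os_vars: unsets every conflicting variable so that clouds.yaml (selected with
# --os-cloud or OS_CLOUD) is the only source of authentication settings.
clear_os_vars() {
  for v in $(conflicting_os_vars); do
    echo "unsetting $v"
    unset "$v"
  done
}
```

Run `count_conflicts` before testing a credential; anything other than 0 means a sourced RC file is still in effect.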