Monday, January 7, 2019

How to create and use Application Credentials in OpenStack Rocky

I recently got my nose into application credentials to avoid exposing plain passwords of my OpenStack account in several places (like juju, kubernetes or any other consumer of an OpenStack cloud backend).

Here are a few steps to get and test your application credentials:
  • open your dashboard
  • if you are allowed to create application credentials, you should see a button for them on the left side under Identity
  • then fill in the fields and download the rc file with the credentials to a machine where the OpenStack CLI client is installed
  • then use it to set the environment variables (e.g. the following)
#!/usr/bin/env bash

export OS_AUTH_TYPE=v3applicationcredential
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="garr-ct1"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=3df050279bc1490c871a52d49c3b5030
export OS_APPLICATION_CREDENTIAL_SECRET="<the secret you chose>"
  • use, for example, the following command to get a token:
>openstack token issue


The documentation on how to make the API POST/GET requests is quite complete here:
https://developer.openstack.org/api-ref/identity/v3/#create-application-credential

As an example you can use the following to create a token out of your app credentials (after generating them with a secret):

>curl -i -H "Content-Type: application/json" -d ' { "auth": { "identity": { "methods": ["application_credential"],  "application_credential": {  "id": "<your app credentials id>", "secret": "<your secret>"}}}}' "https://keystone.cloud.garr.it:5000/v3/auth/tokens"


HTTP/1.1 201 Created
Date: Mon, 07 Jan 2019 15:21:44 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Subject-Token: fd00f5811b054d45aab98e346e794a73
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-request-id: req-e94efb0a-6d93-46be-9e1c-77317b0cdfbd
Content-Length: 13819
Content-Type: application/json

{"token": {"is_domain": false, "methods": ["application_credential"], "roles": [{"id": "f526fd6908794fcf8c70804fa6cdc8a3", "name": "Member"}], "application_credential": {"restricted": true, "id": "e9a7089baad04bf093fc2a5a665e4f5c", "name": "terraform"}, "is_admin_project": false, "project": {"domain": {"id": "2b932823d0dc46799acbfabd18b45ee4", "name": "cloudusers"}, "id": "21b5b236c2e244dcba9557ec8745d61a", "name": "olimpiadi-istat"}, "catalog": [{"endpoints": [......]
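
The same token request as a small shell helper, added here as an example and not part of the original post: it reads the ID and secret from the environment variables set by the rc file, sends the JSON body on curl's standard input so the secret is not visible in the process list or shell history, and reads the token from the X-Subject-Token response header. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed, not from the post.

# Escape backslashes and double quotes so a secret containing them stays valid JSON.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the Keystone v3 auth body from the variables exported by the rc file.
build_auth_body() {
  printf '{"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id":"%s","secret":"%s"}}}}' \
    "$(json_escape "$OS_APPLICATION_CREDENTIAL_ID")" \
    "$(json_escape "$OS_APPLICATION_CREDENTIAL_SECRET")"
}

# Read a raw `curl -i` response on stdin and print the X-Subject-Token value.
# Header names are case-insensitive and lines end in CRLF; the body is ignored.
extract_token() {
  tr -d '\r' | awk -F': *' '
    /^$/ { in_body = 1 }
    !in_body && tolower($1) == "x-subject-token" { print $2 }'
}

# POST to <keystone-url>/v3/auth/tokens. The body is piped to curl (-d @-), so the
# secret is never a command-line argument.
issue_token() {
  build_auth_body |
    curl -sS -i -H "Content-Type: application/json" -d @- "$1/v3/auth/tokens" |
    extract_token
}

# Constructed sample response, shaped like the one shown above.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 201 Created\r\nServer: Apache\r\nx-subject-token: constructed-token-123\r\nContent-Type: application/json\r\n\r\n{"token": {"methods": ["application_credential"]}}')

# Offline demo on the sample; against a real cloud, source the rc file and run:
#   issue_token "https://keystone.cloud.garr.it:5000"
printf '%s\n' "$SAMPLE_RESPONSE" | extract_token
```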

Hope this will save you some time.

Alex

