When you create scripts that is using the openstack-client your scripts need to authenticate. To avoid having to place your username and password in the script you can create some credentials the script can use to authenticate. Openstack provides "application credentials" for this purpose.
Creating an application credential
Creating an application-credential can be done with the openstack-client. The credentials belongs to a certain user, in a certain project, and can be limited to certain of the users roles. The credential can also have an expiration-time, limiting the validity of the credentials, and if no expiry is set the credentials will be valid until the user looses access to the project, or until the credentials are revoked. A credential with the same amount of access as your user in a certain project can be created like so:
$ openstack application credential create TestCredential +--------------+------------------------------------+ | Field | Value | +--------------+------------------------------------+ | description | None | | expires_at | None | | id | 8f365f3e488b4cc886933915b058fef7 | | name | TestCredential | | project_id | <PROJECT-ID> | | roles | <ROLES> | | secret | <APPLICATION-CREDENTIAL-SECRET> | | system | None | | unrestricted | False | | user_id | <USER-ID> | +--------------+------------------------------------+
When a credential is created you will get a secret displayed (which is redacted in the above output), and you need to note this secret somewhere as it is only displayed once. You need this secret to actually use the credential.
Using an application credential
To use the application-credentials you need to set some environment-variables in your shell, similar to the variables set when using usernames/passwords. You would need the following variables:
export OS_AUTH_TYPE=v3applicationcredential export OS_AUTH_URL=<KEYSTONE-URI> export OS_IDENTITY_API_VERSION=3 export OS_REGION_NAME=<REGION_NAME> export OS_INTERFACE=public export OS_APPLICATION_CREDENTIAL_ID=<APPLICATION-CREDENTIAL-ID> export OS_APPLICATION_CREDENTIAL_SECRET=<APPLICATION-CREDENTIAL-SECRET>
The application-credentials values is seen when creating the application-credentials. The AUTH-URL and REGION-NAME is determined of which openstack installation you are interfacing with, and can be retrieved from the following table:
| Installation | Description | OS_AUTH_URL | OS_REGION_NAME |
|---|---|---|---|
| SkyHiGh | IIK's private cloud | https://api.skyhigh.iik.ntnu.no:5000/v3/ | SkyHiGh |
| StackIT | NTNU IT's cloud | https://api.stack.it.ntnu.no:5000/v3/ | NTNU-IT |
| SkyLow | IIK's development platform | https://api.skylow.iik.ntnu.no:5000/v3/ | SkyLow |
| PileIT | NTNU IT's development platform | https://api.pile.it.ntnu.no:5000/v3/ | PileIT |
When the environment-variables are set, you can use the command-line clients the same way as you would do normally. For instance, if you put the environment-variables into a file called "appcreds.sh" you can use the openstack clients like so:
$ source appcreds.sh $ openstack flavor list +--------------------------------------+--------------+--------+------+-----------+-------+-----------+ | ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public | +--------------------------------------+--------------+--------+------+-----------+-------+-----------+ | 03046375-608b-412a-8eff-3571b69da864 | c1.xlarge | 65536 | 40 | 0 | 32 | True | | 0febc39c-753f-4320-a0f6-f78c3a319569 | gpu.a100.20G | 253952 | 40 | 0 | 24 | False | | 114f5c26-66f9-44b1-8992-bc9347285725 | t1.small | 512 | 40 | 0 | 1 | True | | 1ea7791d-0ef5-4fac-9c81-ecbb8ad68f1a | c1.tiny | 16384 | 40 | 0 | 8 | True | ....