The traditional way of authenticating with the openstack client is to use a username and password which are set as an environment variable. Some of us are not too keen of having clear-text passwords lying around, and this article are thus presenting a way to authenticate to openstack without having the password as clear-text.
The simple approach
The simplest approach to using the command-line clients without having the password stored on your client in clear-text is to use the following modified openrc file:
projectID= #Your openstack project ID username= #Your NTNU username keystoneURL=https://api.skyhigh.iik.ntnu.no:5000/v3 unset OS_TOKEN unset OS_AUTH_TYPE export OS_AUTH_URL=$keystoneURL export OS_IDENTITY_API_VERSION=3 export OS_TENANT_ID=$projectID export OS_INTERFACE="public" export OS_ENDPOINT_TYPE=publicURL export OS_USERDOMAIN_NAME="NTNU" export OS_USERNAME="eigilo" export OS_DOMAIN_NAME=NTNU tcommand="openstack token issue -f value -c id" echo "Please supply the password to the $OS_DOMAIN_NAME user $username:" token=$($tcommand) status=$? while [[ $status -ne 0 ]]; do echo "Could not get a token. Please try again:" token=$($tcommand) status=$? done export OS_TOKEN="$token" export OS_AUTH_TYPE="token" unset OS_DOMAIN_NAME unset OS_USERDOMAIN_NAME unset OS_USERNAME echo "You are now authenticated to use the openstack CLI client."
Add your username and the ID of your project to the first to variables in this file, and you are good to go. This openrc-file is used the same way as the ordinary one which you can download from horizon:
eigil@breve:~$ source tokenopenrc.sh Please supply the password to the NTNU user eigilo: Password: You are now authenticated to use the openstack CLI client. eigil@breve:~$ openstack server list +--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+ | ID | Name | Status | Networks | Image | Flavor | +--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+ | a3b399b3-f00b-40c0-1337-d4fee729f9dc | debiantest | ACTIVE | ObreNetwork-NTNU=192.168.0.113, 10.212.136.98 | Debian 9.4.2 (Stretch) stable amd64 | m1.tiny | +--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
Token lifetime
One downside using tokens instead of a password is that the tokens have limited lifetime. The lifetime of your session can be seen by running the command "openstack token issue:
eigil@breve:~$ openstack token issue -f value -c expires 2018-08-21T09:31:14+0000
The timestamp appearing is the UTC time of when your token expires. If the commandline client are used after the expiry the following message will appear: