Application Credentials

Users can create Application Credentials to allow their applications to authenticate to Keystone.

Users can delegate a subset of their role assignments on a project to an application credential, granting the application the same or restricted authorization to a project. With application credentials, applications authenticate with the application credential ID and a secret string which is not the user’s password.

Creating Application Credentials

Application credentials can be created from the Horizon dashboard:

  1. Select Application Credentials from the Identity tab on the left sidebar:

  2. Click the + Create Application Credential button, and fill in the form with values of your choice:

  3. Download the openrc file, which contains the generated application credential.

  4. Also download the app-cred-*-kubeconfig file, which is used to authenticate with Kubernetes using the newly generated application credential (see below).

Creating Application Credentials using OSC

Users who have access to the OpenStack Client (see below) may create Application Credentials with the following command:

$ openstack application credential create --secret <YOUR SECRET> --role <ROLE> <NAME>

You can also list, show and delete Application Credentials respectively with the following commands:

$ openstack application credential list
$ openstack application credential show <APPLICATION CREDENTIAL ID/NAME>
$ openstack application credential delete <APPLICATION CREDENTIAL ID/NAME>

How to use Application Credentials

Applications can use Application Credentials to request authorization for operations, with the privileges assigned by the user who created them.

We mention in particular two such applications:

  1. The OpenStack Client is a command-line tool for invoking the OpenStack API. To install the OpenStack Client, issue:

    $ sudo pip install python-openstackclient
    

    Source the openrc file that contains the generated application credential:

    $ source <openrc>
    

    Now you can issue commands to OpenStack, for example:

    $ openstack project list
    

    which will list your projects.

  2. kubectl is a command-line interface for running commands against Kubernetes clusters. It can authenticate users by means of Keystone Application Credentials. For further details, see the documentation on Containers.
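
The openrc file sourced in item 1 holds the application credential secret in clear text, so it is worth vetting before use. The following check is an added example, not part of the original documentation: `check_openrc` is a hypothetical helper, and the `OS_*` variable names are the standard OpenStack client ones, assumed here to be what the downloaded file contains.

```shell
#!/bin/sh
# Added example: vet an application-credential openrc before `source`-ing it.
# check_openrc is a hypothetical helper; the OS_* variable names are an
# assumption about the contents of the downloaded file.
check_openrc() {
    f=$1
    findings=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi

    # The secret is stored in clear text: group and other need no access.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: group/other bits are '$perms' (chmod 600 $f)"
        findings=$((findings + 1))
    fi

    # Values the application credential login needs (ID form, as on this page).
    for var in OS_AUTH_URL OS_APPLICATION_CREDENTIAL_ID \
               OS_APPLICATION_CREDENTIAL_SECRET; do
        if ! grep -Eq "^(export[[:space:]]+)?${var}=.+" "$f"; then
            echo "unset: $var"
            findings=$((findings + 1))
        fi
    done

    # The auth plugin must be the application credential one.
    if ! grep -Eq "^(export[[:space:]]+)?OS_AUTH_TYPE=[\"']?v3applicationcredential[\"']?[[:space:]]*\$" "$f"; then
        echo "auth-type: OS_AUTH_TYPE is not v3applicationcredential"
        findings=$((findings + 1))
    fi

    # The point of the credential is that the user's password stays out.
    if grep -Eq "^(export[[:space:]]+)?OS_PASSWORD=" "$f"; then
        echo "password: OS_PASSWORD is set in $f"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh check_openrc.sh <openrc>
[ "$#" -eq 0 ] || check_openrc "$1"
```

The function prints one finding per line and returns 0 only when there are none, so it can gate the `source <openrc>` step in a wrapper script.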