Chapter 7. Identity service command-line client


Warning
The keystone CLI is deprecated in favor of python-openstackclient. For more information on python-openstackclient, please see Section 3.3, “Subcommands”. For a Python library, continue using python-keystoneclient.
The keystone client is the command-line interface (CLI) for the Identity service API and its extensions. This chapter documents keystone version 1.7.2.
For help on a specific keystone command, enter:
$ keystone help COMMAND

7.1. keystone usage

usage: keystone [--version] [--debug] [--os-username <auth-user-name>] [--os-password <auth-password>] [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>] [--os-region-name <region-name>] [--os-identity-api-version <identity-api-version>] [--os-token <service-token>] [--os-endpoint <service-endpoint>] [--os-cache] [--force-new-token] [--stale-duration <seconds>] [--insecure] [--os-cacert <ca-certificate>] [--os-cert <certificate>] [--os-key <key>] [--timeout <seconds>] <subcommand> ...

Subcommands

catalog
List service catalog, possibly filtered by service.
ec2-credentials-create
Create EC2-compatible credentials for user per tenant.
ec2-credentials-delete
Delete EC2-compatible credentials.
ec2-credentials-get
Display EC2-compatible credentials.
ec2-credentials-list
List EC2-compatible credentials for a user.
endpoint-create
Create a new endpoint associated with a service.
endpoint-delete
Delete a service endpoint.
endpoint-get
Find endpoint filtered by a specific attribute or service type.
endpoint-list
List configured service endpoints.
password-update
Update own password.
role-create
Create new role.
role-delete
Delete role.
role-get
Display role details.
role-list
List all roles.
service-create
Add service to Service Catalog.
service-delete
Delete service from Service Catalog.
service-get
Display service from Service Catalog.
service-list
List all services in Service Catalog.
tenant-create
Create new tenant.
tenant-delete
Delete tenant.
tenant-get
Display tenant details.
tenant-list
List all tenants.
tenant-update
Update tenant name, description, enabled status.
token-get
Display the current user token.
user-create
Create new user.
user-delete
Delete user.
user-get
Display user details.
user-list
List users.
user-password-update
Update user password.
user-role-add
Add role to user.
user-role-list
List roles granted to a user.
user-role-remove
Remove role from user.
user-update
Update user's name, email, and enabled status.
discover
Discover Keystone servers, supported API versions and extensions.
bootstrap
Grants a new role to a new user on a new tenant, after creating each.
bash-completion
Prints all of the commands and options to stdout.
help
Display help about this program or one of its subcommands.

7.2. keystone optional arguments

--version
Shows the client version and exits.
--debug
Prints debugging output to the console, including the curl request and response calls. Helpful for debugging and understanding the API calls.
--os-username <auth-user-name>
Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME].
--os-password <auth-password>
Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD].
--os-tenant-name <auth-tenant-name>
Tenant to request authorization on. Defaults to env[OS_TENANT_NAME].
--os-tenant-id <tenant-id>
Tenant to request authorization on. Defaults to env[OS_TENANT_ID].
--os-auth-url <auth-url>
Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL].
--os-region-name <region-name>
Specify the region to use. Defaults to env[OS_REGION_NAME].
--os-identity-api-version <identity-api-version>
Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 2.0.
--os-token <service-token>
Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN].
--os-endpoint <service-endpoint>
Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT].
--os-cache
Use the auth token cache. Defaults to env[OS_CACHE].
--force-new-token
If the keyring is available and in use, the token is always stored in and fetched from the keyring until it expires. Use this option to request a new token and replace the existing one in the keyring.
--stale-duration <seconds>
Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds.
--insecure
Explicitly allow client to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution.
--os-cacert <ca-certificate>
Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT].
--os-cert <certificate>
Defaults to env[OS_CERT].
--os-key <key>
Defaults to env[OS_KEY].
--timeout <seconds>
Set request timeout (in seconds).
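
As an added example (not part of the original chapter or the keystone project), this shell check flags keystone command lines that pass secrets as arguments, where they can show up in shell history and the process list, or that disable certificate verification with --insecure. The option names are the ones documented in this chapter; the function names, sample lines and file path are constructed.

```shell
#!/bin/sh
# Added example: audit keystone invocations for secrets in argv and for
# disabled TLS verification. Function names and sample data are constructed.

# Print a space-separated list of findings for one command line (empty if none).
audit_keystone_line() {
    line=$1
    findings=""
    case " $line " in
        *" keystone "*) ;;          # crude match: only lines that call keystone
        *) return 0 ;;
    esac
    set -f                          # split into words without glob expansion
    for word in $line; do
        case $word in
            --insecure)
                findings="$findings tls-verify-off" ;;
            --os-password|--os-password=*|--os-token|--os-token=*|\
            --pass|--pass=*|--new-password|--new-password=*|\
            --current-password|--current-password=*)
                # Report the option name only, never the secret value.
                findings="$findings secret-in-argv:${word%%=*}" ;;
        esac
    done
    set +f
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
    fi
    return 0
}

# Read command lines on stdin and report findings with their line numbers.
audit_keystone_stream() {
    n=0
    while IFS= read -r l; do
        n=$((n + 1))
        f=$(audit_keystone_line "$l")
        if [ -n "$f" ]; then
            printf 'line %d: %s\n' "$n" "$f"
        fi
    done
    return 0
}

# Constructed sample lines (placeholder values, not real credentials).
sample='keystone --os-password Example123 --insecure user-list
keystone --os-cacert /etc/pki/ca.pem tenant-list
keystone user-create --name alice --pass=Example123
curl --insecure https://identity.example.test:5000/v2.0'

printf '%s\n' "$sample" | audit_keystone_stream
```

Lines that rely on the env[OS_PASSWORD] and env[OS_SERVICE_TOKEN] defaults and verify the server with --os-cacert produce no findings.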

7.3. keystone bootstrap

usage: keystone bootstrap [--user-name <user-name>] --pass <password> [--role-name <role-name>] [--tenant-name <tenant-name>]
Grants a new role to a new user on a new tenant, after creating each.

Arguments

--user-name <user-name>
The name of the user to be created (default="admin").
--pass <password>
The password for the new user.
--role-name <role-name>
The name of the role to be created and granted to the user (default="admin").
--tenant-name <tenant-name>
The name of the tenant to be created (default="admin").

7.4. keystone catalog

usage: keystone catalog [--service <service-type>]
List service catalog, possibly filtered by service.

Arguments

--service <service-type>
Service type to return.

7.5. keystone discover

usage: keystone discover
Discover Keystone servers, supported API versions and extensions.

7.6. keystone ec2-credentials-create

usage: keystone ec2-credentials-create [--user-id <user-id>] [--tenant-id <tenant-id>]
Create EC2-compatible credentials for user per tenant.

Arguments

--user-id <user-id>
User ID for which to create credentials. If not specified, the authenticated user will be used.
--tenant-id <tenant-id>
Tenant ID for which to create credentials. If not specified, the authenticated tenant ID will be used.

7.7. keystone ec2-credentials-delete

usage: keystone ec2-credentials-delete [--user-id <user-id>] --access <access-key>
Delete EC2-compatible credentials.

Arguments

--user-id <user-id>
User ID.
--access <access-key>
Access Key.

7.8. keystone ec2-credentials-get

usage: keystone ec2-credentials-get [--user-id <user-id>] --access <access-key>
Display EC2-compatible credentials.

Arguments

--user-id <user-id>
User ID.
--access <access-key>
Access Key.

7.9. keystone ec2-credentials-list

usage: keystone ec2-credentials-list [--user-id <user-id>]
List EC2-compatible credentials for a user.

Arguments

--user-id <user-id>
User ID.

7.10. keystone endpoint-create

usage: keystone endpoint-create [--region <endpoint-region>] --service <service> --publicurl <public-url> [--adminurl <admin-url>] [--internalurl <internal-url>]
Create a new endpoint associated with a service.

Arguments

--region <endpoint-region>
Endpoint region.
--service <service>, --service-id <service>, --service_id <service>
Name or ID of service associated with endpoint.
--publicurl <public-url>
Public URL endpoint.
--adminurl <admin-url>
Admin URL endpoint.
--internalurl <internal-url>
Internal URL endpoint.

7.11. keystone endpoint-delete

usage: keystone endpoint-delete <endpoint-id>
Delete a service endpoint.

Arguments

<endpoint-id>
ID of endpoint to delete.

7.12. keystone endpoint-get

usage: keystone endpoint-get --service <service-type> [--endpoint-type <endpoint-type>] [--attr <service-attribute>] [--value <value>]
Find endpoint filtered by a specific attribute or service type.

Arguments

--service <service-type>
Service type to select.
--endpoint-type <endpoint-type>
Endpoint type to select.
--attr <service-attribute>
Service attribute to match for selection.
--value <value>
Value of attribute to match.

7.13. keystone endpoint-list

usage: keystone endpoint-list
List configured service endpoints.

7.14. keystone password-update

usage: keystone password-update [--current-password <current-password>] [--new-password <new-password>]
Update own password.

Arguments

--current-password <current-password>
Current password. Defaults to the password as set by --os-password or env[OS_PASSWORD].
--new-password <new-password>
Desired new password.

7.15. keystone role-create

usage: keystone role-create --name <role-name>
Create new role.

Arguments

--name <role-name>
Name of new role.

7.16. keystone role-delete

usage: keystone role-delete <role>
Delete role.

Arguments

<role>
Name or ID of role to delete.

7.17. keystone role-get

usage: keystone role-get <role>
Display role details.

Arguments

<role>
Name or ID of role to display.

7.18. keystone role-list

usage: keystone role-list
List all roles.

7.19. keystone service-create

usage: keystone service-create --type <type> [--name <name>] [--description <service-description>]
Add service to Service Catalog.

Arguments

--type <type>
Service type (one of: identity, compute, network, image, object-store, or other service identifier string).
--name <name>
Name of new service (must be unique).
--description <service-description>
Description of service.

7.20. keystone service-delete

usage: keystone service-delete <service>
Delete service from Service Catalog.

Arguments

<service>
Name or ID of service to delete.

7.21. keystone service-get

usage: keystone service-get <service>
Display service from Service Catalog.

Arguments

<service>
Name or ID of service to display.

7.22. keystone service-list

usage: keystone service-list
List all services in Service Catalog.

7.23. keystone tenant-create

usage: keystone tenant-create --name <tenant-name> [--description <tenant-description>] [--enabled <true|false>]
Create new tenant.

Arguments

--name <tenant-name>
New tenant name (must be unique).
--description <tenant-description>
Description of new tenant. Default is none.
--enabled <true|false>
Initial tenant enabled status. Default is true.

7.24. keystone tenant-delete

usage: keystone tenant-delete <tenant>
Delete tenant.

Arguments

<tenant>
Name or ID of tenant to delete.

7.25. keystone tenant-get

usage: keystone tenant-get <tenant>
Display tenant details.

Arguments

<tenant>
Name or ID of tenant to display.

7.26. keystone tenant-list

usage: keystone tenant-list
List all tenants.

7.27. keystone tenant-update

usage: keystone tenant-update [--name <tenant_name>] [--description <tenant-description>] [--enabled <true|false>] <tenant>
Update tenant name, description, enabled status.

Arguments

--name <tenant_name>
Desired new name of tenant.
--description <tenant-description>
Desired new description of tenant.
--enabled <true|false>
Enable or disable tenant.
<tenant>
Name or ID of tenant to update.

7.28. keystone token-get

usage: keystone token-get [--wrap <integer>]
Display the current user token.

Arguments

--wrap <integer>
Wrap PKI tokens to a specified length, or 0 to disable.

7.29. keystone user-create

usage: keystone user-create --name <user-name> [--tenant <tenant>] [--pass [<pass>]] [--email <email>] [--enabled <true|false>]
Create new user.

Arguments

--name <user-name>
New user name (must be unique).
--tenant <tenant>, --tenant-id <tenant>
New user default tenant.
--pass [<pass>]
New user password; required for some auth backends.
--email <email>
New user email address.
--enabled <true|false>
Initial user enabled status. Default is true.

7.30. keystone user-delete

usage: keystone user-delete <user>
Delete user.

Arguments

<user>
Name or ID of user to delete.

7.31. keystone user-get

usage: keystone user-get <user>
Display user details.

Arguments

<user>
Name or ID of user to display.

7.32. keystone user-list

usage: keystone user-list [--tenant <tenant>]
List users.

Arguments

--tenant <tenant>, --tenant-id <tenant>
Tenant; lists all users if not specified.

7.33. keystone user-password-update

usage: keystone user-password-update [--pass <password>] <user>
Update user password.

Arguments

--pass <password>
Desired new password.
<user>
Name or ID of user to update password.

7.34. keystone user-role-add

usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>]
Add role to user.

Arguments

--user <user>, --user-id <user>, --user_id <user>
Name or ID of user.
--role <role>, --role-id <role>, --role_id <role>
Name or ID of role.
--tenant <tenant>, --tenant-id <tenant>
Name or ID of tenant.

7.35. keystone user-role-list

usage: keystone user-role-list [--user <user>] [--tenant <tenant>]
List roles granted to a user.

Arguments

--user <user>, --user-id <user>
List roles granted to specified user.
--tenant <tenant>, --tenant-id <tenant>
List only roles granted on specified tenant.

7.36. keystone user-role-remove

usage: keystone user-role-remove --user <user> --role <role> [--tenant <tenant>]
Remove role from user.

Arguments

--user <user>, --user-id <user>, --user_id <user>
Name or ID of user.
--role <role>, --role-id <role>, --role_id <role>
Name or ID of role.
--tenant <tenant>, --tenant-id <tenant>
Name or ID of tenant.

7.37. keystone user-update

usage: keystone user-update [--name <user-name>] [--email <email>] [--enabled <true|false>] <user>
Update user's name, email, and enabled status.

Arguments

--name <user-name>
Desired new user name.
--email <email>
Desired new email address.
--enabled <true|false>
Enable or disable user.
<user>
Name or ID of user to update.