Red Hat Summit Red Hat Summitサポートコンソール開発者トライアルの開始お問い合わせ

Chapter 8. Application Credentials

Application Credentials help you to avoid the practice of embedding user account credentials in configuration files. Instead, the user creates an Application Credential that receives delegated access to a single project and has its own distinct secret. The user can also limit the delegated privileges to a single role in that project. This allows you to adopt the principle of least privilege, where the authenticated service only gains access to the one project and role that it needs to function, rather than all of them.

This approach allows you to consume an API with revealing your user credentials, and lets applications authenticate to Keystone without requiring embedded user credentials.

You can use Application Credentials to generate tokens and configure keystone_authtoken settings for applications. These use cases are described in the following sections.

Note

The Application Credential is dependent on the user account that created it, so it will terminate if that account is ever deleted, or loses access to the relevant role.

8.1. Use Application Credentials to generate tokens
リンクのコピー

Application Credentials are available to users as a self-service function in the dashboard. This example demonstrates how a user can create an Application Credential and then use it to generate a token.

  1. Create a test project, and test user accounts:

    1. Create a project called AppCreds. For example: 

      $ openstack project create AppCreds
      Copy to Clipboard Toggle word wrap

    2. Create a user called AppCredsUser. For example: 

      $ openstack user create --project AppCreds --password-prompt AppCredsUser
      Copy to Clipboard Toggle word wrap

    3. Grant AppCredsUser access to the _member_ role for the AppCreds project. For example: 

      $ openstack role add --user AppCredsUser --project AppCreds _member_
      Copy to Clipboard Toggle word wrap

  2. Login to the dashboard as AppCredsUser and create an Application Credential:

    Overview Identity Application Credentials +Create Application Credential.

    Note

    Be sure to download the clouds.yaml file contents, as you will not be able to access it again once you close the pop-up window titled Your Application Credential.

  3. Create a file named /home/stack/.config/openstack/clouds.yaml using the CLI and paste the contents of the clouds.yaml file. For example: 

    # This is a clouds.yaml file, which can be used by OpenStack tools as a source
# of configuration on how to connect to a cloud. If this is your only cloud,
# just put this file in ~/.config/openstack/clouds.yaml and tools like
# python-openstackclient will just work with no further config. (You will need
# to add your password to the auth section)
# If you have more than one cloud account, add the cloud entry to the clouds
# section of your existing file and you can refer to them by name with
# OS_CLOUD=openstack or --os-cloud=openstack
clouds:
  openstack:
    auth:
      auth_url: http://10.0.0.10:5000/v3
      application_credential_id: "6d141f23732b498e99db8186136c611b"
      application_credential_secret: "<example secret value>"
    region_name: "regionOne"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
    Copy to Clipboard Toggle word wrap
    Note

    These exact values will be different for your deployment.

  4. Use the Application Credential to generate a token. You must not be sourced as any specific user when using the following command, and you must be in the same directory as your clouds.yaml file. 

    [stack@undercloud-0 openstack]$ openstack --os-cloud=openstack token issue
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                                        |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-08-29T05:37:29+0000                                                                                                                                                                                     |
| id         | gAAAAABbhiMJ4TxxFlTMdsYJpfStsGotPrns0lnpvJq9ILtdi-NKqisWBeNiJlUXwmnoGQDh2CMyK9OeTsuEXnJNmFfKjxiHWmcQVYzAhMKo6_QMUtu_Qm6mtpzYYHBrUGboa_Ay0LBuFDtsjtgtvJ-r8G3TsJMowbKF-yo--O_XLhERU_QQVl3hl8zmMRdmLh_P9Cbhuolt |
| project_id | 1a74eabbf05c41baadd716179bb9e1da                                                                                                                                                                             |
| user_id    | ef679eeddfd14f8b86becfd7e1dc84f2                                                                                                                                                                             |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    Copy to Clipboard Toggle word wrap
Note

If you receive an error similar to __init__() got an unexpected keyword argument 'application_credential_secret', then you might still be sourced to the previous credentials. For a fresh environment, run sudo su - stack.

8.2. Integrate Application Credentials with applications
リンクのコピー

Application Credentials can be used to authenticate applications to keystone. When using Application Credentials, the keystone_authtoken settings use v3applicationcredential as the authentication type and will contain the credentials you received during the credential creation process. You will need to enter the following values:

  • application_credential_secret: The Application Credential secret.
  • application_credential_id: The Application Credential id.
  • application_credential_name: (Optional) - You might use this if using a named application credential, rather than an ID.

For example: 

[keystone_authtoken]
auth_url = http://10.0.0.10:5000/v3
auth_type = v3applicationcredential
application_credential_id = "6cb5fa6a13184e6fab65ba2108adf50c"
application_credential_secret = "<example password>"
Copy to Clipboard Toggle word wrap

8.3. Use the command line to manage Application Credentials
リンクのコピー

You can use the command line to create and delete Application Credentials.

The create subcommand will create an application credential based on the currently sourced account. For example, creating the credential when sourced as an admin user will grant the same roles to the Application Credential: 

$ openstack application credential create --description "App Creds - All roles" AppCredsUser
+--------------+----------------------------------------------------------------------------------------+
| Field        | Value                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
| description  | App Creds - All roles                                                                  |
| expires_at   | None                                                                                   |
| id           | fc17651c2c114fd6813f86fdbb430053                                                       |
| name         | AppCredsUser                                                                           |
| project_id   | 507663d0cfe244f8bc0694e6ed54d886                                                       |
| roles        | member reader admin                                                                    |
| secret       | fVnqa6I_XeRDDkmQnB5lx361W1jHtOtw3ci_mf_tOID-09MrPAzkU7mv-by8ykEhEa1QLPFJLNV4cS2Roo9lOg |
| unrestricted | False                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
Copy to Clipboard Toggle word wrap

By default, the resulting role membership includes all the roles assigned to the account that created the credentials. You can limit the role membership by only delegating access to a specific role. For example: 

$ openstack application credential create --description "App Creds - Member" --role member AppCredsUser
+--------------+----------------------------------------------------------------------------------------+
| Field        | Value                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
| description  | App Creds - Member                                                                     |
| expires_at   | None                                                                                   |
| id           | e21e7f4b578240f79814085a169c9a44                                                       |
| name         | AppCredsUser                                                                           |
| project_id   | 507663d0cfe244f8bc0694e6ed54d886                                                       |
| roles        | member                                                                                 |
| secret       | XCLVUTYIreFhpMqLVB5XXovs_z9JdoZWpdwrkaG1qi5GQcmBMUFG7cN2htzMlFe5T5mdPsnf5JMNbu0Ih-4aCg |
| unrestricted | False                                                                                  |
+--------------+----------------------------------------------------------------------------------------+
Copy to Clipboard Toggle word wrap

To delete an Application Credential: 

$ openstack application credential delete AppCredsUser
Copy to Clipboard Toggle word wrap

8.4. Operational tasks
リンクのコピー

8.4.1. Replace an existing Application Credential
リンクのコピー

Application Credentials are bound to the user account that created them and will become invalid if the user account is ever deleted, or if the user loses access to the delegated role. As a result, you should be prepared to generate a new Application Credential as needed.

8.4.1.1. For configuration files
リンクのコピー

To update the Application Credentials assigned to an application (using a configuration file):

  1. Create a new set of Application Credentials.
  2. Add the new credentials to the application’s configuration file, replacing the existing credentials. This is described in Section 8.2, “Integrate Application Credentials with applications”.
  3. Restart the application’s service to apply the change.
  4. Delete the old Application Credential, if appropriate. For more information on the command line options, see Section 8.3, “Use the command line to manage Application Credentials”.

8.4.1.2. For clouds.yaml files
リンクのコピー

To replace an existing Application Credential used by clouds.yaml:

For example, if your clouds.yaml contains an Application Credential called AppCred1, and it is due to expire:

  1. Create an Application Credential called AppCred2.
  2. Add the new AppCred2 to the clouds.yaml file, while removing the AppCred1 configuration.
  3. Generate a token with clouds.yaml to confirm that the credentials are working as expected. See step 4 of Section 8.1, “Use Application Credentials to generate tokens” for more information.
トップに戻る
Red Hat logoGithubredditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。 最新の更新を見る.

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

Theme

© 2026 Red Hat