Application Credentials

What are Application Credentials?

Application Credentials are temporary credentials which can be used to allow applications authenticate to OpenStack. With application credentials, applications authenticate with the application credential ID and a secret string which is not the user’s password. This way, the user’s password is not embedded in the application’s configuration, which is especially important for users whose identities are managed by an external system.

Do I need them?

tl;dr answer

A basic user should never worry about them.

Better explanation

GRNET OpenStack is a service offered to Greek Academic and Research Community. Every student, professor and researcher with valid academic credentials can have access and use its resources. In case of Web Interface (ui.cloud.grnet.gr) Application Credentials are not required because everyone can authenticate through Delos AAI Federation by choosing their Institution and supplying their academic credentials.

But you promised command line and API access…

… And this is the case where Application Credentials are vital. One of the benefits accompanying OpenStack is the easiness to interact with its resources through many different ways. Web Interface may be the friendliest but in terms of capabilities the OpenStack CLI and API are far more powerful. To be able to unlock their potential, user must be able to authenticate with OpenStack. The only way to achieve it is through Application Credentials.

In that case let’s create them!

How to create Application Credentials

  1. User has to login to GRNET OpenStack (ui.cloud.grnet.gr) through Delos AAI Federation
  2. Navigate to Identity -> Application Credentials to the left sub-menu
  3. Click the “Create Application Credential” button to the right
  4. At the creation form, choose a desired name for the credentials object, optionally choose a secret (the credentials “password”) and strictly choose role “Member”
  5. Click “Create Application Credential” button to the bottom right of the form
  6. Upon successful creation, click on “Download openrc file” button to the bottom

    IMPORTANT NOTE: As the warning implies, after closing the modal, the credentials cannot be retrieved.
  7. The downloaded credentials file has the following content:
    #!/usr/bin/env bash
    
    export OS_AUTH_TYPE=v3applicationcredential
    export OS_AUTH_URL=https://keystone-louros.cloud.grnet.gr:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_REGION_NAME="Louros"
    export OS_INTERFACE=public
    export OS_APPLICATION_CREDENTIAL_ID=<12345abcd123ef785>
    export OS_APPLICATION_CREDENTIAL_SECRET=<credential_secret>
    

What to do with your brand new Application Credentials

This is a part of the next topic: “Usage of OpenStack CLI”.

Stay tuned!
Stamatis