gardener / etcd-backup-restore

Collection of components to backup and restore the ETCD of a Kubernetes cluster.

[Feature] Implement support for Openstack Application Credentials

RaphaelVogel opened this issue

Feature (What you would like to be added):
Application Credentials can be used instead of username/password to authenticate against Openstack. Backup of etcd to Swift should be possible using application credentials.
Motivation (Why is this needed?):
Application credentials are useful when implementing secret rotation scenarios for Openstack.
According to documentation only username/password is currently allowed.

Hi @RaphaelVogel ,

I have a few doubts regarding support for OpenStack Application Credentials.

  1. The Application Credentials doc link you provided says "This release is under development." Has this been released, or am I missing something?
  2. When I tried to access the bucket via the command line, swift throws this error:

```
swift list
Auth version 1.0 requires ST_AUTH, ST_USER, and ST_KEY environment variables
to be set or overridden with -A, -U, or -K.

Auth version 2.0 requires OS_AUTH_URL, OS_USERNAME, OS_PASSWORD, and
OS_TENANT_NAME OS_TENANT_ID to be set or overridden with --os-auth-url,
--os-username, --os-password, --os-tenant-name or os-tenant-id. Note:
adding "-V 2" is necessary for this.
```

This error doesn't say that authentication can also be done with application credentials. Have you tried to access the bucket via the command line with application credentials?

Hi @ishan16696

  1. Yes, this is also available in older releases (e.g. Xena): https://docs.openstack.org/keystone/xena/user/application_credentials.html. I just copied the latest doc.
  2. As described in the link above under the header "Using Application Credentials", you must set the following environment variables when using the official openstack CLI.

```
export auth_url=https://keystone.server/identity/v3
export auth_type=v3applicationcredential
export application_credential_id=6aaaaaaaaaaaaaaaaa6df50c
export application_credential_secret=xxxxxxxxxxxxxxxxxxxxx
```

I tried this in our OpenStack environment and I could list the contents of a bucket with `openstack object list test-rv`.
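For the Go side of this request, what changes on the wire is the body sent to Keystone's v3 token endpoint. The sketch below is an added example, not code from this issue or from etcd-backup-restore: `SwiftAuth` and `TokenRequest` are hypothetical names and the credential values are constructed. It builds the body for either flow and rejects mixed or partial configuration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SwiftAuth is a hypothetical config struct; the field names are assumptions.
type SwiftAuth struct {
	Username, Password, DomainName, ProjectName string // password flow
	AppCredID, AppCredSecret                    string // application credential flow
}

type m = map[string]interface{}

// TokenRequest builds the JSON body for POST <auth_url>/auth/tokens (Keystone v3).
func TokenRequest(c SwiftAuth) ([]byte, error) {
	hasApp := c.AppCredID != "" || c.AppCredSecret != ""
	hasPw := c.Username != "" || c.Password != ""
	switch {
	case hasApp && hasPw:
		return nil, errors.New("set either application credential or username/password, not both")
	case hasApp:
		if c.AppCredID == "" || c.AppCredSecret == "" {
			return nil, errors.New("application credential needs both id and secret")
		}
		// No "scope" block: the credential is already bound to one project.
		return json.Marshal(m{"auth": m{"identity": m{
			"methods":                []string{"application_credential"},
			"application_credential": m{"id": c.AppCredID, "secret": c.AppCredSecret},
		}}})
	case hasPw:
		if c.Username == "" || c.Password == "" {
			return nil, errors.New("password auth needs both username and password")
		}
		user := m{"name": c.Username, "password": c.Password, "domain": m{"name": c.DomainName}}
		return json.Marshal(m{"auth": m{
			"identity": m{"methods": []string{"password"}, "password": m{"user": user}},
			"scope":    m{"project": m{"name": c.ProjectName, "domain": m{"name": c.DomainName}}},
		}})
	}
	return nil, errors.New("no credentials configured")
}

func main() {
	body, err := TokenRequest(SwiftAuth{AppCredID: "constructed-id", AppCredSecret: "constructed-secret"})
	fmt.Println(string(body), err)
}
```

With the application credential flow the user's password never appears in the backup configuration, so rotating or revoking the credential does not require changing the account password.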