Managing API credentials
API credentials allow applications, automation tools, and scripts to authenticate to the public compute API without using a user name and password.
Each API credential is associated with a user account and a project. It consists of a credential ID and an API secret key. After successful authentication, the application receives a project-scoped token and can access cloud resources according to the user's permissions in that project. An API credential cannot grant more permissions than the user already has. To access multiple projects, create a separate API credential for each project.
After creating an API credential, you can use it to authenticate OpenStack-compatible tools, scripts, and automation systems. For more information about OpenStack application credentials, refer to the OpenStack documentation.
Limitations
- System administrators can create only their own API credentials. Viewing and revoking API credentials that belong to other users is available by using the
vinfracommand-line tool.
To create an API credential
Admin panel
- Go to Settings > API access > API credentials and click Create.
- In the Create API credential window, specify a unique credential name, select the project that the credential will access, and set the date when the credential expires. The expiration date cannot be later than one year from the credential creation date.
- Click Create.
- In the Credentials created window, copy and save the credential ID and API secret key. To copy both values at once, click Copy token information.
Save the credential ID and API secret key immediately. The API secret key is shown only once and cannot be viewed again.
The new credential appears in the API credentials list. The API secret key is not available after credential creation.
A credential can have one of the following statuses:
- Active. The credential can be used for authentication.
- Expiring soon. The credential expires in less than 30 days.
- Expired. The credential can no longer be used for authentication.
Command-line interface
Use the following command:
vinfra domain user application-credential create [--description <description>] [--expires-at <expires-at>]
[--secret] [--permissions <permissions>] <name>
--description <description>- Credential description
--expires-at <expires-at>- Expiration time in ISO 8601 format (UTC)
--secret- Enter your secret when prompted.
--permissions <permissions>- Comma-separated list of permissions
<name>- Credential name
For example, to create an API credential mycredential for the current user, run:
# vinfra domain user application-credential create mycredential --expires-at 2027-06-23T12:00:00Z
If you provide your own secret, store it securely. The secret is hashed before it is stored and cannot be retrieved later.
You can check the created API credential in the vinfra domain user application-credential list output:
# vinfra domain user application-credential list +---------------+--------------+---------------+----------------------------+-------------+ | id | name | project_id | expires_at | permissions | +---------------+--------------+---------------+----------------------------+-------------+ | df8720da<...> | mycredential | 7b44afe6<...> | 2027-06-23T12:00:00.000000 | [] | +---------------+--------------+---------------+----------------------------+-------------+
To list API credentials for other users, add --user <user> and --domain <domain> options to the command.
To use an API credential
Set the following environment variables:
# export OS_AUTH_TYPE=v3applicationcredential # export OS_AUTH_URL=<auth_url> # export OS_APPLICATION_CREDENTIAL_ID=<credential_ID> # export OS_APPLICATION_CREDENTIAL_SECRET=<api_secret_key> # export OS_IDENTITY_API_VERSION=3
Then run OpenStack commands. For example:
# openstack --insecure server list
If the API endpoint uses a certificate trusted by your client, omit the --insecure option.
To revoke an API credential
Admin panel
- On the Settings > API access > API credentials screen, select the required credential.
- On the credential right pane, click Delete.
- Click Delete in the confirmation window.
Applications using the revoked credential can no longer authenticate. Expired credentials are also rejected on API calls.
Command-line interface
Use the following command:
vinfra domain user application-credential revoke [--domain <domain> --user <user>] <credential>
--domain <domain>- Domain name or ID. Required when
--useris specified. --user <user>- User ID or name. Omit to use the authenticated user.
<credential>- Credential ID or name
For example, to revoke the API credential mycredential for the user myuser in the domain mydomain, run:
# vinfra domain user application-credential revoke mycredential --domain mydomain --user myuser