Managing API credentials
API credentials allow applications, automation tools, and scripts to authenticate to the public compute API without using a user name and password.
Each API credential is associated with a user account and a project. It consists of a credential ID and an API secret key. After successful authentication, the application receives a project-scoped token and can access cloud resources according to the user's permissions in that project. An API credential cannot grant more permissions than the user already has. To access multiple projects, create a separate API credential for each project.
After creating an API credential, you can use it to authenticate OpenStack-compatible tools, scripts, and automation systems. For more information about OpenStack application credentials, refer to the OpenStack documentation.
Limitations
- You can view, create, and revoke only your own API credentials.
To create an API credential
- Go to Settings > API credentials and click Create.
- In the Create API credential window, specify a unique credential name, select the project that the credential will access, and set the date when the credential expires. The expiration date cannot be later than one year from the credential creation date.
- Click Create.
- In the Credentials created window, copy and save the credential ID and API secret key. To copy both values at once, click Copy token information.
Save the credential ID and API secret key immediately. The API secret key is shown only once and cannot be viewed again.
The new credential appears in the API credentials list. The API secret key is not available after credential creation.
A credential can have one of the following statuses:
- Active. The credential can be used for authentication.
- Expiring soon. The credential expires in less than 30 days.
- Expired. The credential can no longer be used for authentication.
To use an API credential
Set the following environment variables:
# export OS_AUTH_TYPE=v3applicationcredential # export OS_AUTH_URL=<auth_url> # export OS_APPLICATION_CREDENTIAL_ID=<credential_ID> # export OS_APPLICATION_CREDENTIAL_SECRET=<api_secret_key> # export OS_IDENTITY_API_VERSION=3
Then run OpenStack commands. For example:
# openstack --insecure server list
If the API endpoint uses a certificate trusted by your client, omit the --insecure option.
To revoke an API credential
- On the Settings > API credentials screen, select the required credential.
- On the credential right pane, click Delete.
- Click Delete in the confirmation window.
Applications using the revoked credential can no longer authenticate. Expired credentials are also rejected on API calls.