Creating Application Credentials
Application Credentials provide secure authentication for applications and automation scripts. This guide shows how to quickly create them using the OpenStack CLI.
Prerequisites
# Install OpenStack CLI
pip install python-openstackclient
# Authenticate with your user credentials
source openrc.sh # or set your environment variables
Quick Creation Commands
# Create Application Credential with reader role (read-only access)
openstack application credential create \
--role reader \
--description "Monitoring and reporting application" \
my-reader-app
# Create Application Credential with member role (full project management)
openstack application credential create \
--role member \
--description "CI/CD automation and deployment" \
my-member-app
# Create Application Credential with load-balancer_member role (load balancer management)
openstack application credential create \
--role load-balancer_member \
--description "Load balancer automation" \
my-lb-app
# Create Application Credential with SwiftOperator role (object storage management)
openstack application credential create \
--role SwiftOperator \
--description "Swift object storage automation" \
my-swift-app
# Create Application Credential with creator role (secret and certificate management)
openstack application credential create \
--role creator \
--description "Secret and certificate automation" \
my-secrets-app
# Create with expiration date (recommended)
openstack application credential create \
--role reader \
--expiration "2024-12-31T23:59:59" \
--description "Temporary access for monitoring" \
temp-reader-app
Using the Credentials
After creation, use the returned credentials in your applications:
# Set environment variables
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://api.pub1.infomaniak.cloud/identity/v3
export OS_APPLICATION_CREDENTIAL_ID="your-credential-id"
export OS_APPLICATION_CREDENTIAL_SECRET="your-credential-secret"
# Test authentication
openstack token issue
Save Your Credentials
The Application Credential secret is only shown once during creation. Save it securely immediately.
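Because the secret cannot be retrieved again, it helps to capture it at creation time. The following is an added example, not part of the original guide: it reads the output of the create command and writes the environment variables shown above to a file readable only by its owner. It assumes the CLI's `-f shell` output formatter (lines of the form `key="value"`); the function names, the sample values and the file path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: persist a newly created Application Credential to a 0600 env file.
# Input on stdin: `openstack application credential create ... -f shell` output,
# assumed to be key="value" lines. Function and file names are hypothetical.

# Constructed sample of that output (not a real credential).
SAMPLE_CREATE_OUTPUT='id="0123456789abcdef0123456789abcdef"
name="my-reader-app"
secret="constructed-secret-not-real"'

# field <text> <key>: print the value of key="value" from <text>.
field() {
  printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"\$/\1/p" | head -n 1
}

# save_app_cred <env-file> [auth-url]
save_app_cred() {
  local out_file="$1"
  local auth_url="${2:-https://api.pub1.infomaniak.cloud/identity/v3}"
  local raw id secret
  raw=$(cat)
  id=$(field "$raw" id)
  secret=$(field "$raw" secret)

  # The secret is only returned once, at creation; without it there is nothing to save.
  if [ -z "$id" ] || [ -z "$secret" ]; then
    echo "no id/secret in input; was this the output of 'create'?" >&2
    return 1
  fi
  # Refuse to clobber a file that may hold another live secret.
  if [ -e "$out_file" ]; then
    echo "$out_file already exists, refusing to overwrite" >&2
    return 1
  fi

  # Restrict permissions before the file exists, so the secret is never world-readable.
  ( umask 077
    {
      printf 'export OS_AUTH_TYPE=v3applicationcredential\n'
      printf 'export OS_AUTH_URL=%s\n' "$auth_url"
      printf 'export OS_APPLICATION_CREDENTIAL_ID="%s"\n' "$id"
      printf 'export OS_APPLICATION_CREDENTIAL_SECRET="%s"\n' "$secret"
    } > "$out_file"
  )
}
# Use: openstack application credential create --role reader my-reader-app -f shell \
#        | save_app_cred ./my-reader-app.env
```

Source the resulting file in the job that needs it, then run `openstack token issue` to confirm the credential works.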
Role Selection Guide
| Role | Use Cases | Permissions |
|---|---|---|
| reader | Monitoring, reporting, compliance checks | Read-only access to project resources |
| member | CI/CD, automation, resource management | Full project management capabilities |
| load-balancer_member | Load balancer automation | Read and write access to load balancer APIs |
| SwiftOperator | Object storage automation | Full access to Swift object storage resources in project |
| creator | Secret and certificate management | Create and manage secrets and owned project resources |
Region-Specific Behavior: reader Role Permissions
In region dc3-a, the reader role inherits permissions equivalent to the member role.
Always verify the active region before interpreting IAM test results or executing operations.
Region-Specific Behavior: member Role in dc4-a
In region dc4-a, the member role does not automatically include reader permissions.
When creating Application Credentials for the dc4-a region, you must explicitly add both roles:
openstack application credential create \
--role reader \
--role member \
--description "Full access in dc4-a" \
my-dc4a-app
Service-Specific Permissions
Select the service documentation below for detailed permission matrices:
Core Infrastructure Services
- Compute (Nova) - Virtual machines and server management
- Image (Glance) - Image management and sharing
- Block Storage (Cinder) - Volumes, snapshots, and backups
- Network (Neutron) - Networking and security groups
Advanced Services
- Load Balancer (Octavia) - Load balancer configuration
- DNS (Designate) - DNS zones and records
- Orchestration (Heat) - Infrastructure as Code
- Billing (CloudKitty) - Cost tracking and billing
- Monitoring (Aodh) - Alarms and monitoring
- Key Management (Barbican) - Secrets and certificate management
Next: Choose a service above to view detailed permissions and usage examples for your Application Credentials.