Creating Application Credentials

Application Credentials provide secure authentication for applications and automation scripts. This guide shows how to quickly create them using the OpenStack CLI.

Prerequisites

# Install OpenStack CLI
pip install python-openstackclient

# Authenticate with your user credentials
source openrc.sh  # or set your environment variables

Quick Creation Commands

# Create Application Credential with reader role (read-only access)
openstack application credential create \
    --role reader \
    --description "Monitoring and reporting application" \
    my-reader-app

# Create Application Credential with member role (full project management)
openstack application credential create \
    --role member \
    --description "CI/CD automation and deployment" \
    my-member-app

# Create Application Credential with load-balancer_member role (load balancer management)
openstack application credential create \
    --role load-balancer_member \
    --description "Load balancer automation" \
    my-lb-app

# Create Application Credential with SwiftOperator role (object storage management)
openstack application credential create \
    --role SwiftOperator \
    --description "Swift object storage automation" \
    my-swift-app

# Create Application Credential with creator role (secret and certificate management)
openstack application credential create \
    --role creator \
    --description "Secret and certificate automation" \
    my-secrets-app

# Create with expiration date (recommended)
openstack application credential create \
    --role reader \
    --expires-at "2024-12-31T23:59:59" \
    --description "Temporary access for monitoring" \
    temp-reader-app

Using the Credentials

After creation, use the returned credentials in your applications:

# Set environment variables
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://api.pub1.infomaniak.cloud/identity/v3
export OS_APPLICATION_CREDENTIAL_ID="your-credential-id"
export OS_APPLICATION_CREDENTIAL_SECRET="your-credential-secret"

# Test authentication
openstack token issue

Save Your Credentials

The Application Credential secret is only shown once during creation. Save it securely immediately.

Role Selection Guide

Role	Use Cases	Permissions
`reader`	Monitoring, reporting, compliance checks	Read-only access to project resources
`member`	CI/CD, automation, resource management	Full project management capabilities
`load-balancer_member`	Load balancer automation	Read and write access to load balancer APIs
`SwiftOperator`	Object storage automation	Full access to Swift object storage resources in project
`creator`	Secret and certificate management	Create and manage secrets and owned project resources
`observer`	Secret and certificate read-only access	Read-only access to secrets and containers in Barbican
`load-balancer_observer`	Load balancer read-only access	Read-only access to load balancer APIs and configurations

Restricting Access with Access Rules

Application Credentials can be further restricted using Access Rules to limit permissions to specific API endpoints and HTTP methods. This provides granular control beyond role-based permissions.

Whenever Specific Permissions Are Needed

If your application only needs to read data from a specific service (e.g., only list volumes, only view images), use Access Rules with GET methods instead of assigning a broad role like member. This follows the principle of least privilege and limits the blast radius in case of credential compromise.

Service Names for Access Rules

The service field in access rules uses Keystone service names. Here are the correct names for Infomaniak Public Cloud services:

Display Name	Access Rule Service Name
Cinder (v3)	`volumev3`
Glance	`image`
Nova	`compute`
Neutron	`network`
Designate	`dns`
Barbican	`key-manager`
Swift	`object-store`

CLI Syntax

Access Rules are passed as a JSON array when creating the credential:

openstack application credential create <name> \
    --role <role> \
    --access-rules '[
      {"service": "<service-name>", "method": "<HTTP_METHOD>", "path": "<path>"},
      ...
    ]' \
    --description "Description"

Path Format in Access Rules

The path in access rules uses the API path without the service prefix. For example:

Service	Access Rule Path	Actual Endpoint
Cinder	`/v3/**`	`/volume/v3/**`
Nova	`/v2.1/servers`	`/compute/v2.1/servers`
Glance	`/v2/images`	`/image/v2/images`
Swift	`/v1/AUTH_...`	`/object/v1/AUTH_...`

Use ** as wildcard for recursive matching.

Examples by Service

Cinder — Read-Only Volume Access

openstack application credential create my-cinder-reader \
    --role member \
    --role reader \
    --access-rules '[
      {"service": "volumev3", "method": "GET", "path": "/v3/"},
      {"service": "volumev3", "method": "GET", "path": "/v3/**"}
    ]' \
    --description "Reader-only Cinder volumev3"

Nova — Read-Only Compute Access

openstack application credential create my-nova-reader \
    --role member \
    --role reader \
    --access-rules '[
      {"service": "compute", "method": "GET", "path": "/v2.1/servers"},
      {"service": "compute", "method": "GET", "path": "/v2.1/servers/detail"},
      {"service": "compute", "method": "GET", "path": "/v2.1/servers/**"},
      {"service": "compute", "method": "GET", "path": "/v2.1/flavors"},
      {"service": "compute", "method": "GET", "path": "/v2.1/flavors/**"},
      {"service": "compute", "method": "GET", "path": "/v2.1/os-keypairs"},
      {"service": "compute", "method": "GET", "path": "/v2.1/os-keypairs/**"}
    ]' \
    --description "Reader-only Nova compute"

Barbican — Read-Only Secret Access

openstack application credential create my-barbican-reader \
    --role creator \
    --access-rules '[
      {"service": "key-manager", "method": "GET", "path": "/v1/"},
      {"service": "key-manager", "method": "GET", "path": "/v1/secrets"},
      {"service": "key-manager", "method": "GET", "path": "/v1/secrets/**"},
      {"service": "key-manager", "method": "GET", "path": "/v1/containers"},
      {"service": "key-manager", "method": "GET", "path": "/v1/containers/**"}
    ]' \
    --description "Reader-only Barbican secret"

Need More Service Examples?

For complete, per-service Access Rules examples for Glance, Neutron, Designate, Swift, and Octavia, see each service's individual policy documentation linked below.

Region-Specific Role Behaviors

Different regions may have slightly different role behavior. Understanding these differences will help you create correct Application Credentials.

Region `dc3-a`

In region dc3-a, the reader role inherits permissions equivalent to the member role. Always verify the active region before interpreting IAM test results or executing operations.

Region `dc4-a`

In region dc4-a, the member role does not automatically include reader permissions. When creating Application Credentials for the dc4-a region, you must explicitly add both roles:

openstack application credential create \
    --role reader \
    --role member \
    --description "Full access in dc4-a" \
    my-app

Best Practices

Always verify the active region before interpreting IAM test results or executing operations.

Service-Specific Permissions

Select the service documentation below for detailed permission matrices:

Core Infrastructure Services

Compute (Nova) - Virtual machines and server management
Image (Glance) - Image management and sharing
Block Storage (Cinder) - Volumes, snapshots, and backups
Network (Neutron) - Networking and security groups

Advanced Services

Load Balancer (Octavia) - Load balancer configuration
DNS (Designate) - DNS zones and records
Orchestration (Heat) - Infrastructure as Code
Billing (CloudKitty) - Cost tracking and billing
Monitoring (Aodh) - Alarms and monitoring
Key Management (Barbican) - Secrets and certificate management

Next: Choose a service above to view detailed permissions and usage examples for your Application Credentials.