
Can openstack curl support v3applicationcredential authentication method?


As we know, we can retrieve a token with user/password from OpenStack and then use this token to send requests with "curl" to OpenStack instead of commands. And to retrieve that token we usually use user/password. But if it's logged in a script, it will be at risk of password leaking... In the meantime, we can use v3applicationcredential for OpenStack API authentication, e.g. in the openrc file we can put it like this:

vsa11061573:/home/i331281/loadbalancer/openrc # cat secret_NEO-LA-BR-1-FACTORYBR1
export OS_AUTH_URL=https://identity-3.la-br-1.cloud.sap/v3
export OS_AUTH_TYPE=v3applicationcredential
export OS_REGION_NAME=la-br-1
export OS_APPLICATION_CREDENTIAL_ID=975b3757b0704babac512ca9a80aeaa2
export OS_APPLICATION_CREDENTIAL_SECRET=MKVHS88mDv0W1KhiGQL9__UsHNuTVVfFaR-oweW-liVmljt8VkcJw4FUcA2MxAPn5ndEB__GqgwTYpV8oBWFLQ

But to use curl to perform an OpenStack operation, we need to retrieve a token with AUTH like this:

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "user00001",
          "domain": { "name": "mydomain" },
          "password": "password0000011111"
        }
      }
    },
    "scope": {
      "project": {
        "name": "myproject",
        "domain": { "name": "mydomain" }
      }
    }
  }
}' \
  "https://identity-3.eu-de-1.cloud.sap/v3/auth/tokens"

Here the auth method is "Password", and in the supported list:

keystone.auth.plugins.external.Base
keystone.auth.plugins.mapped.Mapped
keystone.auth.plugins.oauth1.OAuth
keystone.auth.plugins.password.Password
keystone.auth.plugins.token.Token
keystone.auth.plugins.totp.TOTP

I can't find that v3applicationcredential, but from https://docs.openstack.org/keystone/queens/user/application_credentials.html we can see that this v3applicationcredential authentication method is supported. So here's the question: can we retrieve a token with curl using this v3applicationcredential auth method? And if yes, how do we get it? Thanks in advance for your help.

Regards Eisen


Solution

  • Yes, everything that you can do with the openstack command line you can do with curl since they are HTTP requests in both cases.

    The name of the method is application_credential and the required attributes are id and secret. Scope is not required since scope information is already contained within the application credential.

    Inserting that information into the example you provided we get:

    curl -i \
      -H "Content-Type: application/json" \
      -d '
    { "auth": {
        "identity": {
          "methods": ["application_credential"],
          "application_credential": {
            "id": "<ID>",
            "secret": "<SECRET>"
          }
        }
      }
    }' \
      "https://identity-3.eu-de-1.cloud.sap/v3/auth/tokens"
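
An added example, not part of the original question or answer: a shell wrapper around the request above that reads the ID and secret from the openrc variables shown in the question and sends the body over stdin, so the secret never appears in the script text or in curl's argument list. The function names are hypothetical; Keystone returns the issued token in the X-Subject-Token response header.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes the openrc file from the question has been sourced, so OS_AUTH_URL,
# OS_APPLICATION_CREDENTIAL_ID and OS_APPLICATION_CREDENTIAL_SECRET are set.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the application_credential request body from the environment.
# No "scope" block: the scope is carried by the application credential itself.
build_auth_body() {
  [ -n "${OS_APPLICATION_CREDENTIAL_ID:-}" ] &&
    [ -n "${OS_APPLICATION_CREDENTIAL_SECRET:-}" ] || {
    echo "application credential variables are not set" >&2
    return 1
  }
  printf '{"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id":"%s","secret":"%s"}}}}' \
    "$(json_escape "$OS_APPLICATION_CREDENTIAL_ID")" \
    "$(json_escape "$OS_APPLICATION_CREDENTIAL_SECRET")"
}

# Read HTTP response headers on stdin and print the X-Subject-Token value.
# Header names are matched case-insensitively (HTTP/2 sends them lowercase).
extract_token() {
  tr -d '\r' | awk -F': *' 'tolower($1) == "x-subject-token" { print $2; exit }'
}

# Request a token. The body is piped to curl (--data-binary @-), so the secret
# is not visible in the process list and is not written to a temp file.
get_token() {
  body=$(build_auth_body) || return 1
  token=$(printf '%s' "$body" |
    curl -sS -o /dev/null -D - \
      -H "Content-Type: application/json" \
      --data-binary @- \
      "${OS_AUTH_URL%/}/auth/tokens" | extract_token)
  [ -n "$token" ] || { echo "no X-Subject-Token in response" >&2; return 1; }
  printf '%s\n' "$token"
}

# Usage (after sourcing the openrc file):
#   TOKEN=$(get_token) && curl -H "X-Auth-Token: $TOKEN" <service endpoint>
```

Keep the openrc file readable only by its owner (for example mode 600), and avoid `set -x` or `curl -v` in scripts that call this, since both would write the credential or the token to the log.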