Hi All,
Is it possible for a user logging in via an OIDC provider to generate application credentials?
When I try it, I get an error about there being no role for the user in the project.
We map the users to groups based on assertions in their tokens.
It looks like it would work if we mapped users individually to local users in Keystone and then gave those roles. I would prefer to avoid using per-user mappings for this if possible, as it would be a lot of extra work for my team.
Alexander Dibbo – Cloud Architect / Cloud Operations Group Leader