On the contrary, I believe that you have fully understood my problem, and your explanations are very clear. Thank you so much.
I looked at the documentation, it is well explained, I understand what to do.
I'm using kolla-ansible to deploy Wallaby, it's not going to be easy, because changing the default permissions for cinder doesn't look easy.
Thanks again, you've saved me a lot of time, and it's going to help me with what I want to do with my students.
According to this cinder doc [1], it looks like what you're trying to do is valid, to create an image backed by a volume and boot instances from that image.
The problem I see where the "failed to get snapshot" error is raised in nova for the non-admin user, it looks to be a problem with policy access for the GET /snapshots/{snapshot_id} cinder API. Although the image is public, the volume behind it was created by some project and by default the API will allow the admin project or the project that created/owns the volume [2]:
volume:get_snapshot
Default
rule:admin_or_owner
Operations
GET /snapshots/{snapshot_id}
This is why it works when you boot an instance using the admin account. Currently, you would need to change the above rule in the cinder policy.yaml in order to allow a different project than the owner to GET the snapshot.
It's possible this is a bug in nova and that we should be using an elevated admin request context to call GET /snapshots/{snapshot_id} if the snapshot is for a volume-backed image.
Hopefully I haven't completely misunderstood what is going on here, if so, please ignore me. :)