Hi Ahmad,

I replied in another thread, which suggested not to use metadata at all, as it's not designed to store or transmit passwords at all, especially in light of https://wiki.openstack.org/wiki/OSSN/OSSN-0074

But likely you have not received it.

But I think there is actually a safe way (which is still discouraged in general) of having a password auth on login through os-server-password API in Nova:

https://docs.openstack.org/api-ref/compute/#servers-password-servers-os-server-password

Though, it would need a modification of all images, or supplying more metadata to them.

1. You'd need to have a script like this: https://paste.openstack.org/show/bn7fIrRf8Olkni9cI4QT/

2. Add to cloud.cfg: https://paste.openstack.org/show/b1kcVmdbkWC2OUZL9yg3/

3. In Horizon local_settings add "OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True"

What this flow will do:

1. A random password is being generated and set for user `clouduser`

2. A password is being encrypted with public part of SSH key, which you supplied for instance

3. Encrypted version of the password is sent back to the metadata

4. In horizon you can fetch the password from the metadata and decrypt it using your SSH private key

I'd suggest to additionally modify the script/image to expire the password after the first login, as well as to prohibit password auth via SSH.

But I can totally get why password auth might be valuable, especially in cases where instance get misconfigured and need to have a way to login via console.

вт, 14 окт. 2025 г. в 17:44, Ahmad Milad Pour <miladpourahmad94@gmail.com>:

Hello Hamid,

Thanks for the reply. I know this way, but I'm looking for another way to pass the password as metadata.

Do you know any other ways?

Regards,
Ahmad

On Tue, Oct 14, 2025 at 1:50 PM <hamid.lotfi@gmail.com> wrote:
Hi Ahmad,
When creating an instance in OpenStack, you can use the --user-data option to pass a cloud-init configuration file to the instance at boot time. This file allows you to automate initial setup tasks such as setting a user password, configuring the timezone, installing packages, or running custom scripts.

https://docs.openstack.org/nova/2024.1/user/metadata.html#user-data

Example:
cloud-init.yml
=============
#cloud-config
timezone: Asia/Tehran
user: ahmad
password: ahmad
chpasswd: { expire: False }
ssh_pwauth: True

Create Instance:
openstack server create --image ubuntu-x86_64 --flavor ubuntu --network internal --user-data cloud-init.yml vm1