Hello Ryan,

We actually faced a similar situation and we extended Keystone to support the concept of Project bound credentials, which means credentials that are owned by a project and not by a user. Therefore, the credentials are shared by all users of a project. The spec is the following: https://review.opendev.org/c/openstack/keystone-specs/+/766725

We have it already running in PROD for over 6 months now, and it is also integrated with RadosGW<>Keystone authentication.

On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon@gmail.com> wrote:
Hello all,
Relatively new to OpenStack.
To my understanding, application credentials are bound to users. Is there a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive thought on a possible solution is that if a group has access to a Project, a "generic" user account that everybody has access to could be used for the application credentials. (The use case here is to not bind an app cred to an individual who might leave the organization, thus making the app cred secret lost.)
Thanks,
Ryan
-- Rafael Weingärtner