The experiments with JWT that Sean refers to were probably mine.

By co-incidence my team have been spending some more time on instance identities, and have successfully authenticated against a multi-namespace OpenBao server using a JWT issued from nova with the following patch

https://github.com/bbc/nova/commit/b5376f4a0358b3972e5b1a274008808f9f0091c1

I think that there are two parts to this. First is issuing an instance identity from nova, my experiment is modelled after the GCP approach.

https://docs.cloud.google.com/compute/docs/instances/verifying-instance-identity
(see also https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-iid.html)

Second is then being able to usefully use the instance identity once it is issued. We have shown with OpenBao that a JWT be used to authenticate with a service outside of OpenStack, and we would also like to test against some AWS services and k8s.

Unfortunately none of this has anything to do with authenticating against keystone, it would be really for someone with a better understanding of keystone to decide if authentication via a form of identity tied to a compute instance has a place in OpenStack.

Jonathan.

On 27/11/2025 13:05, Nathan Harper wrote:
This is something that we’ve been discussing with some of our users, but haven’t yet made any progress.   Is there anyone on the list who has developed a solution for this?

From: Sean Mooney <smooney@redhat.com>
Date: Monday, 17 November 2025 at 08:39
To: Ricardo Cano <ledsole@gmail.com>, openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: Re: [nova][keystone] Machine identities

the short answer is no.

the slightly longer anaswer is there has been some experimets with
issuign jwt tokens but
nothing was ever upstreamed.

the topic of having a way to securely pass a application credital or
bootstrap token has beed raised
in the past but no won has really presented a compelling end to end
approch or worked to enable that upstream.
im sure some folks have developed exteions via vendor dat or other means
in private clouds or have workflows for this
it just is not supported out of hte box

On 17/11/2025 02:08, Ricardo Cano wrote:
> Hey guys,
>
> I was wondering if openstack had an equivalent to Azure's managed
> identities or AWS's IAM roles for ec2 to give vm's the ability to
> interact with the api.  Are there any existing patterns that people
> are using for this?
>
>
> Thanks!
>



** We have updated our privacy policy, which contains important information about how we collect and process your personal data. To read the policy, please click here **

This email and its attachments are intended solely for the addressed recipients and may contain confidential or legally privileged information.
If you are not the intended recipient you must not copy, distribute or disseminate this email in any way; to do so may be unlawful.

Any personal data/special category personal data herein are processed in accordance with UK data protection legislation.
All associated feasible security measures are in place. Further details are available from the Privacy Notice on the website and/or from the Company.

Graphcore Limited (registered in England and Wales with registration number 10185006) is registered at, 1 Maple Road, Bramhall, Stockport, Cheshire, UK, SK7 2DH.
This message was scanned for viruses upon transmission. However Graphcore accepts no liability for any such transmission.