[nova][keystone] Machine identities
Hey guys, I was wondering if OpenStack had an equivalent to Azure's managed identities or AWS's IAM roles for EC2 to give VMs the ability to interact with the API. Are there any existing patterns that people are using for this? Thanks!
Hey, Not yet, but I am working towards that from the Keystone point of view. Sadly it will definitely take quite some time if you also want the VMs to get API authentication, since we would need to align with the Nova team on how it can be provisioned. Regards, Artem ---- typed from mobile, auto-correct typos assumed ---- On Mon, 17 Nov 2025, 03:10 Ricardo Cano <ledsole@gmail.com> wrote:
The short answer is no.
The slightly longer answer is that there have been some experiments with issuing JWT tokens, but nothing was ever upstreamed.
The topic of having a way to securely pass an application credential or bootstrap token has been raised in the past, but no one has really presented a compelling end-to-end approach or worked to enable that upstream. I'm sure some folks have developed extensions via vendor data or other means in private clouds, or have workflows for this; it just is not supported out of the box.
On 17/11/2025 02:08, Ricardo Cano wrote:
This is something that we've been discussing with some of our users, but haven't yet made any progress. Is there anyone on the list who has developed a solution for this?
From: Sean Mooney <smooney@redhat.com> Date: Monday, 17 November 2025 at 08:39 To: Ricardo Cano <ledsole@gmail.com>, openstack-discuss@lists.openstack.org Subject: Re: [nova][keystone] Machine identities
** We have updated our privacy policy, which contains important information about how we collect and process your personal data. To read the policy, please click here<http://www.graphcore.ai/privacy> ** This email and its attachments are intended solely for the addressed recipients and may contain confidential or legally privileged information. If you are not the intended recipient you must not copy, distribute or disseminate this email in any way; to do so may be unlawful. Any personal data/special category personal data herein are processed in accordance with UK data protection legislation. All associated feasible security measures are in place. Further details are available from the Privacy Notice on the website and/or from the Company. Graphcore Limited (registered in England and Wales with registration number 10185006) is registered at, 1 Maple Road, Bramhall, Stockport, Cheshire, UK, SK7 2DH. This message was scanned for viruses upon transmission. However Graphcore accepts no liability for any such transmission.
The experiments with JWT that Sean refers to were probably mine. By coincidence my team have been spending some more time on instance identities, and have successfully authenticated against a multi-namespace OpenBao server using a JWT issued from nova with the following patch: https://github.com/bbc/nova/commit/b5376f4a0358b3972e5b1a274008808f9f0091c1
I think that there are two parts to this. First is issuing an instance identity from nova; my experiment is modelled after the GCP approach: https://docs.cloud.google.com/compute/docs/instances/verifying-instance-iden... (see also https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-iid.html). Second is then being able to usefully use the instance identity once it is issued. We have shown with OpenBao that a JWT can be used to authenticate with a service outside of OpenStack, and we would also like to test against some AWS services and k8s.
Unfortunately none of this has anything to do with authenticating against keystone; it would really be for someone with a better understanding of keystone to decide if authentication via a form of identity tied to a compute instance has a place in OpenStack.
Jonathan.
On 27/11/2025 13:05, Nathan Harper wrote:
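The issue-then-verify flow Jonathan describes, as an added example that is not part of the original thread, the BBC nova patch, or OpenBao's code: a stdlib-only Go program that mints an ES256 instance identity token the way a nova-side issuer might (the GCP-style caller-chosen audience is the one design element taken from the documents linked above), and then verifies it the way a consumer such as OpenBao's jwt auth method does before mapping claims to a role. The issuer URL, the key id, the instance UUIDs and the "project_id" claim name are assumptions of this example, not fields from the linked patch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Claims is this example's assumed claim set for an instance identity token;
// "project_id" and the issuer URL are not taken from the nova patch in the thread.
type Claims struct {
	Iss       string `json:"iss"`        // the cloud's metadata service
	Sub       string `json:"sub"`        // instance UUID
	Aud       string `json:"aud"`        // chosen by the caller, as with GCP's audience parameter
	Iat       int64  `json:"iat"`
	Exp       int64  `json:"exp"`
	ProjectID string `json:"project_id"` // keystone project that owns the instance
}

const issuer = "https://metadata.cloud.example/nova" // assumed issuer identifier

// NewIssuerKey creates the ES256 signing key; only the public half is handed to
// consumers (for example as a JWKS document).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewClaims builds short-lived claims bound to one instance and one audience.
func NewClaims(instanceID, projectID, aud string, now time.Time) Claims {
	return Claims{Iss: issuer, Sub: instanceID, Aud: aud, Iat: now.Unix(),
		Exp: now.Add(10 * time.Minute).Unix(), ProjectID: projectID}
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue mints a compact JWS signed with ES256; the signature is raw R||S (RFC 7518 3.4).
func Issue(key *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": "nova-2025-1"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // P-256: 32-byte R then 32-byte S, each left-padded
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verify is the consumer side, the checks a service such as OpenBao's jwt auth
// method runs before mapping claims to a role: pin the algorithm, verify the
// signature with the issuer's public key, and only then read iss, aud and exp.
func Verify(pub *ecdsa.PublicKey, token, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("alg must be ES256") // rejects alg=none and key-confusion downgrades
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != issuer {
		return nil, errors.New("untrusted issuer")
	}
	if c.Aud != wantAud { // a token minted for another service must not be accepted here
		return nil, errors.New("audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

In OpenBao the same checks are configuration rather than code: the jwt auth method is pointed at the issuer's JWKS or public key, and a role sets bound_audiences and bound_claims (for example on project_id) so that a token minted for another service or another project cannot log in. The audience binding is the part that is easy to skip and costly to omit: without it, a token an instance obtained for one consumer can be replayed to every other consumer that trusts the same issuer.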
participants (5)
- Artem Goncharov
- Jonathan Rosser
- Nathan Harper
- Ricardo Cano
- Sean Mooney