[nova][keystone] Machine identities
Hey guys, I was wondering if OpenStack had an equivalent to Azure's managed identities or AWS's IAM roles for EC2 to give VMs the ability to interact with the API. Are there any existing patterns that people are using for this? Thanks!
Hey,
Not yet, but I am working towards that from the Keystone point of view. Sadly it will definitely take quite a time if you also want the VMs to be getting API authentication, since we would need to align with the Nova team on how it can be provisioned.
Regards,
Artem
---- typed from mobile, auto-correct typos assumed ----
On Mon, 17 Nov 2025, 03:10 Ricardo Cano, <ledsole@gmail.com> wrote:
Hey guys,
I was wondering if OpenStack had an equivalent to Azure's managed identities or AWS's IAM roles for EC2 to give VMs the ability to interact with the API. Are there any existing patterns that people are using for this?
Thanks!
The short answer is no. The slightly longer answer is that there have been some experiments with issuing JWT tokens, but nothing was ever upstreamed. The topic of having a way to securely pass an application credential or bootstrap token has been raised in the past, but no one has really presented a compelling end-to-end approach or worked to enable that upstream. I'm sure some folks have developed extensions via vendor data or other means in private clouds, or have workflows for this; it just is not supported out of the box.
On 17/11/2025 02:08, Ricardo Cano wrote:
Hey guys,
I was wondering if OpenStack had an equivalent to Azure's managed identities or AWS's IAM roles for EC2 to give VMs the ability to interact with the API. Are there any existing patterns that people are using for this?
Thanks!
participants (3)
- Artem Goncharov
- Ricardo Cano
- Sean Mooney