Re: [keystone] application creds issue with permission
Hi Artem,

You are 100% correct here. I have noticed that as soon as I give it the reader role, it works. Thank you!

On Tue, Mar 12, 2024 at 4:02 PM Artem Goncharov <artem.goncharov@gmail.com> wrote:
Can you please check which roles are bound to the appcred? The reason I am asking is https://review.opendev.org/c/openstack/keystone/+/910337 (wrong treatment of implied roles when you create an appcred explicitly specifying a role that implies another role; basically, if you create an appcred with the member role, the reader role is not given).

---- typed from mobile, auto-correct typos assumed ----
On Tue, Mar 12, 2024, 20:57 Satish Patel <satish.txt@gmail.com> wrote:
Folks,
I am running the 2023.1 release of OpenStack using kolla-ansible. I have integrated it with LDAP and everything works fine. But today, when I created application creds and used them to access the OpenStack API, I got all kinds of strange auth errors.
#!/usr/bin/env bash
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://openstack-eng.example.com:5000
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="eng"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=ee17300916b1401f912f6140ce9cd642
export OS_APPLICATION_CREDENTIAL_SECRET=XXXXXXXXX

# openstack server list
ForbiddenException: 403: Client Error for url: https://openstack-eng.example.com:8774/v2.1/servers/detail?deleted=False, Policy doesn't allow os_compute_api:servers:detail to be performed.

# openstack image list
ForbiddenException: 403: Client Error for url: https://openstack-eng.example.com:9292/v2/images, You are not authorized to complete get_images action.
What is wrong here? I have one more OpenStack setup which is not using LDAP, and in that cloud application creds work fine.
# cat /etc/keystone/keystone.conf

[DEFAULT]
debug = False
transport_url = hiding....
log_file = /var/log/kolla/keystone/keystone.log
use_stderr = True

[oslo_middleware]
enable_proxy_headers_parsing = True

[database]
connection = mysql+pymysql://keystone:hiding...@openstack-eng.example.com:3306/keystone
connection_recycle_time = 10
max_pool_size = 1
max_retries = -1

[identity]
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains

[token]
revoke_by_id = False
provider = fernet
expiration = 86400
allow_expired_window = 172800

[fernet_tokens]
max_active_keys = 3

[cache]
backend = oslo_cache.memcache_pool
enabled = True
memcache_servers = 10.0.25.201:11211,10.0.25.202:11211,10.0.25.203:11211

[oslo_messaging_notifications]
transport_url = rabbit://openstack:hiding....
driver = noop

[oslo_messaging_rabbit]
heartbeat_in_pthread = True
amqp_durable_queues = true
rabbit_quorum_queue = true
kombu_reconnect_delay = 0.5
rabbit_transient_queues_ttl = 60
# cat /etc/keystone/domains/keystone.eng.conf

# Ansible managed

[identity]
driver = ldap

[ldap]
debug_level = 4095
group_allow_create = False
group_allow_delete = False
group_allow_update = False
group_id_attribute = cn
hiding....
hiding....
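The diagnosis in this thread is that the application credential was bound only to the role given explicitly (member) and did not pick up the role that member implies (reader). The following script is an added example, not keystone's own code and not from either poster: it expands a set of explicitly bound roles through role-inference rules (prior role implies another role) and reports which implied roles an application credential is missing compared with what a normally scoped token would carry. The rule table is constructed for the example; the admin implies member implies reader chain is the one keystone-manage bootstrap creates by default, while "auditor" is a made-up custom role included only to show that chains of any shape are followed. The role names themselves would in practice be read from `openstack application credential show <id>` and `openstack implied role list`.

```python
# Added example (not keystone's code): expand explicitly bound roles through
# implied-role rules and report what an application credential is missing.
from collections import deque

# Constructed rule table: prior role -> set of roles it implies.
# admin -> member -> reader is keystone's default bootstrap chain;
# "auditor" is a hypothetical custom role added for illustration.
IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
    "auditor": {"reader"},
}


def expand_roles(explicit, implied=IMPLIED_ROLES):
    """Return the closure of `explicit` under the implied-role rules.

    Breadth-first walk over the rule graph; `seen` both collects the result
    and guards against cycles in a misconfigured rule set.
    """
    seen = set(explicit)
    queue = deque(explicit)
    while queue:
        role = queue.popleft()
        for implied_role in implied.get(role, ()):
            if implied_role not in seen:
                seen.add(implied_role)
                queue.append(implied_role)
    return seen


def missing_implied_roles(appcred_roles, implied=IMPLIED_ROLES):
    """Roles a token scoped to `appcred_roles` should carry but does not.

    `appcred_roles` is the list of role names bound to the application
    credential; the return value is the sorted list of implied roles that
    are absent from that explicit binding.
    """
    return sorted(expand_roles(appcred_roles, implied) - set(appcred_roles))


def diagnose(appcred_roles, implied=IMPLIED_ROLES):
    """One-line summary of the check, for a troubleshooting note."""
    missing = missing_implied_roles(appcred_roles, implied)
    if not missing:
        return "ok: application credential carries all implied roles"
    return ("implied roles not bound to the application credential: "
            + ", ".join(missing))


if __name__ == "__main__":
    # The situation in the thread: credential created with "member" only,
    # so API policies that accept "reader" see no matching role.
    print(diagnose(["member"]))
    # After binding "reader" explicitly (the workaround that worked above).
    print(diagnose(["member", "reader"]))
```

The check is deliberately independent of any keystone API so it can be run offline against role lists copied from the CLI; when the list of missing roles is non-empty, binding those roles explicitly at creation time is the workaround the thread confirms.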