Project-scoped app creds - Best practice

Rafael Weingärtner rafaelweingartner at
Thu Nov 25 23:20:28 UTC 2021

Hello Ryan,
We actually faced a similar situation and we extended Keystone to support
the concept of Project-bound credentials, which means credentials that are
owned by a project and not by a user. Therefore, the credentials are shared
by all users of a project.

The spec is the following:

We have it already running in PROD for over 6 months now, and it is also
integrated with RadosGW<>Keystone authentication.

On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon at> wrote:

> Hello all,
> Relatively new to OpenStack.
> To my understanding, application credentials are bound to users. Is there
> a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive
> thought on a possible solution is that if a group has access to a Project,
> a "generic" user account that everybody has access to could be used for the
> application credentials. (The use case here is to not bind an app cred to
> an individual who might leave the organization, thus making the app cred
> secret lost.)
> Thanks,
> Ryan

Rafael Weingärtner