Project-scoped app creds - Best practice

Ryan Bannon ryan.bannon at
Fri Nov 26 17:17:58 UTC 2021

Hi all,

Rafael, thanks for the notes! That's a great initiative. Although it looks
like it has stalled in the review phase...? (I'm new to interpreting the
development workflow for OpenStack.)

To all: does anybody else have input on how they solved this issue?



On Thu, Nov 25, 2021 at 6:21 PM Rafael Weingärtner <
rafaelweingartner at> wrote:

> Hello Ryan,
> We actually faced a similar situation and we extended Keystone to support
> the concept of Project bound credentials, which means, credentials that are
> owned by a project and not by a user. Therefore, the credentials are shared
> by all users of a project.
> The spec is the following:
> We have it already running in PROD for over 6 months now, and it is also
> integrated with RadosGW<>Keystone authentication.
> On Thu, Nov 25, 2021 at 7:53 PM Ryan Bannon <ryan.bannon at> wrote:
>> Hello all,
>> Relatively new to OpenStack.
>> To my understanding, application credentials are bound to users. Is there
>> a way to bind them to Projects (I assume not) or, perhaps, Groups? My naive
>> thought on a possible solution is that if a group has access to a Project,
>> a "generic" user account that everybody has access to could be used for the
>> application credentials. (The use case here is to not bind an app cred to
>> an individual who might leave the organization, thus making the app cred
>> secret lost.)
>> Thanks,
>> Ryan
> --
> Rafael Weingärtner
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openstack-discuss mailing list