Application Credentials in OpenStack Flex

What Are Application Credentials?

Application Credentials are a feature in OpenStack Flex, by way of Identity (Keystone), that allow users to create limited-access tokens for applications or scripts without exposing their primary user password.

They provide a secure and manageable way to let applications authenticate with OpenStack services using a pair of:

• Application Credential ID (or Name)
• Secret (like a password)

Think of them as service accounts or API keys for specific apps, with restricted access and scopes.

IMPORTANT: You cannot use an Application Credential to log into Skyline. Application Credentials are not like normal users and are instead designed for non-interactive, programmatic access — such as scripts, API clients, or automation tools.

Use Cases

• Allowing automation tools to access your OpenStack Flex account without storing your user’s main password
• Delegating limited access to an external tool or team
• Running background tasks or scheduled jobs
• CI/CD pipelines needing programmatic access to OpenStack APIs

How They Differ from Normal Users

Managing Application Credentials in Skyline UI

Skyline is OpenStack Flex' modern web-based dashboard. If you're unfamiliar with accessing or managing your account via the Skyline UI, see this document first

Steps to Create Application Credentials

1. Log in to the Skyline Dashboard with your user credentials.

2. Click the User Icon in the top right and select User Center

3. Click Application Credentials from the left-hand navigation bar.

4. Click Create Application Credentials

5. Fill out the creation form:

   • Name: A friendly identifier (e.g., my-deploy-tool)
   • Expires At (optional): A date which the Application Credential will become invalidated.
   • Roles: Choose the minimal roles this app needs (e.g., reader)
   • Unrestricted (optional): Whether this Application User can create or destroy application credentials.
   • Description (optional): Details on what this Application Credential is for.

6. Click OK
7. Open the JSON File that is automatically downloaded. After creation, your browser should automatically download a JSON file with the name of the Application Credential. Within this file is the secret which is essentially the password for that Application Credential. You'll also see some other details for the credential. Below is an example of the contents of one of these files.

{
  "id": "12d304f3f5ca678c9dd20e59f04188a1",
  "description": "Test_User",
  "project_id": "123b456702c738d12345678910e9d95a",
  "expires_at": "2025-07-04T04:59:59.999000",
  "secret": "7IVY2fIIbsUpRozxmz8xh9briWGyq-Xq9-J6UoqKIz5oIslAvf85TZ29u2K5-slAvf85TZ29-lhLYC4_NxKKw"
}

Viewing Existing Application Credentials

1. Log in to the Skyline Dashboard with your user credentials.

2. Click the User Icon in the top right and select User Center

3. Click Application Credentials from the left-hand navigation bar.

4. You can see:

   • Name
   • Project
   • Expiration
   • Restriction Status
   • Description
   • Roles

IMPORTANT: Credentials cannot be edited, only revoked and/or recreated!

Revoking Application Credentials

1. In the Application Credentials list, click Delete next to the desired credential
2. Select Confirm
3. The Application Credential will now be revoked and no longer listed. Once revoked, that credential ID/secret pair will no longer work.

Example: Using Application Credentials with OpenStack CLI

export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://keystone.api.dfw3.rackspacecloud.com/v3
export OS_APPLICATION_CREDENTIAL_ID=<app_cred_id>
export OS_APPLICATION_CREDENTIAL_SECRET=<app_cred_secret>

Now you can use openstack CLI commands without relying on your username/password or an unscoped token.

Security Considerations

• Keep secrets in a secure secret store or environment variable
• Follow the rule of least privilege
• Revoke unused or compromised credentials immediately
• Rotate credentials regularly
• Avoid hardcoding secrets in code