Manage application credentials

Application credentials are a mechanism in the MOSK Identity service (Keystone) that lets application automation tools, such as shell scripts, Terraform modules, and Python programs, authenticate to the cloud API and perform the actions needed to deploy and manage application components, without being given the cloud user's own password.

Historically, dedicated technical user accounts were created for application automation tools. The application credentials mechanism has significant advantages over that legacy approach in the following areas.

Self-service

Cloud users manage application credential objects entirely on their own, without having to involve cloud operators.

Note

Application credentials are owned by the cloud user who created them, not by the project, domain, or system they grant access to. Non-admin users can only see and manage application credentials that they created themselves. Because a credential depends on its owner, it is deleted together with the owner's user account, so automation that relies on the credential of a departing team member stops working at that point.

Security

Cloud users creating application credentials have control over the actions that automation tools will be allowed to perform on their behalf by the following:

  • Restricting the tool to specific cloud API services, request methods, and paths (access rules)

  • Delegating to the tool just a subset of the owner’s roles

  • Restricting the tool from creating new application credential objects or trusts

  • Defining the validity period for a credential

Simplicity

If a credential is compromised, the automation tools that use it can be switched to a new object quickly, without touching the user account itself.

Usage limitations

  • For security reasons, a cloud user who logs in to the cloud through the Mirantis Container Cloud IAM or an external identity provider cannot use the application credentials mechanism by default. To enable the functionality, contact your cloud operator.

  • MOSK Object Storage service does not support application credentials authentication to access S3 API. To authenticate in S3 API, use the EC2 credentials mechanism.

  • MOSK Object Storage service has limited support for application credentials when accessing Swift API. The service does not accept application credentials with restrictions to allowed API endpoints.

Create an application credential using CLI

You can create an application credential using the OpenStack CLI or Horizon. To create one using the CLI, use the openstack application credential create command.

If you do not provide a secret, one is generated automatically.

Warning

The application credential secret is displayed only once, upon creation, and cannot be recovered from the Identity service afterwards. Capture the secret string from the command output and store it in a safe place, such as a secrets manager, for future use.

When creating application credentials, you can limit their capabilities depending on the security requirements of your deployment:

  • Define expiration time.

  • Limit the roles of an application credential to only a subset of roles that the user creating the credential has.

  • Pass a list of allowed API paths and actions, known as access rules, that the application credential may use. For the comprehensive list of options available when creating credentials, consult the upstream OpenStack documentation.

  • Restrict an application credential from creating another application credential or a trust.

    Note

    This is the default behavior, but depending on what the application credential is used for, you may need to loosen this restriction.

An application credential will be created with access to the scope of your current session. For example, if your current credential is scoped to a specific project, domain, or system, the created application credential will have access to the same scope.
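The following script is an added example and is not part of the MOSK documentation. It puts the options above together: it creates a restricted application credential with one delegated role, an expiry date, and access rules limited to read-only compute calls, captures the ID and the one-time secret from the CLI output, and writes them into a clouds.yaml file that only the owner can read. It assumes that openstack(1) is installed, that the shell already holds a working session for the user who will own the credential (OS_* variables or a clouds.yaml entry), that OS_AUTH_URL is set, and that this user holds the member role; the credential name, the expiry date, and the access-rule paths are sample values.

```sh
#!/bin/sh
# Added example, not part of the MOSK documentation. Creates a restricted
# application credential with the openstack CLI and stores its ID and
# secret in an owner-readable clouds.yaml. Assumes an authenticated
# session for the owning user, OS_AUTH_URL set, and the "member" role.
set -eu

# Emit the JSON list that --access-rules expects. Arguments come in
# triples: service method path. A "*" in the path matches one path segment.
build_access_rules() {
  rules=""
  while [ "$#" -ge 3 ]; do
    rule=$(printf '{"service":"%s","method":"%s","path":"%s"}' "$1" "$2" "$3")
    rules="${rules:+$rules,}$rule"
    shift 3
  done
  printf '[%s]' "$rules"
}

# Create the credential and print its ID and secret, one per line.
# -f value -c id -c secret limits the output to those two fields; the
# secret is shown only here and cannot be read back from Keystone.
create_app_cred() {
  name=$1
  expiration=$2   # YYYY-mm-ddTHH:MM:SS, the format the CLI expects
  shift 2
  openstack application credential create \
    --role member \
    --expiration "$expiration" \
    --restricted \
    --access-rules "$(build_access_rules "$@")" \
    -f value -c id -c secret "$name"
}

# Write a clouds.yaml entry for the new credential, readable by the owner only.
write_clouds_yaml() {
  file=$1
  id=$2
  secret=$3
  umask 077
  cat > "$file" <<EOF
clouds:
  tf-compute-ro:
    auth_type: v3applicationcredential
    auth:
      auth_url: ${OS_AUTH_URL}
      application_credential_id: ${id}
      application_credential_secret: ${secret}
EOF
}

# Run as: sh create-app-cred.sh create
if [ "${1-}" = "create" ]; then
  out=$(create_app_cred tf-compute-ro 2030-01-01T00:00:00 \
          compute GET /v2.1/servers \
          compute GET '/v2.1/servers/*' \
          compute GET /v2.1/flavors)
  write_clouds_yaml clouds-tf-compute-ro.yaml \
    "$(printf '%s\n' "$out" | sed -n 1p)" \
    "$(printf '%s\n' "$out" | sed -n 2p)"
  echo "credential written to clouds-tf-compute-ro.yaml"
fi
```

The credential inherits the scope of the session that creates it, so the clouds.yaml entry needs no project or domain fields. Remember that the MOSK Object Storage Swift API rejects application credentials that carry access rules, so omit the --access-rules option for credentials that must talk to Swift.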

Create an application credential through Horizon

  1. In the Identity panel, select Application Credentials.

    In this view, you can list, create, and delete application credentials as well as display details of a specific application credential.

  2. Click Create Application Credential.

    In the wizard that opens, fill in the required fields and download clouds.yaml or an RC file to authenticate with the created application credential.

Authenticate with an application credential

To authenticate in a MOSK cloud using an application credential, you need to know the ID and secret of the application credential.

When using the human-readable name of an application credential instead of its ID, you also have to supply the user ID or the user name with the user domain ID or name. These details are required for the Identity service (Keystone) to resolve your application credential, since different users may have application credentials with the same name.

The following example illustrates a snippet from an RC file with required environment variables using the application credential name:

export OS_AUTH_URL="https://keystone.it.just.works/v3"
export OS_AUTH_TYPE=v3applicationcredential
export OS_APPLICATION_CREDENTIAL_NAME=myappcreds
export OS_APPLICATION_CREDENTIAL_SECRET=supersecret
export OS_USERNAME=demo
export OS_USER_DOMAIN_NAME=Default

The following example illustrates a snippet of an entry in clouds.yaml using the application credential ID:

clouds:
  my-app:
    auth_type: v3applicationcredential
    auth:
      auth_url: https://keystone.it.just.works/v3
      application_credential_id: 21dced0fd20347869b93710d2b98aae0
      application_credential_secret: supersecret

Using OpenStack CLI explicit arguments

Use the following openstackclient explicit arguments while authenticating with an application credential:

openstack --os-auth-type v3applicationcredential \
          --os-auth-url https://keystone.it.just.works/v3 \
          --os-application-credential-name my-appcreds \
          --os-application-credential-secret supersecret \
          --os-username demo \
          --os-user-domain-name Default \
          <ANY OSC COMMAND>

Using shell scripting

The following curl command requests a Keystone token using the application_credential authentication method:

curl -X POST https://keystone.it.just.works/v3/auth/tokens \
     -i -H "Content-Type: application/json" \
     -d '{"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id": "21dced0fd20347869b93710d2b98aae0","secret": "supersecret"}}}}'

The token is returned in the X-Subject-Token response header; the response body describes the user, scope, effective roles, and service catalog. Note that passing the secret as a command-line argument, as in this example, exposes it in the shell history and in the process list of the host. In scripts, read it from an environment variable or a file instead.
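The following script is an added example and is not part of the MOSK documentation. It performs the same token request as the curl command above, but feeds the request body to curl through stdin so the secret never appears on a command line, then extracts the token from the X-Subject-Token header and the expiry from the body. It assumes that OS_AUTH_URL, OS_APPLICATION_CREDENTIAL_ID, and OS_APPLICATION_CREDENTIAL_SECRET are exported and that curl(1) is available. The sample response at the bottom is constructed for offline testing, not captured from a real deployment.

```sh
#!/bin/sh
# Added example, not part of the MOSK documentation. Obtains a Keystone
# token with an application credential and parses it out of the response.
# Assumes OS_AUTH_URL, OS_APPLICATION_CREDENTIAL_ID and
# OS_APPLICATION_CREDENTIAL_SECRET are exported.
set -eu

# JSON body for the application_credential auth method, keyed by credential ID.
auth_body() {
  printf '{"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id":"%s","secret":"%s"}}}}' "$1" "$2"
}

# Read a raw HTTP response (status line, headers, blank line, body) on
# stdin and print the X-Subject-Token value. Header names are
# case-insensitive, and CRLF line endings are stripped first.
subject_token() {
  tr -d '\r' | awk 'NF == 0 { exit }   # the blank line ends the headers
                    tolower($1) == "x-subject-token:" { print $2 }'
}

# Pull expires_at out of the token body so the caller knows when to renew.
token_expiry() {
  tr -d '\r' | sed -n 's/.*"expires_at": *"\([^"]*\)".*/\1/p'
}

# POST the body via stdin (-d @-) so the secret is not visible in the
# process list, as it would be with -d '{...}' on the command line.
get_token() {
  resp=$(auth_body "$OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_SECRET" |
         curl -sS -i -H 'Content-Type: application/json' -d @- \
              "$OS_AUTH_URL/auth/tokens")
  tok=$(printf '%s\n' "$resp" | subject_token)
  if [ -z "$tok" ]; then
    # No token header: Keystone rejected the credential (expired, deleted,
    # wrong secret) or the request never reached it. Report the status line.
    echo "token request failed: $(printf '%s\n' "$resp" | head -n 1)" >&2
    return 1
  fi
  printf '%s\n' "$tok"
}

# Constructed sample response (not captured from a real deployment) to
# exercise the parsers offline.
SAMPLE_RESPONSE='HTTP/1.1 201 CREATED
Content-Type: application/json
X-Subject-Token: gAAAAABexampletoken
Content-Length: 120

{"token": {"methods": ["application_credential"], "expires_at": "2030-01-01T00:00:00.000000Z", "roles": [{"name": "member"}]}}'

# Run as: sh get-token.sh token
if [ "${1-}" = "token" ]; then
  get_token
fi
```

To look the credential up by name instead of ID, replace the id field of the application_credential object with name and add a user object carrying the user name and the user domain, matching the RC file example above. Tokens obtained this way carry the delegated roles only; anything outside the credential's access rules is refused by the service even though the token itself is valid.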

Rotate an application credential

If an application credential becomes invalid, because it expired or its owner left the team, or is compromised because its secret was exposed, Mirantis recommends rotating it immediately as follows:

  1. Create a new application credential with the same permissions.

  2. Adjust the automation tooling configuration to use the new object.

  3. Delete the old object. This can be performed by the owner-user or cloud operator.