Overview

Application credentials allow automation pipelines, CI/CD systems, and service accounts to authenticate without embedding user passwords. They are scoped to the user’s current project and role assignments, and can be restricted further to a specific subset of roles or API paths. Unlike user passwords, application credentials have explicit expiry dates and can be revoked independently.
Prerequisites
  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
  • API credentials sourced (source admin-openrc.sh)
Application credentials are bound to the creating user. If that user is disabled or deleted, all their application credentials are invalidated immediately. For long-lived service accounts, create a dedicated service user to own the credentials.

Create an Application Credential

Navigate to Application Credentials

Log in as the user who will own the credential. Navigate to Identity → Application Credentials and click Create Application Credential.

Configure the credential

Field | Description
Name | Descriptive identifier (e.g., ci-pipeline-prod)
Secret | Leave blank to auto-generate a cryptographically secure secret
Expiration Date | Set an expiry for credentials used in short-lived pipelines
Roles | Restrict to a subset of your role assignments (optional)
Access Rules | Limit the credential to specific API paths and HTTP methods

Save the credential securely

After creation, the Dashboard displays the credential ID and secret once. Download the clouds.yaml snippet for immediate use.
The secret is shown only once and cannot be retrieved again. Store it in a secrets manager (such as Xloud Key Management or HashiCorp Vault) immediately after creation.

Authenticate with Application Credentials

Application credentials replace user passwords in the clouds.yaml configuration file.

Add to clouds.yaml

Add the following to your ~/.config/openstack/clouds.yaml:
clouds:
  xloud-ci:
    auth:
      auth_url: https://api.<your-domain>:5000/v3
      application_credential_id: "<CREDENTIAL_ID>"
      application_credential_secret: "<CREDENTIAL_SECRET>"
    auth_type: v3applicationcredential
    region_name: RegionOne

Test the credential

Verify authentication with the credential
openstack --os-cloud xloud-ci token issue
A token is issued — the credential is valid and functional.

Access Rules

Access rules restrict a credential to specific API operations, providing fine-grained control beyond role-level permissions.
Create credential with access rules
openstack application credential create \
  --description "Image upload only" \
  --access-rules '[
    {"path": "/v2/images", "method": "POST", "service": "image"},
    {"path": "/v2/images/**", "method": "PUT", "service": "image"}
  ]' \
  image-uploader
Field | Description
path | API path pattern (supports ** wildcard)
method | HTTP method: GET, POST, PUT, DELETE, PATCH
service | Service type: compute, image, identity, volume, network
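
The following Python sketch is an added example, not Xloud code: it checks an access-rule list against the field table above before it is passed to --access-rules, and shows which requests the image-uploader rules would admit. It assumes upstream Keystone wildcard semantics (** spans path separators, a single * stays within one segment); the function names are hypothetical.

```python
import json
import re

# Allowed values, taken from the field table on this page.
METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}
SERVICES = {"compute", "image", "identity", "volume", "network"}
REQUIRED = {"path", "method", "service"}

# Rule list from the page's image-uploader example.
RULES = json.loads("""[
  {"path": "/v2/images", "method": "POST", "service": "image"},
  {"path": "/v2/images/**", "method": "PUT", "service": "image"}
]""")


def validate(rules):
    """Return a list of problems; an empty list means the rules look sane."""
    problems = []
    for i, rule in enumerate(rules):
        missing = REQUIRED - set(rule)
        if missing:
            problems.append(f"rule {i}: missing {sorted(missing)}")
            continue
        if rule["method"] not in METHODS:
            problems.append(f"rule {i}: unknown method {rule['method']!r}")
        if rule["service"] not in SERVICES:
            problems.append(f"rule {i}: unknown service {rule['service']!r}")
        if not rule["path"].startswith("/"):
            problems.append(f"rule {i}: path must start with '/'")
        if rule["path"] == "/**":
            problems.append(f"rule {i}: '/**' covers every path of the service")
    return problems


def pattern_to_regex(pattern):
    # Assumption (upstream Keystone semantics, not stated on this page):
    # '**' matches across '/' separators, '*' matches within one segment.
    table = {"**": ".*", "*": "[^/]+"}
    parts = re.split(r"(\*\*|\*)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts) + r"\Z")


def is_allowed(rules, service, method, path):
    """True if at least one rule admits this service/method/path triple."""
    return any(
        r["service"] == service and r["method"] == method
        and pattern_to_regex(r["path"]).match(path) is not None
        for r in rules
    )
```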

Manage Existing Credentials

Navigate to Identity → Application Credentials to view all credentials owned by the current user. Delete expired or unused credentials to reduce attack surface.
Rotate application credentials before their expiration date. Create the replacement credential first, update all consumers, then delete the old credential. This zero-downtime rotation pattern avoids pipeline interruptions.

Next Steps

Users

Manage user accounts that own application credentials.

Multi-Factor Authentication

Add TOTP-based two-factor authentication to user accounts.

Identity Admin Guide

Configure token policies and security hardening for your Identity deployment.

Troubleshooting

Resolve credential rejection and authentication failure issues.