A common problem when setting up a Nectar project is how to handle scripted tasks such as automated instance launching, snapshots and backups. These tasks need valid credentials in order to talk to the relevant OpenStack APIs, but embedding personal OpenStack credentials (your own username and password) into scripts raises security and other concerns: the secret is as powerful as you are, and it cannot be revoked without changing your own password.
In theory, one solution would be to set up an AAF Service identity; i.e. an identity whose password can be shared among the users of a Nectar project. This identity could then be used to set up a Nectar Service Account. The problem is that AAF strongly discourages the use of "group" access credentials. Nectar does not condone this approach either.
Nectar Robot Accounts used to be the preferred way to manage credentials for performing scripted API requests in the Nectar Research Cloud. However:
- Robot Accounts are cumbersome to use and require Nectar support staff to create and manage them manually.
- Robot Accounts do not support Object Storage write operations.
- Robot Accounts are now deprecated by Nectar. Existing Robot Accounts will be allowed to continue for the time being, but new ones will not be created. At some point, Robot Accounts will be disabled.
- If you have an existing Robot Account, you are encouraged to transition to Keystone Application Credentials as soon as practical; see below.
Starting with the OpenStack Queens release, the Keystone service supports Application Credentials. Users can use this facility to create their own OpenStack credentials for authorizing scripted tasks that access specific services. Each credential is bound to the project it was created in and carries only the roles the user chose to delegate to it; a credential can be created for a specific task and/or service, and can be revoked individually by the user who created it. Credentials can also be created to expire after a period, and are automatically invalidated if the owning user's access to the project is removed. This makes them (relatively) safe to embed into scripts, provided the secret is stored outside the script itself (for example in an environment variable or a clouds.yaml file with restrictive permissions).
Application Credentials are now the preferred way to authorize admin scripts in Nectar. For more information, see the Nectar support documentation for Application Credentials.