Application credentials allow users to generate their own OpenStack credentials suitable for applications to authenticate to the Identity service, without exposing their main credentials.

Application credentials can be revoked or rotated easily, with little or no application downtime, and can even be given an automatic expiry time.

To manage application credentials on the command line, you'll need recent versions of the python-openstackclient and python-keystoneclient packages and your main credentials loaded.

The simplest way to create an application credential is to pass just a name:

$ openstack application credential create mydemo
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| description  | None                                    |
| expires_at   | None                                    |
| id           | 0cfa2baa33f546b7bec27f1b7461a1c5        |
| name         | mydemo                                  |
| project_id   | 6d23beae28fc41958a2ba5d5d68eb87f        |
| roles        | Member                                  |
| secret       | ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ |
| unrestricted | False                                   |
+--------------+-----------------------------------------+

To use this new application credential to run OpenStack CLI commands, your environment needs the following variables:

OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
OS_AUTH_TYPE=v3applicationcredential
OS_APPLICATION_CREDENTIAL_ID=0cfa2baa33f546b7bec27f1b7461a1c5
OS_APPLICATION_CREDENTIAL_SECRET=ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ

It is recommended that you unset all other OS_* environment variables as these can cause problems.
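
One way to set up the environment described above, as an added example that is not part of the original page: a shell function that clears every existing OS_* variable and then exports the four variables listed. The function name `use_app_credential` and the idea of keeping the secret in an owner-only file are assumptions; the variable names, auth URL and auth type are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page). use_app_credential and the
# secret-file argument are hypothetical; OS_AUTH_URL and OS_AUTH_TYPE use
# the values listed on the page.

use_app_credential() {
    cred_id=$1
    secret_file=$2

    if [ -z "$cred_id" ] || [ ! -r "$secret_file" ]; then
        echo "usage: use_app_credential <credential-id> <secret-file>" >&2
        return 2
    fi

    # Refuse a secret file that group or other can access (expect mode 600/400).
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$secret_file" | cut -c5-10)" != "------" ]; then
        echo "refusing $secret_file: accessible by group/other (chmod 600)" >&2
        return 1
    fi

    # Drop every OS_* variable left over from the main credentials
    # (username, password, project, ...) so none conflicts with the new auth type.
    for var in $(env | sed -n 's/^\(OS_[A-Za-z0-9_]*\)=.*/\1/p'); do
        unset "$var"
    done

    export OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
    export OS_AUTH_TYPE=v3applicationcredential
    export OS_APPLICATION_CREDENTIAL_ID=$cred_id
    # Read the secret from the file so it never appears in shell history
    # or in another process's argument list.
    OS_APPLICATION_CREDENTIAL_SECRET=$(cat "$secret_file")
    export OS_APPLICATION_CREDENTIAL_SECRET
}
```

Source the file and call `use_app_credential <credential-id> <secret-file>` in the same shell that will run the `openstack` commands, since the function changes that shell's environment.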

For more details about application credentials, or for information about how to use application credentials in the python-keystoneclient API, see OpenStack's Application Credentials user guide.