openstack_identity_application_credential_v3
These instructions are a copy of the official OpenStack Terraform provider documentation in the Terraform Registry.
Manages a V3 Application Credential resource within OpenStack Keystone.
All arguments including the application credential name and secret will be stored in the raw state as plain-text. Read more about sensitive data in state.
An Application Credential is created within the authenticated user's project scope and is not visible to an admin or other accounts. The Application Credential visibility is similar to openstack_compute_keypair_v2.
Example Usage
Predefined secret
The application credential below will have only one swiftoperator role.
resource "openstack_identity_application_credential_v3" "swift" {
  name        = "swift"
  description = "Swift technical application credential"
  secret      = "supersecret"
  roles       = ["swiftoperator"]
  expires_at  = "2019-02-13T12:12:12Z"
}
Unrestricted with autogenerated secret and unlimited TTL
The application credential below will inherit all of the current user's roles.
By default, an application credential cannot be used to create or destroy other application credentials or trusts. Restrictions on these Identity operations are deliberately imposed as a safeguard to prevent a compromised application credential from regenerating itself. Disabling this restriction poses an inherent added risk.
resource "openstack_identity_application_credential_v3" "unrestricted" {
  name         = "unrestricted"
  description  = "Unrestricted application credential"
  unrestricted = true
}

output "application_credential_secret" {
  value     = openstack_identity_application_credential_v3.unrestricted.secret
  sensitive = true # redacts the secret in plan/apply output; it is still stored in state
}
Application credential with access rules
Application Credential access rules are supported only in Keystone starting from the Train release.
resource "openstack_identity_application_credential_v3" "monitoring" {
  name       = "monitoring"
  expires_at = "2019-02-13T12:12:12Z"

  access_rules {
    path    = "/v2.0/metrics"
    service = "monitoring"
    method  = "GET"
  }

  access_rules {
    path    = "/v2.0/metrics"
    service = "monitoring"
    method  = "PUT"
  }
}
Argument Reference
The following arguments are supported:
- region — (Optional) The region in which to obtain the V3 Keystone client. If omitted, the region argument of the provider is used. Changing this creates a new application credential.
- name — (Required) A name of the application credential. Changing this creates a new application credential.
- description — (Optional) A description of the application credential. Changing this creates a new application credential.
- unrestricted — (Optional) A flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts. Changing this creates a new application credential.
- secret — (Optional) The secret for the application credential. If omitted, it will be generated by the server. Changing this creates a new application credential.
- roles — (Optional) A collection of one or more role names, which this application credential has to be associated with its project. If omitted, all the current user's roles within the scoped project will be inherited by a new application credential. Changing this creates a new application credential.
- access_rules — (Optional) A collection of one or more access rules, which this application credential allows to follow. The structure is described below. Changing this creates a new application credential.
- expires_at — (Optional) The expiration time of the application credential in the RFC3339 timestamp format (e.g. 2019-03-09T12:58:49Z). If omitted, an application credential will never expire. Changing this creates a new application credential.
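The defaults in the list above (inherited roles, no expiry, no access rules) and the unrestricted flag are the settings worth reviewing before a credential is created. The following added Python example, which is not part of the provider documentation, audits a plan for them; it assumes the `planned_values.root_module` layout of `terraform show -json` output, and the function names, finding labels and sample plan are constructed for illustration.

```python
import json

RESOURCE_TYPE = "openstack_identity_application_credential_v3"

def _res(name, **values):
    """Build one constructed plan entry for the sample below."""
    return {"address": f"{RESOURCE_TYPE}.{name}", "type": RESOURCE_TYPE,
            "values": values}

# Constructed sample, modelled on the three example resources on this page.
# Arguments left out of the configuration are absent or null in the plan.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    _res("swift", roles=["swiftoperator"], expires_at="2019-02-13T12:12:12Z"),
    _res("unrestricted", unrestricted=True, expires_at=None),
    _res("monitoring", expires_at="2019-02-13T12:12:12Z",
         access_rules=[{"path": "/v2.0/metrics", "service": "monitoring",
                        "method": "GET"}]),
], "child_modules": []}}}

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def audit(plan):
    """Map each application credential address to its list of findings."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        values = res.get("values", {})
        issues = []
        if values.get("unrestricted"):
            issues.append("unrestricted")        # may create credentials/trusts
        if not values.get("expires_at"):
            issues.append("no-expiry")           # never expires
        if not values.get("roles"):
            issues.append("inherits-all-roles")  # all of the user's roles
        if not values.get("access_rules"):
            issues.append("no-access-rules")     # not limited to API paths
        if issues:
            findings[res["address"]] = issues
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PLAN), indent=2))
```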
The access_rules block supports:
- id — (Computed) The ID of the existing access rule. The access rule ID of another application credential can be provided.
- path — (Optional) The API path that the application credential is allowed to access. May use named wildcards such as {tag} or the unnamed wildcard * to match against any string in the path up to a /, or the recursive wildcard ** to include / in the matched path.
- service — (Optional) The service type identifier for the service that the application credential is granted to access. Must be a service type that is listed in the service catalog and not a code name for a service. E.g. identity, compute, volumev3, image, network, object-store, sharev2, dns, key-manager, monitoring, etc.
- method — (Optional) The request method that the application credential is permitted to use for a given API endpoint. Allowed values: POST, GET, HEAD, PATCH, PUT and DELETE.
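To check which requests a set of access rules would admit before applying it, the following added Python example (not part of the provider documentation and not Keystone's own matching code) implements the path wildcards as described above. The function names and the compute and object-store rules are constructed for illustration, and it assumes that * and {tag} match one or more characters other than /.

```python
import re

# Pattern tokens: {tag}, ** (recursive), * (single segment), or a literal char.
_TOKEN = re.compile(r"(?P<tag>\{[^}]*\})|(?P<recur>\*\*)|(?P<wild>\*)|(?P<lit>.)")

def path_regex(pattern):
    """Translate an access rule path into an anchored regular expression."""
    parts = []
    for m in _TOKEN.finditer(pattern):
        if m.group("recur"):
            parts.append(".*")        # ** may span '/' separators
        elif m.group("tag") or m.group("wild"):
            parts.append("[^/]+")     # {tag} and * stop at the next '/'
        else:
            parts.append(re.escape(m.group("lit")))
    return re.compile("".join(parts))

def is_allowed(rules, service, method, path):
    """True if any rule matches the service type, method and full path."""
    for rule in rules:
        if (rule["service"] == service
                and rule["method"] == method.upper()
                and path_regex(rule["path"]).fullmatch(path)):
            return True
    return False

RULES = [
    # The two rules from the monitoring example on this page.
    {"service": "monitoring", "method": "GET", "path": "/v2.0/metrics"},
    {"service": "monitoring", "method": "PUT", "path": "/v2.0/metrics"},
    # Constructed rules exercising each wildcard form.
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/{server_id}"},
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/*/ips"},
    {"service": "object-store", "method": "GET", "path": "/v1/**"},
]

if __name__ == "__main__":
    for svc, verb, url in [
        ("monitoring", "GET", "/v2.0/metrics"),
        ("monitoring", "DELETE", "/v2.0/metrics"),
        ("compute", "GET", "/v2.1/servers/abc123/ips/private"),
        ("object-store", "GET", "/v1/AUTH_demo/container/object"),
    ]:
        print(svc, verb, url, "->", is_allowed(RULES, svc, verb, url))
```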
Attributes Reference
The following attributes are exported:
- region — See Argument Reference above.
- name — See Argument Reference above.
- description — See Argument Reference above.
- unrestricted — See Argument Reference above.
- secret — See Argument Reference above.
- roles — See Argument Reference above.
- access_rules — See Argument Reference above.
- expires_at — See Argument Reference above.
- project_id — The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.
Import
Application Credentials can be imported using the id, e.g.
$ terraform import openstack_identity_application_credential_v3.application_credential_1 c17304b7-0953-4738-abb0-67005882b0a0