| title | excerpt | updated |
|---|---|---|
How to use service accounts to connect to OpenStack (EN) |
How to log in to OpenStack APIs or command lines with OVHcloud service accounts |
2023-11-27 |
To automate calls to protected APIs, you need to provide credentials to the code that handles them. With OVHcloud service accounts, it is possible to have a single ID per script for the use of the different APIs offered by OVHcloud products (OVHcloud API, OpenStack API, etc.).
This guide details how to use service accounts to connect to OpenStack APIs.
This allows you to:
- Integrate alerts from your infrastructure.
- Dynamically manage the scalability of your infrastructure.
- Automate the resolution of the most common incidents.
- An OVHcloud customer account.
- You know how to configure access policies via API.
- You know how to use the OpenStack API
- You have created a service account via API.
For example purposes in this guide, we will use the service account urn:v1:eu:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f to access the Public Cloud project urn:v1:eu:resource:publicCloudProject:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f.
You must change these values to match your own.
First of all, our service account must be able to access your OpenStack infrastructure. OVHcloud provides 11 levels of rights that can be used within OpenStack. They are described in the following table:
| OpenStack rights | Nova: compute_manage | Nova: compute_snapshot_manage | Nova: compute_read | Swift: objectstore_all | glance: image_manage | glance: image_read | glance: image_import | Cinder: volume_manage | Cinder: volume_snapshot_manage | Cinder: volume_read | Neutron: network_manage | Neutron: network_read | Neutron: network_secgroup_manage | Neutron: network_secgroup_read | AI Training: ai_training_all | AI Training: ai_training_read |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| publicCloudProject:openstack:administrator | x | x | x | x | x | x | x | x | x | x | x | x | x | x | ||
| publicCloudProject:openstack:backupOperator | x | x | x | x | x | x | ||||||||||
| publicCloudProject:openstack:computeOperator | x | x | x | x | x | x | x | |||||||||
| publicCloudProject:openstack:imageOperator | x | x | x | |||||||||||||
| publicCloudProject:openstack:infrastructureSupervisor | x | x | x | x | x | |||||||||||
| publicCloudProject:openstack:networkOperator | x | x | x | |||||||||||||
| publicCloudProject:openstack:networkSecurityOperator | x | x | ||||||||||||||
| publicCloudProject:openstack:objectstoreOperator | x | |||||||||||||||
| publicCloudProject:openstack:volumeOperator | x | x | x | |||||||||||||
| publicCloudProject:ai:aiTrainingOperator | x | x | ||||||||||||||
| publicCloudProject:ai:aiTrainingRead | x |
For our example, we would like to add the publicCloudProject:openstack:infrastructureSupervisor right, which can be used to retrieve information on our infrastructure. It can be useful for setting up monitoring scripts.
You can now add the following access policy:
{
"description": "Demo for service account guide with openstack",
"identities": [
"urn:v1:eu:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f"
],
"name": "Demo-service-account",
"permissions": {
"allow": [
{
"action": "publicCloudProject:openstack:infrastructureSupervisor"
}
]
},
"resources": [
{
"urn": "urn:v1:eu:resource:publicCloudProject:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"
}
]
}If you are using your OpenStack infrastructure with the command line, you will need to use the following environment variables:
export OS_AUTH_TYPE=v3oidcclientcredentials
export OS_PROTOCOL=openid
export OS_ACCESS_TOKEN_TYPE=id_token
export OS_OPENID_SCOPE="openid profile email publicCloudProject/all"
export OS_AUTH_URL=https://auth.cloud.ovh.net/v3If you are using OVHcloud services from EMEA, add the following variables:
export OS_IDENTITY_PROVIDER=ovhcloud-emea
export OS_DISCOVERY_ENDPOINT=https://iam.ovh.net/role-adapter/urn:v1:eu:resource:publicCloudProject:pci/.well-known/openid-configurationIf you are using OVHcloud services from the “Rest of the World” regions, add the following variables:
export OS_IDENTITY_PROVIDER=ovhcloud-world
export OS_DISCOVERY_ENDPOINT=https://iam.ovh.ca/role-adapter/urn:v1:ca:resource:publicCloudProject:pci/.well-known/openid-configurationThen add the following variables with the values corresponding to your configuration:
export OS_PROJECT_ID=0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
export OS_CLIENT_ID=0f0f0f0f0f0f0f0f
export OS_CLIENT_SECRET=xxxx
export OS_REGION_NAME=GRA1- OS_PROJECT_ID: your Public Cloud project ID.
- OS_CLIENT_ID: your service account ID.
- OS_CLIENT_SECRET: your service account secret.
- OS_REGION_NAME: the region affected by your script.
You can now use your command line to observe your virtual machines.
$ openstack server list
+--------------------------------------+---------------------+--------+-------------------------------------------------+-----------+--------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+---------------------+--------+-------------------------------------------------+-----------+--------+
| 0f0f0f0f-0f0f-0f0f-0f0f-0f0f0f0f0ff0 | name_vm | ACTIVE | Ext-Net=127.0.0.1, | Debian 12 | d2-2 |
+--------------------------------------+---------------------+--------+-------------------------------------------------+-----------+--------+However, you will not have access to Swift Object Storage services with this service account:
$ openstack container list
Forbidden (HTTP 403) (Request-ID: 0f0f0f0f0f0f0f0f0f0f0f0-000f0f0f0f)To connect using the Python SDK and OVHcloud access, you can use two techniques:
- Environment variables: As with the CLI, you can configure your access with environment variables. These are the same as those documented in the Use a service account with the Openstack command line (CLI) section above.
- A clouds.yaml configuration file: if you want to deploy your configuration with a clouds.yaml file as described in the official Openstack documentation, you must follow the following format:
clouds:
ovhcloud:
auth_type: 'v3oidcclientcredentials'
region_name: GRA
auth:
protocol: 'openid'
access_token_type: 'id_token'
openid_scope: 'openid profile email publicCloudProject/all'
auth_url: 'https://auth.cloud.ovh.net/v3'
identity_provider: 'ovhcloud-emea'
discovery_endpoint: 'https://iam.ovh.net/role-adapter/urn:v1:eu:resource:publicCloudProject:pci/.well-known/openid-configuration'
project_id: '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f'
client_id: '0f0f0f0f0f0f0f0f'
client_secret: 'xxxx'The previous example works for the EMEA region. If you are using OVHcloud services from the "Rest of the World" regions, edit the following lines with these values:
- identity_provider:
ovhcloud-world - discovery_endpoint:
https://iam.ovh.ca/role-adapter/urn:v1:ca:resource:publicCloudProject:pci/.well-known/openid-configuration
As a reminder, you must replace the variables in these examples with the values that match your configuration.
Then add the following variables with the values corresponding to your configuration:
- project_id: your Public Cloud project ID.
- client_id: your service account ID.
- client_secret: your service account secret.
- region_name: the region concerned by your script.
You can now use your Python code to access the services authorized by the access policy associated with your service account. Using the previous example, you can access the list of servers as follows:
$ virtualenv iam-openstack
$ pip install openstacksdk
$ cat clouds.yaml
clouds:
ovhcloud:
auth_type: 'v3oidcclientcredentials'
region_name: GRA1
auth:
protocol: 'openid'
access_token_type: 'id_token'
openid_scope: 'openid profile email publicCloudProject/all'
auth_url: 'https://auth.cloud.ovh.net/v3'
identity_provider: 'ovhcloud-emea'
discovery_endpoint: 'https://iam.ovh.net/role-adapter/urn:v1:eu:resource:publicCloudProject:pci/.well-known/openid-configuration'
project_id: '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f'
client_id: '0f0f0f0f0f0f0f0f'
client_secret: 'xxxx'
$ cat list-servers.py
import openstack
# Initialize connection
conn = openstack.connect(cloud='ovhcloud')
# List the servers
for server in conn.compute.servers():
print("ID: #", server.id)
print("Name: ", server.name)
$ python3 list-servers.py
ID: # 0f0f0f0f-0f0f-0f0f-0f0f-0f0f0f0f0ff0
Name: name-vmHowever, you will not have access to the Object Storage service containers:
$ virtualenv iam-openstack
$ pip install openstacksdk
$ cat clouds.yaml
clouds:
ovhcloud:
auth_type: 'v3oidcclientcredentials'
region_name: GRA
auth:
protocol: 'openid'
access_token_type: 'id_token'
openid_scope: 'openid profile email publicCloudProject/all'
auth_url: 'https://auth.cloud.ovh.net/v3'
identity_provider: 'ovhcloud-emea'
discovery_endpoint: 'https://iam.ovh.net/role-adapter/urn:v1:eu:resource:publicCloudProject:pci/.well-known/openid-configuration'
project_id: '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f'
client_id: '0f0f0f0f0f0f0f0f'
client_secret: 'xxxx'
$ cat list-containers.py
import openstack
# Initialize connection
conn = openstack.connect(cloud='ovhcloud')
# List the servers
for container in conn.object_store.containers():
print(container.toDict())
$ python3 list-containers.py
Traceback (most recent call last):
File "list-objects.py", line 10, in <module>
for container in conn.object_store.containers():
File "/Users/ovhcloud/Library/Python/3.7/lib/python/site-packages/openstack/resource.py", line 2077, in list
exceptions.raise_from_response(response)
File "/Users/ovhcloud/Library/Python/3.7/lib/python/site-packages/openstack/exceptions.py", line 268, in raise_from_response
request_id=request_id,
openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: https://storage.gra.cloud.ovh.net/v1/AUTH_0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f/, ForbiddenAccess was denied to this resource.Join our community of users on https://community.ovh.com/en/.