Learn how to use service accounts to connect to OpenStack APIs.
To automate calls to protected APIs, you need to provide credentials to the code that handles them. With OVHcloud service accounts, it is possible to have a single ID per script for the use of the different APIs offered by OVHcloud products (OVHcloud API, OpenStack API, etc.).
This allows you to:
- Integrate alerts from your infrastructure.
- Dynamically manage the scalability of your infrastructure.
- Automate the resolution of the most common incidents.
Requirements
- an OVHcloud customer account
- you know how to configure access policies via API
- you know how to use the OpenStack API
- you have created a service account via API
Instructions
For example purposes in this guide, we will use the service account urn:v1:us:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f to access the Public Cloud project urn:v1:us:resource:publicCloudProject:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f.
You must change these values to match your own.
Assign OpenStack access rights to your service account
First of all, our service account must be able to access your OpenStack infrastructure. OVHcloud provides 11 levels of rights that can be used within OpenStack. They are described in the following table:
OpenStack rights | Nova: compute_manage | Nova: compute_snapshot_manage | Nova: compute_read | Swift: objectstore_all | glance: image_manage | glance: image_read | glance: image_import | Cinder: volume_manage | Cinder: volume_snapshot_manage | Cinder: volume_read | Neutron: network_manage | Neutron: network_read | Neutron: network_secgroup_manage | Neutron: network_secgroup_read | AI Training: ai_training_all | AI Training: ai_training_read |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
publicCloudProject:openstack:administrator | x | x | x | x | x | x | x | x | x | x | x | x | x | x | ||
publicCloudProject:openstack:backupOperator | x | x | x | x | x | x | ||||||||||
publicCloudProject:openstack:computeOperator | x | x | x | x | x | x | x | |||||||||
publicCloudProject:openstack:imageOperator | x | x | x | |||||||||||||
publicCloudProject:openstack:infrastructureSupervisor | x | x | x | x | x | |||||||||||
publicCloudProject:openstack:networkOperator | x | x | x | |||||||||||||
publicCloudProject:openstack:networkSecurityOperator | x | x | ||||||||||||||
publicCloudProject:openstack:objectstoreOperator | x | |||||||||||||||
publicCloudProject:openstack:volumeOperator | x | x | x | |||||||||||||
publicCloudProject:ai:aiTrainingOperator | x | x | ||||||||||||||
publicCloudProject:ai:aiTrainingRead | x |
For this guide, we will use the publicCloudProject:openstack:infrastructureSupervisor right, which can be used to retrieve information on our infrastructure. It can be useful for setting up monitoring scripts. You can now add the following access policy:
```json
{
  "description": "Demo for service account guide with openstack",
  "identities": [
    "urn:v1:us:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f"
  ],
  "name": "Demo-service-account",
  "permissions": {
    "allow": [
      { "action": "publicCloudProject:openstack:infrastructureSupervisor" }
    ]
  },
  "resources": [
    { "urn": "urn:v1:us:resource:publicCloudProject:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f" }
  ]
}
```
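Before submitting a policy like the one above, it is worth checking it for least-privilege mistakes (a wildcard action, a user identity instead of a service-account credential, a resource broader than one project, or the administrator role where a narrower operator role would do). The following lint is an added example written for this guide, not OVHcloud's code or API; the list of actions comes from the rights table above, the URN shapes are inferred from the guide's example identifiers, and the split between read-only and write-capable actions is this example's own assumption.

```python
"""Least-privilege lint for an OVHcloud IAM access policy (added example, not
OVHcloud's code). Run it on the policy JSON before submitting it via the API."""
import json
import re

# The 11 OpenStack / AI Training actions listed in this guide's rights table.
KNOWN_ACTIONS = {
    "publicCloudProject:openstack:administrator",
    "publicCloudProject:openstack:backupOperator",
    "publicCloudProject:openstack:computeOperator",
    "publicCloudProject:openstack:imageOperator",
    "publicCloudProject:openstack:infrastructureSupervisor",
    "publicCloudProject:openstack:networkOperator",
    "publicCloudProject:openstack:networkSecurityOperator",
    "publicCloudProject:openstack:objectstoreOperator",
    "publicCloudProject:openstack:volumeOperator",
    "publicCloudProject:ai:aiTrainingOperator",
    "publicCloudProject:ai:aiTrainingRead",
}
# Assumption of this example: infrastructureSupervisor (which the guide uses to
# retrieve information) and aiTrainingRead only read; every other action is
# treated as write-capable.
READ_ONLY_ACTIONS = {
    "publicCloudProject:openstack:infrastructureSupervisor",
    "publicCloudProject:ai:aiTrainingRead",
}
# URN shapes inferred from the guide's example identifiers (assumed format).
CREDENTIAL_URN = re.compile(
    r"^urn:v1:[a-z]{2}:identity:credential:[A-Za-z0-9-]+/oauth2-[0-9a-f]+$")
PROJECT_URN = re.compile(
    r"^urn:v1:[a-z]{2}:resource:publicCloudProject:[0-9a-f]+$")

# The access policy used in this guide.
DEMO_POLICY_JSON = """
{
  "description": "Demo for service account guide with openstack",
  "identities": ["urn:v1:us:identity:credential:xx11111-ovh/oauth2-0f0f0f0f0f0f0f0f"],
  "name": "Demo-service-account",
  "permissions": {"allow": [{"action": "publicCloudProject:openstack:infrastructureSupervisor"}]},
  "resources": [{"urn": "urn:v1:us:resource:publicCloudProject:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"}]
}
"""
DEMO_POLICY = json.loads(DEMO_POLICY_JSON)


def lint_policy(policy, read_only=False):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    for key in ("name", "identities", "permissions", "resources"):
        if key not in policy:
            findings.append("missing required field '%s'" % key)

    identities = policy.get("identities") or []
    if not identities:
        findings.append("policy binds no identity")
    for urn in identities:
        if not CREDENTIAL_URN.match(str(urn)):
            findings.append("identity is not a service-account credential URN: %r" % (urn,))

    resources = policy.get("resources") or []
    if not resources:
        findings.append("policy is scoped to no resource")
    for res in resources:
        urn = res.get("urn", "") if isinstance(res, dict) else ""
        if not PROJECT_URN.match(str(urn)):
            findings.append("resource is not a single Public Cloud project URN: %r" % (urn,))

    allow = (policy.get("permissions") or {}).get("allow") or []
    if not allow:
        findings.append("policy allows no action")
    for entry in allow:
        action = entry.get("action", "") if isinstance(entry, dict) else ""
        if action not in KNOWN_ACTIONS:
            findings.append("unknown or wildcard action: %r" % (action,))
        elif action == "publicCloudProject:openstack:administrator":
            findings.append("administrator grants every OpenStack right; prefer a narrower operator role")
        elif read_only and action not in READ_ONLY_ACTIONS:
            findings.append("%s grants write access but the account is meant to be read-only" % action)
    return findings


def with_actions(policy, *actions):
    """Copy of the policy allowing exactly the given actions (for what-if checks)."""
    variant = dict(policy)
    variant["permissions"] = {"allow": [{"action": a} for a in actions]}
    return variant


if __name__ == "__main__":
    for finding in lint_policy(DEMO_POLICY, read_only=True) or ["no findings"]:
        print(finding)
```

Pass read_only=True for accounts that only monitor, as in this guide; the lint then also flags any operator role that can modify resources.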
Using a service account with the OpenStack command line (CLI)
If you are using your OpenStack infrastructure with the command line, you will need to use the following environment variables:
```bash
export OS_AUTH_TYPE=v3oidcclientcredentials
export OS_PROTOCOL=openid
export OS_ACCESS_TOKEN_TYPE=id_token
export OS_OPENID_SCOPE="openid profile email publicCloudProject/all"
export OS_AUTH_URL=https://auth.cloud.ovh.us/v3
```
If you are using OVHcloud services from EMEA, add the following variables:
```bash
export OS_IDENTITY_PROVIDER=ovhcloud-emea
export OS_DISCOVERY_ENDPOINT=https://iam.ovh.us/role-adapter/urn:v1:us:resource:publicCloudProject:pci/.well-known/openid-configuration
```
If you are using OVHcloud services from the “Rest of the World” regions, add the following variables:
```bash
export OS_IDENTITY_PROVIDER=ovhcloud-us
export OS_DISCOVERY_ENDPOINT=https://iam.ovh.us/role-adapter/urn:v1:us:resource:publicCloudProject:pci/.well-known/openid-configuration
```
Then add the following variables with the values corresponding to your configuration:
```bash
export OS_PROJECT_ID=0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
export OS_CLIENT_ID=0f0f0f0f0f0f0f0f
export OS_CLIENT_SECRET=xxxx
export OS_REGION_NAME=US-EAST-VA-1 # or US-WEST-OR-1
```
- OS_PROJECT_ID: your Public Cloud project ID.
- OS_CLIENT_ID: your service account ID.
- OS_CLIENT_SECRET: your service account secret.
- OS_REGION_NAME: the region affected by your script.
You can now use your command line to observe your virtual machines.
```console
$ openstack server list
+--------------------------------------+---------------------+--------+-------------------------------------------------+-----------+--------+
| ID                                   | Name                | Status | Networks                                        | Image     | Flavor |
+--------------------------------------+---------------------+--------+-------------------------------------------------+-----------+--------+
| 0f0f0f0f-0f0f-0f0f-0f0f-0f0f0f0f0ff0 | name_vm             | ACTIVE | Ext-Net=127.0.0.1,                              | Debian 12 | d2-2   |
+--------------------------------------+---------------------+--------+-------------------------------------------------+-----------+--------+
```
However, you will not have access to Swift Object Storage services with this service account:
```console
$ openstack container list
Forbidden (HTTP 403) (Request-ID: 0f0f0f0f0f0f0f0f0f0f0f0-000f0f0f0f)
```
Using the service account with the Python SDK
To connect with the Python SDK using OVHcloud access, you can use one of two techniques:
- Environment variables: as with the CLI, you can configure your access with environment variables. These are the same as those documented in the "Using a service account with the OpenStack command line (CLI)" section above.
- A clouds.yaml configuration file: if you want to deploy your configuration with a clouds.yaml file as described in the official OpenStack documentation, use the following format:
```yaml
clouds:
  ovhcloud:
    auth_type: 'v3oidcclientcredentials'
    region_name: US-EAST-VA-1 # or US-WEST-OR-1
    auth:
      protocol: 'openid'
      access_token_type: 'id_token'
      openid_scope: 'openid profile email publicCloudProject/all'
      auth_url: 'https://auth.cloud.ovh.us/v3'
      identity_provider: 'ovhcloud-emea'
      discovery_endpoint: 'https://iam.ovh.us/role-adapter/urn:v1:us:resource:publicCloudProject:pci/.well-known/openid-configuration'
      project_id: '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f'
      client_id: '0f0f0f0f0f0f0f0f'
      client_secret: 'xxxx'
```
The previous example works for the EMEA region. If you are using OVHcloud services from the "Rest of the World" regions, edit the following lines with these values:
- identity_provider: ovhcloud-us
- discovery_endpoint: https://iam.ovh.ca/role-adapter/urn:v1:us:resource:publicCloudProject:pci/.well-known/openid-configuration
As a reminder, you must replace the variables in these examples with the values that match your configuration.
Then set the following keys to the values corresponding to your configuration:
- project_id: your Public Cloud project ID.
- client_id: your service account ID.
- client_secret: your service account secret.
- region_name: the region concerned by your script.
You can now use your Python code to access the services authorized by the access policy associated with your service account. Using the previous example, you can access the list of servers as follows:
```console
$ virtualenv iam-openstack
$ pip install openstacksdk
$ cat clouds.yaml
clouds:
  ovhcloud:
    auth_type: 'v3oidcclientcredentials'
    region_name: US-EAST-VA-1 # or US-WEST-OR-1
    auth:
      protocol: 'openid'
      access_token_type: 'id_token'
      openid_scope: 'openid profile email publicCloudProject/all'
      auth_url: 'https://auth.cloud.ovh.us/v3'
      identity_provider: 'ovhcloud-emea'
      discovery_endpoint: 'https://iam.ovh.us/role-adapter/urn:v1:us:resource:publicCloudProject:pci/.well-known/openid-configuration'
      project_id: '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f'
      client_id: '0f0f0f0f0f0f0f0f'
      client_secret: 'xxxx'
$ cat list-servers.py
import openstack

# Initialize the connection using the 'ovhcloud' entry of clouds.yaml
conn = openstack.connect(cloud='ovhcloud')

# List the servers (allowed by the infrastructureSupervisor right)
for server in conn.compute.servers():
    print("ID: #", server.id)
    print("Name: ", server.name)
$ python3 list-servers.py
ID: # 0f0f0f0f-0f0f-0f0f-0f0f-0f0f0f0f0ff0
Name:  name-vm
```
However, you will not have access to the Object Storage service containers:
```console
$ virtualenv iam-openstack
$ pip install openstacksdk
$ cat clouds.yaml
clouds:
  ovhcloud:
    auth_type: 'v3oidcclientcredentials'
    region_name: US-EAST-VA-1 # or US-WEST-OR-1
    auth:
      protocol: 'openid'
      access_token_type: 'id_token'
      openid_scope: 'openid profile email publicCloudProject/all'
      auth_url: 'https://auth.cloud.ovh.us/v3'
      identity_provider: 'ovhcloud-emea'
      discovery_endpoint: 'https://iam.ovh.us/role-adapter/urn:v1:us:resource:publicCloudProject:pci/.well-known/openid-configuration'
      project_id: '0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f'
      client_id: '0f0f0f0f0f0f0f0f'
      client_secret: 'xxxx'
$ cat list-containers.py
import openstack

# Initialize the connection using the 'ovhcloud' entry of clouds.yaml
conn = openstack.connect(cloud='ovhcloud')

# List the Object Storage containers (not covered by the infrastructureSupervisor right)
for container in conn.object_store.containers():
    print(container.to_dict())
$ python3 list-containers.py
Traceback (most recent call last):
  File "list-objects.py", line 10, in <module>
    for container in conn.object_store.containers():
  File "/Users/ovhcloud/Library/Python/3.7/lib/python/site-packages/openstack/resource.py", line 2077, in list
    exceptions.raise_from_response(response)
  File "/Users/ovhcloud/Library/Python/3.7/lib/python/site-packages/openstack/exceptions.py", line 268, in raise_from_response
    request_id=request_id,
openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: https://storage.<REGION_NAME>.cloud.ovh.us/v1/AUTH_0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f/, Forbidden
Access was denied to this resource.
# REGION_NAME will be "us-east-va" or "us-west-or"
```
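A monitoring script running under a deliberately narrow right like infrastructureSupervisor should expect the 403 shown above from the services its policy does not cover, report it, and keep going rather than abort. The probe below is an added example, not OVHcloud's code: it reuses the cloud name ovhcloud from the clouds.yaml in this guide and the same conn.compute.servers() and conn.object_store.containers() calls, catches openstacksdk's ForbiddenException separately from other errors, and ships a constructed StubConnection (an assumption of this example, standing in for openstack.connect()) that reproduces the guide's behaviour so the logic can be exercised without credentials.

```python
"""Monitoring probe for a read-only OpenStack service account (added example,
not OVHcloud's code). Reports a 403 from a service the access policy does not
cover instead of crashing on it."""
from types import SimpleNamespace

try:
    import openstack
    from openstack.exceptions import ForbiddenException
except ImportError:
    # openstacksdk not installed: keep the probe importable; only the
    # constructed StubConnection below can then be used.
    openstack = None

    class ForbiddenException(Exception):
        pass

FORBIDDEN = "forbidden: right not granted by the access policy"


def probe(conn):
    """Run one read call per service and return {service: status}."""
    checks = {
        # infrastructureSupervisor lets the account list servers, so this should succeed
        "compute": lambda: [s.name for s in conn.compute.servers()],
        # Swift is not covered by infrastructureSupervisor, so a 403 is expected here
        "object_store": lambda: [c.name for c in conn.object_store.containers()],
    }
    report = {}
    for service, call in checks.items():
        try:
            report[service] = "ok: %d item(s)" % len(call())
        except ForbiddenException:
            # Expected for services outside the policy: record it, do not abort
            report[service] = FORBIDDEN
        except Exception as exc:  # anything else (network, auth) is a real failure
            report[service] = "error: %s" % type(exc).__name__
    return report


class StubConnection:
    """Constructed stand-in for openstack.connect() that mimics the behaviour
    shown in this guide: servers are listed, containers return 403."""

    def __init__(self, server_names, object_store_allowed=False):
        self._servers = [SimpleNamespace(name=n) for n in server_names]
        self._object_store_allowed = object_store_allowed
        self.compute = SimpleNamespace(servers=self._list_servers)
        self.object_store = SimpleNamespace(containers=self._list_containers)

    def _list_servers(self):
        return list(self._servers)

    def _list_containers(self):
        if not self._object_store_allowed:
            raise ForbiddenException("403: Client Error")
        return []


if __name__ == "__main__":
    # Real connection when openstacksdk and clouds.yaml are available, stub otherwise
    conn = openstack.connect(cloud="ovhcloud") if openstack else StubConnection(["name_vm"])
    for service, status in probe(conn).items():
        print(service + ": " + status)
```

If the object_store entry ever flips from the forbidden status to ok while the policy is unchanged, that is itself worth alerting on: the account has acquired a right it was not meant to have.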
Go further
For more information and tutorials, please see our other IAM or Manage and Operate guides, or explore the guides for other OVHcloud products and services.