Programmatic Access and Automation: Difference between revisions

From bwCloud-OS
Jump to navigation Jump to search
← Older edit
VisualWikitext
No edit summary
 
(84 intermediate revisions by the same user not shown)
Line 1: Line 1:
<span id="In-a-Nutshell"></span>
<span id="In-a-Nutshell"></span>
{{InANutshell|
{{InANutshell|
<li>'''Application Credentials''' enable secure, password-free access to bwCloud-OS — ideal for CLI usage and automation. </li>
<li>'''Application Credentials''' enable secure, token-based access to bwCloud-OS — ideal for CLI usage and automation. </li>
<li>You can use these credentials with the '''OpenStack client'''  to manage your cloud resources from the command line.</li>
<li>You can use these credentials with the '''OpenStack CLI'''  to manage cloud resources from the command line.</li>
<li>You can also use the credentials with the '''OpenStack Python SDK''' to manage cloud resources programmatically from within Python scripts or applications.</li>
<li>'''Automation tools''' like '''Ansible''' or '''Terraform''' can be used for efficient deployment and configuration of instances.</li>
<li>'''Automation tools''' like '''Ansible''' or '''Terraform''' can be used for efficient deployment and configuration of instances.</li>
}}
}}
Line 14: Line 15:
<span id="Application-Credential"></span>
<span id="Application-Credential"></span>


'''Application Credentials''' (also called tokens) allow access to your OpenStack project in an automated or script-based way — without requiring a password. To create one, you must have the necessary '''member privileges''' in the target project.
'''Application Credentials''' (also called '''tokens''') allow access to your OpenStack project in an automated or script-based way — without requiring a password. To create one, you must have the necessary '''member privileges''' in the target project.


=== Steps to Create an Application Credential ===
=== Steps to Create an Application Credential ===


# '''Log in''' to the '''[https://bw-cloud.org/q/d Dashboard]''' and select the correct '''region'''.
# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard]''' and select the correct '''region'''.
# Go to '''Identity → Application Credentials''' and Click '''Create Application Credential'''.
# Go to '''Identity → Application Credentials''' and click '''Create Application Credential'''.
# In the form that opens, fill out:
# In the form that opens, fill out:
#* '''Name''' – a meaningful name for the credential.
#* '''Name''' – a descriptive name for the credential.
#* '''Secret''' – choose a secure secret (password-like).
#* '''Secret''' – choose a secure secret (password-like).
#* '''Expiration''' – set an (optional) expiration date.
#* '''Expiration''' – set an (optional) expiration date.
# At the bottom of the form, Click '''Create Application Credential'''.
# At the bottom of the form, click '''Create Application Credential'''.
# Download the '''OpenRC file''' and save it, e.g., as <code>my_token.sh</code>.
# Download the '''''OpenRC''''' file and save it, for example as <code>my_token.sh</code>. Alternatively, you can download the file <code>'''''clouds.yaml'''''</code>.
''Make sure to protect your secret''  ''— store it securely and do not share it.'' <br>
''Make sure to protect your secret''  ''— store it securely and do not share it.''  


=== Optional: Ask for the Secret at Runtime ===
<br>📌 '''Note:''' The login-based method (via the top-right menu in the '''[https://portal.bw-cloud.org/ Dashboard]''') requires a password, which is not enabled by default in bwCloud-OS.
For added security, you can modify your <code>my_token.sh</code> file so that the secret is not stored in plain text. Replace the line:


<code> export OS_APPLICATION_CREDENTIAL_SECRET=******************** </code>
=== Using the ''OpenRC'' file (Recommended for CLI Usage) ===
 
with:<pre>echo "Passphrase: "
read -sr os_credential_secret_input
export OS_APPLICATION_CREDENTIAL_SECRET="$os_credential_secret_input"</pre>This way, you will be prompted for the secret each time you use the credential file.
 
=== Test Your Application Credential ===
Source your credential file ''my_token.sh:''  
Source your credential file ''my_token.sh:''  


<pre>source my_token.sh</pre>
<pre>source my_token.sh</pre>


Run the following command. You should see your credential ID.
The following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>openstack configuration show</pre>
<!--
To test the configuration, run the following command. You should see your credential ID.


<pre>curl \
<pre>curl \
Line 51: Line 48:
| jq .token.application_credential</pre>
| jq .token.application_credential</pre>


If <code>curl</code> or <code>jq</code> are not installed, you can install them using your system’s package manager (e.g., <code>apt</code>, <code>dnf</code>, <code>brew</code>, etc.).
If <code>curl</code> or <code>jq</code> are not installed, you can install them using your system’s package manager (<code>apt</code>, <code>dnf</code>, <code>brew</code>, etc.).
-->
==== Optional: Ask for the Secret at Runtime ====
For added security, you can modify your <code>my_token.sh</code> file so that the secret is not stored in plain text within the file. Replace the line:
 
<code> export OS_APPLICATION_CREDENTIAL_SECRET=******************** </code>
 
with:<pre>echo "Passphrase: "
read -sr os_credential_secret_input
export OS_APPLICATION_CREDENTIAL_SECRET="$os_credential_secret_input"</pre>This way, you will be prompted for the secret each time you use the credential file.
 
=== Using the ''clouds.yaml'' file (Recommended for Automation) ===
A <code>'''''clouds.yaml'''''</code> file provides a convenient way to configure access to OpenStack without exporting many environment variables.
==== Example ''clouds.yaml'' ====
 
<pre>
clouds:
  openstack:
    auth:
      auth_url: https://your-auth-url:5000
      application_credential_id: "YOUR_ID"
      application_credential_secret: "YOUR_SECRET"
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
</pre>
 
==== Loading and Testing the Configuration ====
If this is your only cloud, you can place the file at one of the default locations:
 
* <code>~/.config/openstack/clouds.yaml</code>
* <code>/etc/openstack/clouds.yaml</code>
 
OpenStack CLI tools will automatically detect the file there.
 
If your file is stored in a custom location, you can specify it explicitly:
 
<code>export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml</code>
 
 
 
In multi-cloud setups, you can define multiple entries and select one by specifying the cloud name, e.g.:
 
<code>export OS_CLOUD=openstack</code>
 
 
Once the above configuration is set, the following command (see [[Programmatic Access and Automation#OpenStack-CLI|OpenStack CLI]]) will display the active cloud configuration, including the application credentials:
<pre>
openstack configuration show
</pre>


= OpenStack Client =
= OpenStack CLI =
<span id="OpenStack-CLI"></span>


== How can I connect to the bwCloud-OS using the OpenStack CLI? ==
== How can I connect to the bwCloud-OS using the OpenStack CLI? ==
<span id="OpenStack-CLI"></span>
<span id="OpenStack-CLI"></span>


To manage your resources from the command line, you can use the '''Python OpenStack Client (<code>openstack</code> CLI tool)'''.
To manage your resources from the command line, you can use the '''OpenStack Client''' (<code>openstack</code> command-line tool, implemented in Python).
 
Installation of the client depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide [[Guide: OpenStack CLI – Basic Usage|OpenStack CLI]]):
<pre>
sudo apt install python3-openstackclient
</pre>
 
=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].
 
<!--
==== Method 2: Using Username and Password (Login-based – not default in bwCloud-OS) ====
This method only works if password-based authentication is enabled for your account.


There are two supported authentication methods:
# '''Log in''' to the '''[https://portal.bw-cloud.org/ Dashboard]'''.
# In the top-right corner, click '''"OpenStack RC File"'''.
# '''Download and save''' the file, for example as <code>my_creds.sh</code>.
-->=== Testing the Connection ===


=== Method 1: Using Application Credentials (Token-based – Recommended) ===
Run the following commands in a terminal:
This is the preferred method, especially for scripting and automation.


# '''Log in''' to the '''[https://bw-cloud.org/q/d Dashboard]'''.
<pre>
# '''Create an Application Credential''' (see [[Automation and Tools#Application-Credential|this guide]] for instructions).
source ./my_token.sh
# '''Download and save''' the generated file, e.g. as <code>my_creds.sh</code>.
openstack token issue
</pre>


=== Method 2: Using Username and Password (Login-based) ===
This will issue a new authentication token, confirming that your configuration works correctly.
Use this method only if you cannot use tokens.


# '''Log in''' to the '''[https://bw-cloud.org/q/d Dashboard]'''.
== How can I perform basic operations with the OpenStack CLI? ==
# In the top-right corner, click '''"OpenStack RC File"'''.
<span id="CLI-COMMANDS"></span>
# '''Download and save''' the file, e.g. as <code>my_creds.sh</code>.
 
For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack CLI – Basic Usage]].
 
= OpenStack Python SDK =
<span id="OpenStack-SDK"></span>
 
== How can I connect to the bwCloud-OS using the OpenStack Python SDK? ==
<span id="OpenStack-SDK></span>
 
To manage your resources from within Python scripts, you can use the '''OpenStack Python SDK'''.  
 
Installation depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide [[Guide: OpenStack Python SDK – Basic Usage|OpenStack Python SDK]]):
<pre>
sudo apt install python3-openstacksdk
</pre>
 
=== Authentication Methods ===
See the section [[Programmatic Access and Automation#How can I create an application credential?|Create an application credential]].
 
For this purpose, we recommend  using the <code>clouds.yaml</code> file.


=== Testing the Connection ===
=== Testing the Connection ===


Run the following commands in a terminal:<pre>
Start a Python shell and run:
source ./my_creds.sh
 
openstack server list
<pre>
import openstack
conn = openstack.connect(cloud="openstack")
conn.authorize()
token = conn.session.get_token()
print("Token:", token)
</pre>
</pre>


This will display a list of your currently active instances in the selected project.
This will issue a new authentication token, confirming that your configuration works correctly.
 
== How can I perform basic operations with the OpenStack SDK? ==
<span id="SDK-ROUTINES"></span>
 
For common tasks such as managing instances, volumes, and networks, see:
[[Guide: OpenStack Python SDK – Basic Usage]].


= Auto-Deployment =
= Auto-Deployment =
Line 99: Line 192:
<span id="Ansible-Template"></span>
<span id="Ansible-Template"></span>


Yes. You can use this [https://github.com/bwCloud/ansible-template Ansible-template] for an easier start.
Yes. You can use this [https://github.com/bwCloud/ansible-template Ansible template] to get started more easily.

Latest revision as of 10:06, 27 April 2026

In a Nutshell
  • Application Credentials enable secure, token-based access to bwCloud-OS — ideal for CLI usage and automation.
  • You can use these credentials with the OpenStack CLI to manage cloud resources from the command line.
  • You can also use the credentials with the OpenStack Python SDK to manage cloud resources programmatically from within Python scripts or applications.
  • Automation tools like Ansible or Terraform can be used for efficient deployment and configuration of instances.


Application Credentials

How can I create an application credential?

Application Credentials (also called tokens) allow access to your OpenStack project in an automated or script-based way — without requiring a password. To create one, you must have the necessary member privileges in the target project.

Steps to Create an Application Credential

  1. Log in to the Dashboard and select the correct region.
  2. Go to Identity → Application Credentials and click Create Application Credential.
  3. In the form that opens, fill out:
    • Name – a descriptive name for the credential.
    • Secret – choose a secure secret (password-like).
    • Expiration – set an (optional) expiration date.
  4. At the bottom of the form, click Create Application Credential.
  5. Download the OpenRC file and save it, for example as my_token.sh. Alternatively, you can download the file clouds.yaml.

Make sure to protect your secret — store it securely and do not share it.


📌 Note: The login-based method (via the top-right menu in the Dashboard) requires a password, which is not enabled by default in bwCloud-OS.

Using the OpenRC file (Recommended for CLI Usage)

Source your credential file my_token.sh: 

source my_token.sh

The following command (see OpenStack CLI) will display the active cloud configuration, including the application credentials: 

openstack configuration show

Optional: Ask for the Secret at Runtime

For added security, you can modify your my_token.sh file so that the secret is not stored in plain text within the file. Replace the line:

export OS_APPLICATION_CREDENTIAL_SECRET=********************

with:

echo "Passphrase: "
read -sr os_credential_secret_input
export OS_APPLICATION_CREDENTIAL_SECRET="$os_credential_secret_input"

This way, you will be prompted for the secret each time you use the credential file.

Using the clouds.yaml file (Recommended for Automation)

A clouds.yaml file provides a convenient way to configure access to OpenStack without exporting many environment variables.

Example clouds.yaml

clouds:
  openstack:
    auth:
      auth_url: https://your-auth-url:5000
      application_credential_id: "YOUR_ID"
      application_credential_secret: "YOUR_SECRET"
    region_name: "RegionOne"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"

Loading and Testing the Configuration

If this is your only cloud, you can place the file at one of the default locations:

  • ~/.config/openstack/clouds.yaml
  • /etc/openstack/clouds.yaml

OpenStack CLI tools will automatically detect the file there.

If your file is stored in a custom location, you can specify it explicitly:

export OS_CLIENT_CONFIG_FILE=/path/to/clouds.yaml


In multi-cloud setups, you can define multiple entries and select one by specifying the cloud name, e.g.:

export OS_CLOUD=openstack


Once the above configuration is set, the following command (see OpenStack CLI) will display the active cloud configuration, including the application credentials: 

openstack configuration show

OpenStack CLI

How can I connect to the bwCloud-OS using the OpenStack CLI?

To manage your resources from the command line, you can use the OpenStack Client (openstack command-line tool, implemented in Python).

Installation of the client depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide OpenStack CLI): 

sudo apt install python3-openstackclient

Authentication Methods

See the section Create an application credential.

Testing the Connection

Run the following commands in a terminal: 

source ./my_token.sh
openstack token issue

This will issue a new authentication token, confirming that your configuration works correctly.

How can I perform basic operations with the OpenStack CLI?

For common tasks such as managing instances, volumes, and networks, see: Guide: OpenStack CLI – Basic Usage.

OpenStack Python SDK

How can I connect to the bwCloud-OS using the OpenStack Python SDK?

To manage your resources from within Python scripts, you can use the OpenStack Python SDK.

Installation depends on your operating system, e.g. for Ubuntu (for other installation methods, see the guide OpenStack Python SDK): 

sudo apt install python3-openstacksdk

Authentication Methods

See the section Create an application credential.

For this purpose, we recommend using the clouds.yaml file.

Testing the Connection

Start a Python shell and run: 

import openstack
conn = openstack.connect(cloud="openstack")
conn.authorize()
token = conn.session.get_token()
print("Token:", token)

This will issue a new authentication token, confirming that your configuration works correctly.

How can I perform basic operations with the OpenStack SDK?

For common tasks such as managing instances, volumes, and networks, see: Guide: OpenStack Python SDK – Basic Usage.

Auto-Deployment

The following tools are commonly used for (semi-)automated provisioning of resources.

Method Usage
Terraform This tool can be used to create an instance or a defined infrastructure.
Ansible Create roles or tasks for all customizations that you make in an instance.

Does bwCloud-OS provide templates for automated deployment of OpenStack instances?

Yes. You can use this Ansible template to get started more easily.

Retrieved from "https://wiki.bwcloud-os.de/index.php?title=Programmatic_Access_and_Automation&oldid=2213"