application_credential – Manage OpenStack Identity (Keystone) application credentials
Synopsis
Create or delete an OpenStack Identity (Keystone) application credential.
When the secret parameter is not set a secret will be generated and returned
in the response. Existing credentials cannot be modified so running this module
against an existing credential will result in it being deleted and recreated.
This needs to be taken into account when the secret is generated, as the secret
will change on each run of the module.
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.6
openstacksdk >= 1.0.0
Parameters
- name (True, str, None)
Name of the application credential.
- description (optional, str, None)
Application credential description.
- secret (optional, str, None)
Secret to use for authentication
(if not provided, one will be generated).
- roles (optional, list, None)
Roles to authorize (name or ID).
- name (optional, str, None)
Name of role
- id (optional, str, None)
ID of role
- domain_id (optional, str, None)
Domain ID
- expires_at (optional, str, None)
Sets an expiration date for the application credential,
format of YYYY-mm-ddTHH:MM:SS
(if not provided, the application credential will not expire).
- unrestricted (optional, bool, False)
Enable application credential to create and delete other application
credentials and trusts (this is potentially dangerous behavior and is
disabled by default).
- access_rules (optional, list, None)
List of access rules, each containing a request method, path, and service.
- service (True, str, None)
Name of service endpoint
- path (True, str, None)
Path portion of access URL
- method (True, str, None)
HTTP method
- state (optional, str, present)
Should the resource be present or absent.
Application credentials are immutable so running with an existing present
credential will result in the credential being deleted and recreated.
- cloud (optional, raw, None)
Named cloud or cloud config to operate against. If cloud is a string, it references a named cloud config as defined in an OpenStack clouds.yaml file. Provides default values for auth and auth_type. This parameter is not needed if auth is provided or if OpenStack OS_* environment variables are present. If cloud is a dict, it contains a complete cloud configuration like would be in a section of clouds.yaml.
- auth (optional, dict, None)
Dictionary containing auth information as needed by the cloud’s auth plugin strategy. For the default password plugin, this would contain auth_url, username, password, project_name and any information about domains (for example, user_domain_name or project_domain_name) if the cloud supports them. For other plugins, this param will need to contain whatever parameters that auth plugin requires. This parameter is not needed if a named cloud is provided or OpenStack OS_* environment variables are present.
- auth_type (optional, str, None)
Name of the auth plugin to use. If the cloud uses something other than password authentication, the name of the plugin should be indicated here and the contents of the auth parameter should be updated accordingly.
- region_name (optional, str, None)
Name of the region.
- wait (optional, bool, True)
Should ansible wait until the requested resource is complete.
- timeout (optional, int, 180)
How long should ansible wait for the requested resource.
- api_timeout (optional, int, None)
How long should the socket layer wait before timing out for API calls. If this is omitted, nothing will be passed to the requests library.
- validate_certs (optional, bool, None)
Whether or not SSL API requests should be verified.
Before Ansible 2.3 this defaulted to
true.- ca_cert (optional, str, None)
A path to a CA Cert bundle that can be used as part of verifying SSL API requests.
- client_cert (optional, str, None)
A path to a client certificate to use as part of the SSL transaction.
- client_key (optional, str, None)
A path to a client key to use as part of the SSL transaction.
- interface (optional, str, public)
Endpoint URL type to fetch from the service catalog.
- sdk_log_path (optional, str, None)
Path to the logfile of the OpenStackSDK. If empty no log is written
- sdk_log_level (optional, str, INFO)
Log level of the OpenStackSDK
Notes
Note
The standard OpenStack environment variables, such as
OS_USERNAMEmay be used instead of providing explicit values.Auth information is driven by openstacksdk, which means that values can come from a yaml config file in /etc/ansible/openstack.yaml, /etc/openstack/clouds.yaml or ~/.config/openstack/clouds.yaml, then from standard environment variables, then finally by explicit parameters in plays. More information can be found at https://docs.openstack.org/openstacksdk/
Examples
- name: Create application credential
openstack.cloud.application_credential:
cloud: mycloud
description: demodescription
name: democreds
state: present
- name: Create application credential with expiration, access rules and roles
openstack.cloud.application_credential:
cloud: mycloud
description: demodescription
name: democreds
access_rules:
- service: "compute"
path: "/v2.1/servers"
method: "GET"
expires_at: "2024-02-29T09:29:59"
roles:
- name: Member
state: present
- name: Delete application credential
openstack.cloud.application_credential:
cloud: mycloud
name: democreds
state: absent
Return Values
- application_credential (On success when I(state) is C(present)., dict, )
Dictionary describing the project.
- id (, str, 2e73d1b4f0cb473f920bd54dfce3c26d)
The ID of the application credential.
- name (, str, appcreds)
The name of the application credential.
- secret (, str, JxE7LajLY75NZgDH1hfu0N_6xS9hQ-Af40W3)
Secret to use for authentication (if not provided, returns the generated value).
- description (, str, App credential)
A description of the application credential’s purpose.
- expires_at (, str, 2024-02-29T09:29:59.000000)
The expiration time of the application credential in UTC, if one was specified.
- project_id (, str, 4b633c451ac74233be3721a3635275e5)
The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.
- roles (, list, [{‘name’: ‘Member’}])
A list of one or more roles that this application credential has associated with its project. A token using this application credential will have these same roles.
- access_rules (, list, [{‘id’: ‘edecb6c791d541a3b458199858470d20’, ‘service’: ‘compute’, ‘path’: ‘/v2.1/servers’, ‘method’: ‘GET’}])
A list of access_rules objects
- unrestricted (, bool, )
A flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts.
- cloud (On success when I(state) is C(present)., dict, {‘auth_type’: ‘v3applicationcredential’, ‘auth’: {‘auth_url’: ‘https://192.0.2.1/identity’, ‘application_credential_secret’: ‘JxE7LajLY75NZgDH1hfu0N_6xS9hQ-Af40W3’, ‘application_credential_id’: ‘3e73d1b4f0cb473f920bd54dfce3c26d’}})
The current cloud config with the username and password replaced with the name and secret of the application credential. This can be passed to the cloud parameter of other tasks, or written to an openstack cloud config file.