Set up admin access to a cloud

Introduction

In order to configure a newly deployed OpenStack cloud for production use one must first gain native administrative control of it. Although this refers to OpenStack-level admin user access, this article will show how to obtain it via queries made with the Juju client.

Note

As an alternative to the instructions presented in this article, if the Horizon dashboard is available, access can be obtained by downloading a credentials file.

Procedure

Install the client software

The OpenStack clients will be needed in order to manage the cloud from the command line. Install them on the same machine that hosts the Juju client. This example uses the snap install method:

sudo snap install openstackclients --classic

Set cloud-specific authentication variables

In terms of authentication, three cloud-specific pieces of information are needed:

  • the Keystone administrator password

  • the Keystone service endpoint

  • the root CA certificate (if the cloud is TLS-enabled)

Keystone administrator password

Set the environment variable OS_PASSWORD to the Keystone administrator password:

export OS_PASSWORD=$(juju run --unit keystone/leader 'leader-get admin_passwd')

Keystone service endpoint

Determine the IP address of the keystone unit and set the environment variable OS_AUTH_URL to the Keystone service endpoint:

IP_ADDRESS=$(juju run --unit keystone/leader -- 'network-get --bind-address public')
export OS_AUTH_URL=https://${IP_ADDRESS}:5000/v3

Important

If the Keystone endpoint is not using TLS you will need to modify the URL to use HTTP.

Root CA certificate

Place the CA certificate in a file that your OpenStack client software can access and set the environment variable OS_CACERT to that file’s path. A commonly used path that works for the openstackclients snap, for user ‘ubuntu’, is /home/ubuntu/snap/openstackclients/common/root-ca.crt:

export OS_CACERT=/home/ubuntu/snap/openstackclients/common/root-ca.crt
juju run --unit vault/leader 'leader-get root-ca' > "$OS_CACERT"

Set other authentication variables

Charmed OpenStack uses standard values for other authentication variables:

export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=admin_domain
export OS_USER_DOMAIN_NAME=admin_domain

Verify administrative control

The admin user environment should now be complete.

First inspect all the variables:

env | grep OS_

A good initial verification test is to query the cloud’s endpoints (Keystone service catalog):

openstack endpoint list

A second recommended verification is to log in to the Horizon dashboard (if present), using the following values:

OS_USERNAME (User Name)
OS_PASSWORD (Password)
OS_PROJECT_DOMAIN_NAME (Domain)

You should now have the permissions to configure and manage the cloud.

Consider a helper script

Variables can be conveniently set through the use of a shell script that you can write yourself. However, the OpenStack Charms project maintains such files (one script calls another) and they can be found in the openstack-bundles repository.

Simply download the repository and source the openrc file:

git clone https://github.com/openstack-charmers/openstack-bundles ~/openstack-bundles
source ~/openstack-bundles/stable/openstack-base/openrc

This sets a suite of variables. Here is an example:

OS_REGION_NAME=RegionOne
OS_AUTH_VERSION=3
OS_CACERT=/home/ubuntu/snap/openstackclients/common/root-ca.crt
OS_AUTH_URL=https://10.0.0.162:5000/v3
OS_PROJECT_DOMAIN_NAME=admin_domain
OS_AUTH_PROTOCOL=https
OS_USERNAME=admin
OS_AUTH_TYPE=password
OS_USER_DOMAIN_NAME=admin_domain
OS_PROJECT_NAME=admin
OS_PASSWORD=aegoaquoo1veZae6
OS_IDENTITY_API_VERSION=3

Some of the above variables were not covered in the manual method but can be required in certain situations. For instance, Swift needs OS_AUTH_VERSION, Gnocchi looks for OS_AUTH_TYPE, and when backing Juju with OpenStack one needs to know the values of multiple variables.

Note

The helper files will set the Keystone endpoint variable OS_AUTH_URL to use HTTPS if Vault is detected as containing a root CA certificate. This will always be the case due to the OVN requirement for TLS via Vault. If Keystone is not TLS-enabled (for some reason) you will need to manually reset the above variable to use HTTP.
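
If you write the helper yourself, the following added example (not code from this guide or from the openstack-bundles repository) writes an openrc file readable only by its owner, selects HTTPS or HTTP depending on whether the CA file holds a PEM certificate, and lists the resulting variables with the password masked. The function names kv, write_openrc and show_openrc, and the password, address and certificate stub used in the demo, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: not from the openstack-bundles repository.
# Values are passed as arguments; on a real cloud they come from the juju
# queries shown above. Function names are hypothetical.

# Emit "export NAME='value'" with the value single-quoted, so that sourcing
# the file never expands or executes anything inside the value.
kv() {
    printf "export %s='%s'\n" "$1" "$(printf '%s' "$2" | sed "s/'/'\\\\''/g")"
}

# write_openrc FILE PASSWORD IP_ADDRESS CA_FILE
write_openrc() (
    file=$1; password=$2; ip=$3; ca=$4
    umask 077          # new file gets mode 0600; the subshell keeps this local
    # Use https only if CA_FILE holds a PEM certificate. This is a header
    # check, not chain validation; an empty file means no root CA came back.
    if [ -s "$ca" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        scheme=https
    else
        scheme=http
    fi
    rm -f "$file"      # do not inherit looser permissions from an old file
    {
        kv OS_AUTH_URL "$scheme://$ip:5000/v3"
        if [ "$scheme" = https ]; then kv OS_CACERT "$ca"; fi
        kv OS_USERNAME admin
        kv OS_PROJECT_NAME admin
        kv OS_PROJECT_DOMAIN_NAME admin_domain
        kv OS_USER_DOMAIN_NAME admin_domain
        kv OS_PASSWORD "$password"
    } > "$file"
)

# show_openrc FILE: list the OS_* variables FILE sets, with the password
# masked, without touching the caller's environment. FILE must be given
# with a path (for example ./openrc), because "." searches PATH otherwise.
show_openrc() (
    . "$1"
    env | grep '^OS_' | sed 's/^\(OS_PASSWORD\)=.*/\1=********/' | sort
)

# Demo with constructed values (not a real password, address or certificate).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' > "$demo/root-ca.crt"
write_openrc "$demo/openrc" 'constructed-pass' 192.0.2.10 "$demo/root-ca.crt"
show_openrc "$demo/openrc"
rm -rf "$demo"
```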