Identity service command-line client

Identity service command-line client

Warning

The keystone CLI is deprecated in favor of python-openstackclient. For more information, see OpenStack command-line client. For a Python library, continue using python-keystoneclient.

The keystone client is the command-line interface (CLI) for the Identity service API and its extensions.

This chapter documents keystone version 2.3.1.

For help on a specific keystone command, enter:

$ keystone help COMMAND

keystone usage

usage: keystone [--version] [--debug] [--os-username <auth-user-name>]
                [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                [--os-region-name <region-name>]
                [--os-identity-api-version <identity-api-version>]
                [--os-token <service-token>]
                [--os-endpoint <service-endpoint>] [--os-cache]
                [--force-new-token] [--stale-duration <seconds>] [--insecure]
                [--os-cacert <ca-certificate>] [--os-cert <certificate>]
                [--os-key <key>] [--timeout <seconds>]
                <subcommand> ...

Subcommands:

catalog
List service catalog, possibly filtered by service.
ec2-credentials-create
Create EC2-compatible credentials for user per tenant.
ec2-credentials-delete
Delete EC2-compatible credentials.
ec2-credentials-get
Display EC2-compatible credentials.
ec2-credentials-list
List EC2-compatible credentials for a user.
endpoint-create
Create a new endpoint associated with a service.
endpoint-delete
Delete a service endpoint.
endpoint-get
Find endpoint filtered by a specific attribute or service type.
endpoint-list
List configured service endpoints.
password-update
Update own password.
role-create
Create new role.
role-delete
Delete role.
role-get
Display role details.
role-list
List all roles.
service-create
Add service to Service Catalog.
service-delete
Delete service from Service Catalog.
service-get
Display service from Service Catalog.
service-list
List all services in Service Catalog.
tenant-create
Create new tenant.
tenant-delete
Delete tenant.
tenant-get
Display tenant details.
tenant-list
List all tenants.
tenant-update
Update tenant name, description, enabled status.
token-get
Display the current user token.
user-create
Create new user.
user-delete
Delete user.
user-get
Display user details.
user-list
List users.
user-password-update
Update user password.
user-role-add
Add role to user.
user-role-list
List roles granted to a user.
user-role-remove
Remove role from user.
user-update
Update user’s name, email, and enabled status.
discover
Discover Keystone servers, supported API versions and extensions.
bootstrap
Grants a new role to a new user on a new tenant, after creating each.
bash-completion
Prints all of the commands and options to stdout.
help
Display help about this program or one of its subcommands.

keystone optional arguments

--version
Shows the client version and exits.
--debug
Prints debugging output onto the console, this includes the curl request and response calls. Helpful for debugging and understanding the API calls.
--os-username <auth-user-name>
Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME].
--os-password <auth-password>
Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD].
--os-tenant-name <auth-tenant-name>
Tenant to request authorization on. Defaults to env[OS_TENANT_NAME].
--os-tenant-id <tenant-id>
Tenant to request authorization on. Defaults to env[OS_TENANT_ID].
--os-auth-url <auth-url>
Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL].
--os-region-name <region-name>
Specify the region to use. Defaults to env[OS_REGION_NAME].
--os-identity-api-version <identity-api-version>
Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 2.0.
--os-token <service-token>
Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN].
--os-endpoint <service-endpoint>
Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT].
--os-cache
Use the auth token cache. Defaults to env[OS_CACHE].
--force-new-token
If the keyring is available and in use, token will always be stored and fetched from the keyring until the token has expired. Use this option to request a new token and replace the existing one in the keyring.
--stale-duration <seconds>
Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds.
--insecure
Explicitly allow client to perform “insecure” TLS (https) requests. The server’s certificate will not be verified against any certificate authorities. This option should be used with caution.
--os-cacert <ca-certificate>
Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT].
--os-cert <certificate>
Defaults to env[OS_CERT].
--os-key <key>
Defaults to env[OS_KEY].
--timeout <seconds>
Set request timeout (in seconds).

keystone bootstrap

usage: keystone bootstrap [--user-name <user-name>] --pass <password>
                          [--role-name <role-name>]
                          [--tenant-name <tenant-name>]

Grants a new role to a new user on a new tenant, after creating each.

Arguments:

--user-name <user-name>
The name of the user to be created (default=”admin”).
--pass <password>
The password for the new user.
--role-name <role-name>
The name of the role to be created and granted to the user (default=”admin”).
--tenant-name <tenant-name>
The name of the tenant to be created (default=”admin”).

keystone catalog

usage: keystone catalog [--service <service-type>]

List service catalog, possibly filtered by service.

Arguments:

--service <service-type>
Service type to return.

keystone discover

usage: keystone discover

Discover Keystone servers, supported API versions and extensions.

keystone ec2-credentials-create

usage: keystone ec2-credentials-create [--user-id <user-id>]
                                       [--tenant-id <tenant-id>]

Create EC2-compatible credentials for user per tenant.

Arguments:

--user-id <user-id>
User ID for which to create credentials. If not specified, the authenticated user will be used.
--tenant-id <tenant-id>
Tenant ID for which to create credentials. If not specified, the authenticated tenant ID will be used.

keystone ec2-credentials-delete

usage: keystone ec2-credentials-delete [--user-id <user-id>] --access
                                       <access-key>

Delete EC2-compatible credentials.

Arguments:

--user-id <user-id>
User ID.
--access <access-key>
Access Key.

keystone ec2-credentials-get

usage: keystone ec2-credentials-get [--user-id <user-id>] --access
                                    <access-key>

Display EC2-compatible credentials.

Arguments:

--user-id <user-id>
User ID.
--access <access-key>
Access Key.

keystone ec2-credentials-list

usage: keystone ec2-credentials-list [--user-id <user-id>]

List EC2-compatible credentials for a user.

Arguments:

--user-id <user-id>
User ID.

keystone endpoint-create

usage: keystone endpoint-create [--region <endpoint-region>] --service
                                <service> --publicurl <public-url>
                                [--adminurl <admin-url>]
                                [--internalurl <internal-url>]

Create a new endpoint associated with a service.

Arguments:

--region <endpoint-region>
Endpoint region.
--service <service>, --service-id <service>, --service_id <service>
Name or ID of service associated with endpoint.
--publicurl <public-url>
Public URL endpoint.
--adminurl <admin-url>
Admin URL endpoint.
--internalurl <internal-url>
Internal URL endpoint.

keystone endpoint-delete

usage: keystone endpoint-delete <endpoint-id>

Delete a service endpoint.

Arguments:

<endpoint-id>
ID of endpoint to delete.

keystone endpoint-get

usage: keystone endpoint-get --service <service-type>
                             [--endpoint-type <endpoint-type>]
                             [--attr <service-attribute>] [--value <value>]

Find endpoint filtered by a specific attribute or service type.

Arguments:

--service <service-type>
Service type to select.
--endpoint-type <endpoint-type>
Endpoint type to select.
--attr <service-attribute>
Service attribute to match for selection.
--value <value>
Value of attribute to match.

keystone endpoint-list

usage: keystone endpoint-list

List configured service endpoints.

keystone password-update

usage: keystone password-update [--current-password <current-password>]
                                [--new-password  <new-password>]

Update own password.

Arguments:

--current-password <current-password>
Current password, Defaults to the password as set by --os-password or env[OS_PASSWORD].
--new-password <new-password>
Desired new password.

keystone role-create

usage: keystone role-create --name <role-name>

Create new role.

Arguments:

--name <role-name>
Name of new role.

keystone role-delete

usage: keystone role-delete <role>

Delete role.

Arguments:

<role>
Name or ID of role to delete.

keystone role-get

usage: keystone role-get <role>

Display role details.

Arguments:

<role>
Name or ID of role to display.

keystone role-list

usage: keystone role-list

List all roles.

keystone service-create

usage: keystone service-create --type <type> [--name <name>]
                               [--description <service-description>]

Add service to Service Catalog.

Arguments:

--type <type>
Service type (one of: identity, compute, network, image, object-store, or other service identifier string).
--name <name>
Name of new service (must be unique).
--description <service-description>
Description of service.

keystone service-delete

usage: keystone service-delete <service>

Delete service from Service Catalog.

Arguments:

<service>
Name or ID of service to delete.

keystone service-get

usage: keystone service-get <service>

Display service from Service Catalog.

Arguments:

<service>
Name or ID of service to display.

keystone service-list

usage: keystone service-list

List all services in Service Catalog.

keystone tenant-create

usage: keystone tenant-create --name <tenant-name>
                              [--description <tenant-description>]
                              [--enabled <true|false>]

Create new tenant.

Arguments:

--name <tenant-name>
New tenant name (must be unique).
--description <tenant-description>
Description of new tenant. Default is none.
--enabled <true|false>
Initial tenant enabled status. Default is true.

keystone tenant-delete

usage: keystone tenant-delete <tenant>

Delete tenant.

Arguments:

<tenant>
Name or ID of tenant to delete.

keystone tenant-get

usage: keystone tenant-get <tenant>

Display tenant details.

Arguments:

<tenant>
Name or ID of tenant to display.

keystone tenant-list

usage: keystone tenant-list

List all tenants.

keystone tenant-update

usage: keystone tenant-update [--name <tenant_name>]
                              [--description <tenant-description>]
                              [--enabled <true|false>]
                              <tenant>

Update tenant name, description, enabled status.

Arguments:

--name <tenant_name>
Desired new name of tenant.
--description <tenant-description>
Desired new description of tenant.
--enabled <true|false>
Enable or disable tenant.
<tenant>
Name or ID of tenant to update.

keystone token-get

usage: keystone token-get [--wrap <integer>]

Display the current user token.

Arguments:

--wrap <integer>
Wrap PKI tokens to a specified length, or 0 to disable.

keystone user-create

usage: keystone user-create --name <user-name> [--tenant <tenant>]
                            [--pass [<pass>]] [--email <email>]
                            [--enabled <true|false>]

Create new user.

Arguments:

--name <user-name>
New user name (must be unique).
--tenant <tenant>, --tenant-id <tenant>
New user default tenant.
--pass [<pass>]
New user password; required for some auth backends.
--email <email>
New user email address.
--enabled <true|false>
Initial user enabled status. Default is true.

keystone user-delete

usage: keystone user-delete <user>

Delete user.

Arguments:

<user>
Name or ID of user to delete.

keystone user-get

usage: keystone user-get <user>

Display user details.

Arguments:

<user>
Name or ID of user to display.

keystone user-list

usage: keystone user-list [--tenant <tenant>]

List users.

Arguments:

--tenant <tenant>, --tenant-id <tenant>
Tenant; lists all users if not specified.

keystone user-password-update

usage: keystone user-password-update [--pass <password>] <user>

Update user password.

Arguments:

--pass <password>
Desired new password.
<user>
Name or ID of user to update password.

keystone user-role-add

usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>]

Add role to user.

Arguments:

--user <user>, --user-id <user>, --user_id <user>
Name or ID of user.
--role <role>, --role-id <role>, --role_id <role>
Name or ID of role.
--tenant <tenant>, --tenant-id <tenant>
Name or ID of tenant.

keystone user-role-list

usage: keystone user-role-list [--user <user>] [--tenant <tenant>]

List roles granted to a user.

Arguments:

--user <user>, --user-id <user>
List roles granted to specified user.
--tenant <tenant>, --tenant-id <tenant>
List only roles granted on specified tenant.

keystone user-role-remove

usage: keystone user-role-remove --user <user> --role <role>
                                 [--tenant <tenant>]

Remove role from user.

Arguments:

--user <user>, --user-id <user>, --user_id <user>
Name or ID of user.
--role <role>, --role-id <role>, --role_id <role>
Name or ID of role.
--tenant <tenant>, --tenant-id <tenant>
Name or ID of tenant.

keystone user-update

usage: keystone user-update [--name <user-name>] [--email <email>]
                            [--enabled <true|false>]
                            <user>

Update user’s name, email, and enabled status.

Arguments:

--name <user-name>
Desired new user name.
--email <email>
Desired new email address.
--enabled <true|false>
Enable or disable user.
<user>
Name or ID of user to update.
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

Contents