A trust provide project-specific role delegation between users, with optional impersonation. Requires the OS-TRUST extension. Applies to Identity v3.

trust create

Create new trust

openstack trust create
    --project <project>
    --role <role>
    [--expiration <expiration>]
    [--project-domain <project-domain>]
    [--trustor-domain <trustor-domain>]
    [--trustee-domain <trustee-domain>]
--project <project>

Project being delegated (name or ID) (required)

--role <role>

Roles to authorize (name or ID) (repeat option to set multiple values, required)


Tokens generated from the trust will represent <trustor> (defaults to False)

--expiration <expiration>

Sets an expiration date for the trust (format of YYYY-mm-ddTHH:MM:SS)

--project-domain <project-domain>

Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.

--trustor-domain <trustor-domain>

Domain that contains <trustor> (name or ID)

--trustee-domain <trustee-domain>

Domain that contains <trustee> (name or ID)


User that is delegating authorization (name or ID)


User that is assuming authorization (name or ID)

trust delete

Delete trust(s)

openstack trust delete <trust> [<trust> ...]

Trust(s) to delete

trust list

List trusts

openstack trust list
    [--sort-column SORT_COLUMN]
    [--sort-ascending | --sort-descending]
--sort-column SORT_COLUMN

specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated


sort the column(s) in ascending order


sort the column(s) in descending order

trust show

Display trust details

openstack trust show <trust>

Trust to display