7.3 Setting Environment Variables for OpenStack CLI Clients

When you run OpenStack command-line clients, you must authenticate to Keystone so that you can be authorized to perform an action. You can submit the required credentials using the command-line arguments for the OpenStack clients, or you can store the credentials as environment variables which can then be used by the OpenStack clients. Using environment variables is often easier.

The following are the minimum required OpenStack environment variables:

Environment Variable

Purpose

OS_AUTH_URL

Keystone authentication URL.

OS_TENANT_NAME

Keystone tenant name.

OS_USERNAME

Keystone user name.

OS_PASSWORD

Keystone password.

OS_PROJECT_NAME

Keystone project name.

OS_PROJECT_DOMAIN_ID

Keystone domain ID containing the project.

OS_PROJECT_DOMAIN_NAME

Keystone domain name containing the project.

OS_USER_DOMAIN_ID

Keystone user's domain ID.

OS_USER_DOMAIN_NAME

Keystone user's domain name.

OS_IDENTITY_API_VERSION

Keystone identity API version. This should be set to 3.

The docker-ostk utility automatically sets this variable for you.

OS_VOLUME_API_VERSION

Cinder volume API version. This should be set to 2.

The docker-ostk utility automatically sets this variable for you.

If you do not set the OS_PASSWORD environment variable, the OpenStack CLI clients prompt you to enter the password.

For a complete list of the environment variables you can use, see http://docs.openstack.org/developer/python-openstackclient/man/openstack.html#environment-variables

To manually set the environment variables: 

$ export variable_name=value

For example: 

$ export OS_AUTH_URL=http://10.0.0.10:5000/v3
$ export OS_TENANT_NAME=admin
$ export OS_PROJECT_NAME=admin
$ export OS_USERNAME=admin
$ export OS_PASSWORD=password
$ export OS_PROJECT_DOMAIN_ID=default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_USER_DOMAIN_ID=default
$ export OS_USER_DOMAIN_NAME=Default

Using an Environment File

You can create an environment file that exports the variables (as shown above), and use the source command to set the variables before you run OpenStack CLI commands. You can download a preconfigured environment file from the OpenStack Horizon dashboard, as follows:

  1. Log in to the OpenStack Horizon dashboard.

  2. Select Project, then Compute, and then select Access & Security. Select the API Access subtab.

  3. Click Download OpenStack RC v3 File and save this file to the host.

  4. Use the source command to load the environment variables. 

    $ source admin-openrc.sh
Please enter your OpenStack Password:

    You are prompted to enter the OpenStack admin password. Enter the password and the environment variables are set up.

    Caution

    The password is stored in plain text, and is not encrypted.

Using a Key-Value Pairs File with docker-ostk

If you use the docker-ostk utility to run OpenStack CLI clients, you can pass the environment variables to the Docker container by storing the environment variables as key-value pairs in a file. To use the file, you specify the location of the file by setting the ENV_FILE environment variable before you run the docker-ostk command. The following is an example environment file with key-value pairs. 

OS_AUTH_URL=http://10.0.0.10:5000/v3
OS_TENANT_NAME=admin
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=password
OS_PROJECT_DOMAIN_ID=default
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_ID=default
OS_USER_DOMAIN_NAME=Default

Using a clouds.yaml File with the openstack CLI Client

If you use the openstack CLI client, you can store credentials in YAML format in a file named clouds.yaml. The following is an example clouds.yaml file containing the credentials for two projects, admin and dev: 

clouds:
  admin:
    auth:
      auth_url: http://10.0.0.20:5000/v3
      project_name: admin
      tenant_name: admin
      username: admin
      password: password
    project_domain_id: default
    project_domain_name: Default
    user_domain_id: default
    user_domain_name: Default
    identity_api_version: 3
    volume_api_version: 2
  dev:
    auth:
      auth_url: http://10.0.0.20:5000/v3
      project_name: DevProject
      username: jdoe
      password: password
    project_domain_id: default
    project_domain_name: Default
    user_domain_id: default
    user_domain_name: Default
    identity_api_version: 3
    volume_api_version: 2

You select the credentials you want to use with the --os-cloud option when you run a command, for example: 

$ openstack --os-cloud=dev server list

The openstack CLI client searches for the clouds.yaml file in order in the following locations:

  1. Current working directory

  2. $HOME/.config/openstack

  3. /etc/openstack

The first file found is used. If you use the docker-ostk utility, the clouds.yaml file must be in the current working directory as this directory is bind-mounted into the container.

For more information see http://docs.openstack.org/developer/python-openstackclient/configuration.html

Password Security

For security reasons, it is recommended that you do not store your OpenStack project passwords in a file or in an environment variable. To avoid storing passwords in plain text, you can either let the OpenStack CLI client prompt you for the password interactively, or you can specify the password with the --os-password option when you run a command.

Copyright © 2016, 2017 Oracle and/or its affiliates. All rights reserved. Legal Notices