Keystone has long been the barrier that keeps cloud-native applications from having truly automation-compatible support. Applications, deployment tools, and OpenStack services have all required dedicated keystone users whose passwords are committed to configuration files. This talk introduces Application Credentials, a new feature in the Queens release of keystone that enables applications and automation to authenticate with keystone without requiring a dedicated keystone user, allows graceful rotation of credentials with minimal downtime, and encourages delegating restrictive permissions to applications.
This talk will discuss the use cases that drove this feature request to the top of our priority list and some history on how we've tried to solve some of these problems before now. Attendees will learn how to create application credentials and how to use them in application development. Finally, we'll cover some of the limitations application credentials have, and the next steps we plan to take with them.