keystone commands

The keystone client is the command-line interface (CLI) for the OpenStack Identity API.

For help on a specific keystone command, enter:

$ keystone help COMMAND
 

Example A.1. Usage

keystone [--version] [--timeout <seconds>]
         [--os-username <auth-user-name>]
         [--os-password <auth-password>]
         [--os-tenant-name <auth-tenant-name>]
         [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
         [--os-region-name <region-name>]
         [--os-identity-api-version <identity-api-version>]
         [--os-token <service-token>]
         [--os-endpoint <service-endpoint>]
         [--os-cacert <ca-certificate>] [--insecure]
         [--os-cert <certificate>] [--os-key <key>] [--os-cache]
         [--force-new-token] [--stale-duration <seconds>]
         <subcommand> ...

 

Example A.2. Positional arguments

<subcommand>
    catalog             List service catalog, possibly filtered by service.
    ec2-credentials-create
                        Create EC2-compatible credentials for user per tenant
    ec2-credentials-delete
                        Delete EC2-compatible credentials
    ec2-credentials-get
                        Display EC2-compatible credentials
    ec2-credentials-list
                        List EC2-compatible credentials for a user
    endpoint-create     Create a new endpoint associated with a service
    endpoint-delete     Delete a service endpoint
    endpoint-get        Find endpoint filtered by a specific attribute or
                        service type
    endpoint-list       List configured service endpoints
    password-update     Update own password
    role-create         Create new role
    role-delete         Delete role
    role-get            Display role details
    role-list           List all roles
    service-create      Add service to Service Catalog
    service-delete      Delete service from Service Catalog
    service-get         Display service from Service Catalog
    service-list        List all services in Service Catalog
    tenant-create       Create new tenant
    tenant-delete       Delete tenant
    tenant-get          Display tenant details
    tenant-list         List all tenants
    tenant-update       Update tenant name, description, enabled status
    token-get           Display the current user token
    user-create         Create new user
    user-delete         Delete user
    user-get            Display user details.
    user-list           List users
    user-password-update
                        Update user password
    user-role-add       Add role to user
    user-role-list      List roles granted to a user
    user-role-remove    Remove role from user
    user-update         Update user's name, email, and enabled status
    discover            Discover Keystone servers, supported API versions and
                        extensions.
    bootstrap           Grants a new role to a new user on a new tenant, after
                        creating each.
    bash-completion     Prints all of the commands and options to stdout.
    help                Display help about this program or one of its
                        subcommands.

 

Example A.3. Optional arguments

  --version             Shows the client version and exits
  --timeout <seconds>   Set request timeout (in seconds)
  --os-username <auth-user-name>
                        Name used for authentication with the OpenStack
                        Identity service. Defaults to env[OS_USERNAME]
  --os-password <auth-password>
                        Password used for authentication with the OpenStack
                        Identity service. Defaults to env[OS_PASSWORD]
  --os-tenant-name <auth-tenant-name>
                        Tenant to request authorization on. Defaults to
                        env[OS_TENANT_NAME]
  --os-tenant-id <tenant-id>
                        Tenant to request authorization on. Defaults to
                        env[OS_TENANT_ID]
  --os-auth-url <auth-url>
                        Specify the Identity endpoint to use for
                        authentication. Defaults to env[OS_AUTH_URL]
  --os-region-name <region-name>
                        Defaults to env[OS_REGION_NAME]
  --os-identity-api-version <identity-api-version>
                        Defaults to env[OS_IDENTITY_API_VERSION] or 2.0
  --os-token <service-token>
                        Specify an existing token to use instead of retrieving
                        one via authentication (e.g. with username &
                        password). Defaults to env[OS_SERVICE_TOKEN]
  --os-endpoint <service-endpoint>
                        Specify an endpoint to use instead of retrieving one
                        from the service catalog (via authentication).
                        Defaults to env[OS_SERVICE_ENDPOINT]
  --os-cacert <ca-certificate>
                        Specify a CA bundle file to use in verifying a TLS
                        (https) server certificate. Defaults to env[OS_CACERT]
  --insecure            Explicitly allow keystoneclient to perform "insecure"
                        TLS (https) requests. The server's certificate will
                        not be verified against any certificate authorities.
                        This option should be used with caution.
  --os-cert <certificate>
                        Defaults to env[OS_CERT]
  --os-key <key>        Defaults to env[OS_KEY]
  --os-cache            Use the auth token cache. Defaults to env[OS_CACHE]
  --force-new-token     If the keyring is available and in use, token will
                        always be stored and fetched from the keyring until
                        the token has expired. Use this option to request a
                        new token and replace the existing one in the keyring.
  --stale-duration <seconds>
                        Stale duration (in seconds) used to determine whether
                        a token has expired when retrieving it from keyring.
                        This is useful in mitigating process or network
                        delays. Default is 30 seconds.

Log a bug against this page

loading table of contents...