CloudOps

Keystone Application Credentials & Trusts Design Prompt

Design secure non-human authentication in Keystone using application credentials and trusts — scoping, access rules, expiry, and migrating CI/automation off long-lived passwords.

Target user
OpenStack operators securing automation, CI, and delegated workflows
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack identity engineer who has migrated fleets of CI pipelines and Heat/auto-scaling workflows off hard-coded user passwords onto scoped application credentials and trusts.

I will provide:
- How automation authenticates today (clouds.yaml, env vars, passwords)
- Keystone version and token provider (fernet or jws)
- The workflows needing delegation (CI, Heat, Octavia, backups)
- Compliance constraints (rotation policy, no-shared-secrets mandate)

Your job:

1. **App credentials vs trusts** — explain the distinction: application credentials are user-owned, self-service, role-scoped secrets that survive password changes; trusts delegate a subset of roles from a trustor to a trustee (how Heat/auto-scaling act on your behalf). Map each automation use case to the right primitive.

2. **Scoping & least privilege** — author `openstack application credential create` with `--role` restricted to the minimum (a credential can never carry a role its owning user lacks), `--restricted` (the default; it stops the credential from creating further application credentials or trusts, which `--unrestricted` would allow), and `--access-rules` limiting calls to a specific service type + HTTP method + path. Show a JSON access-rules file that allows only `GET /v2.0/networks` on the `network` service, and note that access rules are enforced when the receiving service validates the token, so every service the credential talks to must sit behind a keystonemiddleware recent enough to support them.

3. **Expiry & rotation** — set `--expiration` (format `YYYY-mm-ddTHH:MM:SS`; without it the credential never expires), design an overlap rotation (create the new credential, switch consumers to it, verify it works, then revoke the old one), and explain why app creds keep working when the owning user rotates their password but stop working when that user is disabled or deleted, or loses a role the credential carries.

4. **Trusts mechanics** — show `openstack trust create` with `--project`, a role subset, and the implications of `--impersonate` (the trustee's trust-scoped tokens then carry the trustor's identity); explain how Heat stores the trust id with the stack and uses it to obtain fresh trust-scoped tokens for deferred operations such as auto-scaling; and spell out the security blast radius of an over-broad trust (every role delegated is usable by the trustee for as long as the trust lives).

5. **clouds.yaml wiring** — convert a password-based cloud entry to `auth_type: v3applicationcredential` with `application_credential_id` and `application_credential_secret` under `auth:`; keep the secret out of git (for example in openstacksdk's `secure.yaml`, which is merged with `clouds.yaml`, or injected at run time from the CI secret store).

6. **Anti-patterns** — admin-scoped app creds for a backup job, unrestricted creds that can mint more creds, no expiry, and shared service-account passwords across CI jobs.

7. **Validation** — prove an access rule denies an out-of-scope call (for example `POST /v2.0/networks` or `GET /v2.0/ports` against the read-only rule from step 2), confirm the credential survives a password reset of its owner, and run a revocation drill (delete the credential and show the consumer fails closed instead of falling back to a password).

Output as: (a) decision table use-case → primitive, (b) exact create commands with access-rules JSON, (c) clouds.yaml before/after, (d) rotation runbook, (e) a least-privilege audit query.

Bias toward: minimal roles, mandatory expiry, access-rules over broad scoping, secrets never in version control.
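A way to author and lint the access-rules file from item 2 before handing it to `--access-rules`, and to rehearse the denial from item 7 offline. This is an added example for this page, not code from the prompt's author or from Keystone: the wildcard matching (`*` for one path segment, `**` for any number of segments, full-path match rather than prefix match) is re-implemented here as an approximation of the documented rule semantics, and the sample requests and the `READ_ONLY_RULES` set are constructed for the example. Keystone evaluates the rules itself during token validation, so the live out-of-scope call remains the real proof.

```python
"""Lint a Keystone application-credential access-rules file offline.

Added example for this page, not code from Keystone or from the prompt's
author.  Rule matching is re-implemented here from the documented semantics
and is an approximation; Keystone performs the real check at token
validation.  Assumed semantics used below:
  - a rule is {"service": <service type>, "method": <HTTP verb>, "path": <path>}
  - a request is allowed only if at least one rule matches all three fields
  - paths match in full (no prefix matching); "*" stands for one path
    segment and "**" for any number of segments
"""
import json
import re
from pathlib import Path

# The page's minimal rule: list Neutron networks and nothing else.
MINIMAL_RULES = [
    {"service": "network", "method": "GET", "path": "/v2.0/networks"},
]

# A wider, still read-only set constructed for this example.
READ_ONLY_RULES = [
    {"service": "network", "method": "GET", "path": "/v2.0/networks"},
    {"service": "network", "method": "GET", "path": "/v2.0/networks/*"},
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/**"},
]


def write_rules(rules, path):
    """Write rules as the JSON array that --access-rules accepts as a file."""
    Path(path).write_text(json.dumps(rules, indent=2) + "\n")
    return str(path)


def _path_regex(pattern):
    """Translate a rule path with * / ** wildcards into an anchored regex."""
    escaped = re.escape(pattern)                # "*" becomes "\*" here
    escaped = escaped.replace(r"\*\*", "\x00")  # protect "**" before handling "*"
    escaped = escaped.replace(r"\*", "[^/]+")   # one segment, no slash
    escaped = escaped.replace("\x00", ".*")     # any number of segments
    return re.compile("^" + escaped + "$")


def rule_matches(rule, service, method, path):
    """True when one rule covers the (service, method, path) triple."""
    return (
        rule["service"] == service
        and rule["method"].upper() == method.upper()
        and _path_regex(rule["path"]).match(path) is not None
    )


def is_allowed(rules, service, method, path):
    """A request is allowed only if some rule matches it; otherwise denied."""
    return any(rule_matches(r, service, method, path) for r in rules)


def audit(rules, requests):
    """Evaluate sample calls; returns {(service, method, path): allowed}."""
    return {req: is_allowed(rules, *req) for req in requests}


if __name__ == "__main__":
    rules_file = write_rules(MINIMAL_RULES, "rules.json")
    print(f"wrote {rules_file}; pass it as --access-rules {rules_file}")
    # Constructed sample calls: the one the credential is for, plus the
    # out-of-scope calls the validation step should see denied.
    sample = [
        ("network", "GET", "/v2.0/networks"),
        ("network", "POST", "/v2.0/networks"),
        ("network", "GET", "/v2.0/networks/00000000-0000-0000-0000-000000000000"),
        ("compute", "GET", "/v2.1/servers"),
    ]
    for req, ok in audit(MINIMAL_RULES, sample).items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {req[1]:6} {req[0]}:{req[2]}")
```

The matcher is deliberately deny-by-default: anything not covered by a rule is rejected, which is also why a credential with access rules breaks the moment a consumer starts calling an endpoint the rules file never mentioned.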
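The overlap rotation from item 3 together with the clouds.yaml wiring from item 5, as an added example that is not part of the original page. The `openstack application credential create/list/delete` invocations, the `-f value -c ...` output selection, `auth_type: v3applicationcredential`, the `OS_APPLICATION_CREDENTIAL_ID`/`OS_APPLICATION_CREDENTIAL_SECRET` variables and the `secure.yaml` file that openstacksdk merges into `clouds.yaml` are real python-openstackclient and openstacksdk features; the `<prefix>-<timestamp>` naming, the injectable `run` callable, the split into `issue_new()`/`revoke_old()`, and the `ci-deploy`/`reader` sample values are assumptions made for this example.

```python
"""Overlap rotation of a Keystone application credential via the openstack
CLI, with the secret written to secure.yaml instead of git.

Added example for this page, not code from the prompt's author or from
OpenStack.  The CLI commands and clouds.yaml/secure.yaml layout are real;
the naming scheme, the injectable `run` callable and the two-phase split
(issue now, revoke after a grace window) are assumptions made here.
"""
import datetime as dt
import os
import subprocess
from pathlib import Path


def run_openstack(args, env=None):
    """Run `openstack <args>` and return stdout; raises on non-zero exit."""
    proc = subprocess.run(["openstack", *args], check=True,
                          capture_output=True, text=True, env=env)
    return proc.stdout


def write_cloud_config(out_dir, cloud, auth_url, cred_id, secret):
    """clouds.yaml carries the id (safe to commit); secure.yaml the secret."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / "clouds.yaml").write_text(
        "clouds:\n"
        f"  {cloud}:\n"
        "    auth_type: v3applicationcredential\n"
        "    auth:\n"
        f"      auth_url: {auth_url}\n"
        f"      application_credential_id: {cred_id}\n"
    )
    secure = out / "secure.yaml"   # merged by openstacksdk; list it in .gitignore
    secure.write_text(
        "clouds:\n"
        f"  {cloud}:\n"
        "    auth:\n"
        f"      application_credential_secret: {secret}\n"
    )
    os.chmod(secure, 0o600)
    return out / "clouds.yaml"


def issue_new(prefix, role, rules_file, days, auth_url, cloud, out_dir,
              verify_args=("network", "list", "-f", "value", "-c", "ID"),
              run=run_openstack, now=None):
    """Phase 1: create the replacement credential, wire it up, prove it works."""
    now = now or dt.datetime.now(dt.timezone.utc)
    name = f"{prefix}-{now:%Y%m%d%H%M}"                      # assumed naming
    expires = (now + dt.timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")
    out = run([
        "application", "credential", "create", name,
        "--role", role,
        "--restricted",               # the default, stated explicitly: no minting creds/trusts
        "--access-rules", rules_file, # JSON file, e.g. only GET /v2.0/networks
        "--expiration", expires,      # mandatory expiry
        "-f", "value", "-c", "id", "-c", "secret",
    ])
    cred_id, secret = out.split("\n")[:2]   # one value per line with -f value
    write_cloud_config(out_dir, cloud, auth_url, cred_id, secret)
    # Verify with a call the access rules allow, in a clean environment so a
    # leftover OS_CLOUD / OS_PASSWORD from the operator cannot mask a failure.
    env = {
        "PATH": os.environ.get("PATH", ""),
        "OS_AUTH_TYPE": "v3applicationcredential",
        "OS_AUTH_URL": auth_url,
        "OS_APPLICATION_CREDENTIAL_ID": cred_id,
        "OS_APPLICATION_CREDENTIAL_SECRET": secret,
    }
    run(list(verify_args), env=env)   # non-zero exit raises before any revocation
    return {"name": name, "id": cred_id, "expires": expires}


def revoke_old(prefix, keep_id, run=run_openstack):
    """Phase 2 (after the grace window): delete every PREFIX-* except keep_id."""
    listing = run(["application", "credential", "list",
                   "-f", "value", "-c", "ID", "-c", "Name"])
    revoked = []
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        cred_id, name = parts
        if name.startswith(prefix + "-") and cred_id != keep_id:
            run(["application", "credential", "delete", cred_id])
            revoked.append(cred_id)
    return revoked


if __name__ == "__main__":
    info = issue_new("ci-deploy", "reader", "rules.json", 90,
                     "https://keystone.example.com:5000/v3", "ci", "out")
    print("issued", info["name"], "expires", info["expires"])
    # After consumers reload and the grace window passes:
    # print("revoked", revoke_old("ci-deploy", info["id"]))
```

Run `issue_new()` first, let every consumer reload the new `clouds.yaml` and `secure.yaml` (or pull the secret from the CI store), wait out the agreed grace window, and only then call `revoke_old()` with the new credential's id. Because `issue_new()` verifies with an allowed call before returning, a failed create or a broken rules file never leaves the pipeline without a working credential.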