Enable API access to cPouta from the CLI and create application credentials
- Summary
- This tutorial guides you through setting the environment variables your local shell needs in order to use cPouta OpenStack from the CLI.
- Internet
- https://pouta.csc.fi
flowchart LR
A(Log in to<br>pouta.csc.fi) --> pouta-id1
subgraph pouta-id1 [Horizon]
B(Select 'API access') --> C(Download openstack RC file)
C --> D(Source RC file in terminal)
end
pouta-id1 --> E(Use cPouta and/or Allas from the terminal)
E --> F{Create<br>application<br>credentials}
F -->|Yes| pouta-id2
subgraph pouta-id2 [Horizon]
G(Select 'identity' and application credentials) --> H(Create and name a new credential)
H --> I(Define roles and expiration date)
I --> J(Store credentials)
end
Prerequisites
- Access to the cPouta service.
Procedure
Sign in to cPouta. Select API Access from the menu on the left.
Expand the 'Download OpenStack RC File' button, and select 'OpenStack RC File'.
Open Terminal or PowerShell. Locate the file you downloaded and source it with the command source project_2000099-openrc.sh, or replace the word source with a dot.
Enter your CSC account password at the prompt.
$ source project_2000099-openrc.sh
Please enter your OpenStack Password for project project_2000099 as user cbrown:
$ ▁
Check that the command was successful by typing env | grep ^OS_.
You should get a list of environment variables whose names begin with OS_.
$ env | grep ^OS_
OS_AUTH_URL=https://pouta.csc.fi:5001/v3
OS_PROJECT_ID=855821800b224a08a871d34c4f724g1d
OS_PROJECT_NAME=project_2000099
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_DOMAIN_ID=default
OS_USERNAME=cbrown
OS_PASSWORD=passwordInPlainTxt
OS_REGION_NAME=regionOne
OS_INTERFACE=public
OS_IDENTITY_API_VERSION=3
$ ▁
That's it!
Now you have access to your cPouta environment from the command line.
You can test the access by typing the command openstack flavor list.
Warning
Please make sure that no one else has access to your active terminal session, as your CSC account's password is visible in plain text in the environment variables.
Creating Application Credentials
To avoid using your personal credentials, you can create Application Credentials, which give more granular access to the project.
From the cPouta web interface, select Application Credentials from the left-hand menu under Identity.
Then click the '+ Create Application Credential' button.
Give the credential a descriptive name. Describe the credential in more detail. It is good practice to document credentials well.
It is also good practice to set an expiry date for the credential.
The safest thing to do is to give the minimum required access to a credential and then add more credentials for other needs as required.
Complete the creation by pressing the Create Application Credential button.
Here we have created limited access to the Allas service (object_store_user).
Tip
If there is no object_store_user role in your list, you haven't activated the Allas service for your project. Please activate it first from the MyCSC service.
Now is a good time - actually the last moment - to save your application details. You will no longer be able to see the secret once you close this view.
If you look at the contents of the downloaded file, you'll see that it's similar to the one you downloaded in step .
$ cat "app-cred-Alien data access to Allas (project_2000099)-openrc.sh"
#!/usr/bin/env bash
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://pouta.csc.fi:5001/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME="regionOne"
export OS_INTERFACE=public
export OS_APPLICATION_CREDENTIAL_ID=ca6157ca8351493cab6ac1ab9f8b3g24
export OS_APPLICATION_CREDENTIAL_SECRET=Pd3xzZiVF_4FGlLhSzGN-uVw9vgtiNSDPgPOjA3Q4ljmh3WLDze6mrpVizp75lojslFj2zF9s1arX2eJmxt01A
$ ▁
Access is also more restricted than with the personal account.
Info
You may be involved in multiple projects, and keeping track of project-specific credentials can become a burden. Good documentation will help you with this.
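The plain-text password warning and the saved application-credential file can both be checked from the shell. This is an added example, not part of the original tutorial or of CSC's tooling: the function names os_auth_mode and check_app_cred_file are hypothetical, and the owner-only (chmod 600) expectation for the saved file is an assumption.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not OpenStack or cPouta tooling.

# Report how the current shell would authenticate, based on the OS_* variables.
os_auth_mode() {
    if [ -n "${OS_PASSWORD:-}" ]; then
        echo "password"                  # personal CSC password sits in the environment
    elif [ "${OS_AUTH_TYPE:-}" = "v3applicationcredential" ] &&
         [ -n "${OS_APPLICATION_CREDENTIAL_SECRET:-}" ]; then
        echo "application_credential"    # scoped, revocable credential in use
    else
        echo "none"                      # no RC file has been sourced
    fi
}

# Check a saved application-credential RC file.
# Returns 0 only if every check passes, 1 on a finding, 2 if the file is missing.
check_app_cred_file() {
    acf_file=$1
    acf_rc=0
    [ -f "$acf_file" ] || { echo "FAIL: $acf_file not found"; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    # Assumption: the file holds the secret, so only the owner should read it.
    acf_perms=$(ls -ld -- "$acf_file" | cut -c5-10)
    if [ "$acf_perms" != "------" ]; then
        echo "FAIL: group/other can access the file (fix: chmod 600)"
        acf_rc=1
    fi
    # The file must select application-credential auth, as in the listing above.
    if ! grep -Eq '^export OS_AUTH_TYPE="?v3applicationcredential' "$acf_file"; then
        echo "FAIL: OS_AUTH_TYPE is not v3applicationcredential"
        acf_rc=1
    fi
    # A personal password must never be written into the file.
    if grep -q 'OS_PASSWORD=' "$acf_file"; then
        echo "FAIL: file carries a personal password"
        acf_rc=1
    fi
    [ "$acf_rc" -eq 0 ] && echo "OK: $acf_file"
    return "$acf_rc"
}
```

Run os_auth_mode after sourcing an RC file to see which kind of secret the session holds, and run check_app_cred_file on the downloaded app-cred file before storing it.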