
Application Credential

An application credential is a scoped authentication token in OpenStack that allows applications to authenticate to cloud APIs without exposing user passwords.

What is an Application Credential in cloud hosting?

An application credential is a scoped authentication token that allows scripts, automation tools, and applications to access cloud APIs without using your user password. Instead of embedding your account password in configuration files or environment variables, you create a dedicated credential with limited permissions specifically for that application.

Application credentials are tied to a specific project and can be restricted to a subset of roles. They can also have expiration dates, making them safer to use in CI/CD pipelines, deployment scripts, and long-running services. If a credential is compromised, you revoke only that credential without changing your main password.

Related Terms

  • Keystone: The OpenStack identity service that manages authentication and authorization, such as issuing tokens, managing users, and validating application credentials.
  • Project: An isolated container for cloud resources where application credentials are scoped, such as a production project with its own instances and networks.
  • User: An identity that owns application credentials and defines their maximum permission scope, such as a developer account or service account.

Why Application Credentials Exist

Storing your user password in scripts or configuration files creates security risks. If someone gains access to that file, they have full access to your account. Changing your password breaks every script that uses it.

Application credentials solve this by providing credentials that:

  • Work only within a specific project
  • Can be limited to specific roles (read-only, compute access only, etc.)
  • Can expire automatically after a set time
  • Can be revoked individually without affecting other credentials or your main password

Without application credentials, teams often share passwords, embed them in code repositories, or use overly permissive service accounts. This makes it difficult to track which application made a particular API call and impossible to revoke access granularly.

What Do Application Credentials Actually Do?

  • Authenticate API requests to OpenStack services without requiring your user password
  • Limit access to a single project, preventing cross-project resource access
  • Restrict permissions to specific roles you assign when creating the credential
  • Expire automatically on a date you specify, reducing the risk of stale credentials
  • Generate a unique secret that can be rotated without changing your account password
  • Appear in audit logs with their own identity, making it clear which application made each request

When Would I Use an Application Credential?

Use an application credential when you need automated access to cloud APIs. Common scenarios include:

  • CI/CD pipelines: Your deployment scripts need to launch instances, upload images, or update load balancers
  • Monitoring tools: External monitoring services need read-only access to check instance health
  • Backup automation: Scheduled scripts need to create snapshots or copy volumes
  • Container orchestration: Kubernetes clusters need credentials to provision persistent volumes or floating IPs
  • Development environments: Developers need credentials for testing without sharing their personal passwords

When Would I NOT Use an Application Credential?

Avoid application credentials when direct user authentication is more appropriate:

  • Interactive dashboard sessions: When using the Horizon dashboard, log in with your user account for full access and session management
  • One-time manual tasks: If you are running a single command from your workstation, your user token is simpler
  • Highly privileged operations: Some administrative actions require your full user identity rather than a scoped credential

Application credentials also cannot be used to create other application credentials. If you need to delegate credential creation, you need direct user authentication with the identity service.

Real-World Example

Company A runs a SaaS platform hosted on OpenStack. Their deployment pipeline needs to:

  1. Upload new container images to Glance
  2. Launch instances with the new image
  3. Update the load balancer to include the new instances
  4. Remove old instances

Instead of storing an admin password in their CI/CD system, Company A creates an application credential with only the "compute" and "image" roles, scoped to their production project. The credential expires in 90 days, and a scheduled job creates a new one before expiration. When a developer leaves the company, their personal credentials are revoked, but the deployment pipeline continues working because it uses its own application credential.

Frequently Asked Questions

Can I use an application credential across multiple projects?

No. Each application credential is scoped to a single project. If your automation needs access to multiple projects, create a separate credential for each project and configure your application to use the appropriate credential for each context.

What happens if someone steals my application credential?

They can access only the project and roles you assigned to that credential. Immediately revoke the compromised credential in the Horizon dashboard or via the API. Your user account remains secure, and other application credentials continue working.

Do application credentials expire automatically?

Only if you set an expiration date when creating them. Without an expiration date, the credential remains valid until you manually revoke it. Setting expiration dates is recommended for credentials used in temporary or external systems.

Can I see what actions were taken with an application credential?

Yes. API requests authenticated with application credentials appear in audit logs with the credential's identity. This lets you track which application made specific changes, even when multiple applications use the same user account.

How do I rotate an application credential?

Create a new application credential with the same roles and project scope. Update your application to use the new credential. Once the new credential is working, revoke the old one. This process avoids downtime because both credentials work simultaneously during the transition.
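
The expiration and rotation answers above can be backed by a scheduled check. The following Python is an added example, not IMHCloud or OpenStack code: it audits a constructed credential inventory and reports which credentials have no expiration, are due for rotation, or carry a broad role. The field names follow Keystone's application credential listing; the 14-day rotation window, the `admin` broad-role set, and all sample names are assumptions.

```python
from datetime import datetime, timedelta, timezone

ROTATE_BEFORE = timedelta(days=14)  # assumption: lead time for the rotation job
BROAD_ROLES = {"admin"}             # assumption: roles too broad for automation


def parse_expiry(value):
    """Keystone reports expires_at as an ISO 8601 UTC string, or null if unset."""
    if value is None:
        return None
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def audit(credentials, now):
    """Return {credential name: [findings]} for credentials that need action."""
    report = {}
    for cred in credentials:
        findings = []
        expires = parse_expiry(cred.get("expires_at"))
        if expires is None:
            findings.append("no expiration: valid until manually revoked")
        elif expires <= now:
            findings.append("expired: remove the stale entry")
        elif expires - now <= ROTATE_BEFORE:
            findings.append(f"expires in {(expires - now).days} days: rotate now")
        broad = sorted(BROAD_ROLES & {r["name"] for r in cred.get("roles", [])})
        if broad:
            findings.append("broad role(s): " + ", ".join(broad))
        if findings:
            report[cred["name"]] = findings
    return report


# Constructed inventory (hypothetical names), one project, four credentials.
SAMPLE = [
    {"name": "deploy-pipeline", "project_id": "prod",
     "expires_at": "2025-03-10T00:00:00.000000",
     "roles": [{"name": "compute"}, {"name": "image"}]},
    {"name": "monitoring", "project_id": "prod",
     "expires_at": None, "roles": [{"name": "reader"}]},
    {"name": "legacy-backup", "project_id": "prod",
     "expires_at": "2025-06-01T00:00:00.000000", "roles": [{"name": "admin"}]},
    {"name": "k8s-volumes", "project_id": "prod",
     "expires_at": "2025-09-01T00:00:00.000000", "roles": [{"name": "member"}]},
]

if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for name, findings in audit(SAMPLE, now).items():
        print(f"{name}: {'; '.join(findings)}")
```

A credential flagged for rotation is handled with the create, switch, revoke sequence described above, so the old and new credentials overlap during the transition.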

Summary

  • An application credential is a scoped token that lets applications authenticate to cloud APIs without using your user password
  • Each credential is limited to a specific project and can be restricted to certain roles
  • Credentials can have expiration dates and can be revoked individually
  • Use application credentials for CI/CD pipelines, monitoring tools, backup scripts, and any automated cloud access
  • Compromised credentials can be revoked without affecting your main account or other credentials

Related Terms

OpenStack API

The OpenStack API is a collection of RESTful HTTP interfaces that allow applications and tools to programmatically manage cloud resources including instances, networks, storage, and identity services.
