Authentication

Web interface

The web interface is authenticated using SWAMID SSO (Seamless Access). You can log in using your SWAMID account, or you can create a new eduID account if your institution is not a member of SWAMID. Once you are logged in, you can see all projects you have access to. You can switch between projects using the project selector in the top left corner.

Project selector

If you have a lot of projects, you may need to set the current active project by going to Identity -> Projects, searching for the relevant project and clicking the "Set active" button.

Project menu

API

The API is authenticated using API keys. You can create an API key by going to Identity -> Application Credentials and clicking the "Create Application Credential" button.

App Credentials

These credentials can be downloaded either as an OpenStack RC file or as a clouds.yaml file, both of which can be used to authenticate using the OpenStack CLI or SDKs.

The Application Credential is scoped to a user and a project, so you can create multiple credentials for different projects if you have access to multiple projects.

NOTE: While the credentials are tied to a specific user, they are not automatically revoked when the user is removed from the project. This means that if you create an API key for a project and then remove yourself from that project, the API key will still be valid until it is manually revoked. This is by design, and allows users to create API keys that can be used by applications or scripts that need to access the project even if the user is no longer a member of the project.

The alternative is to use a shared service account to create API keys that are not tied to a specific user. This is not recommended, as it can lead to security issues: if any user with access to the service account leaves the project, all credentials created by the service account will need to be revoked, as opposed to only the credentials created by that user. Depending on your use case, you may or may not want to revoke all keys created by a user when they are removed from a project, and using tokens scoped to a user will allow you to do that in a cleaner way than a shared account.

S3

You can access credentials for use with S3 by going to Project -> API Access and clicking the "View Credentials" button. This will show you the S3 access key and secret key that you can use to access the S3 API. These credentials are tied to your user account and the project you are currently active in, so if you switch to a different project you will see different credentials.

API Access

Optionally you can also create credentials for use with S3 using Application Credentials with the openstack CLI or SDKs, but these credentials will not be visible in the web interface and will need to be managed using the CLI or SDKs.

openstack ec2 credentials list
openstack ec2 credentials create
openstack ec2 credentials delete <access_key>

NOTE: When using either the CLI or the web interface, you will see all credentials for all projects you have access to.

However, when creating credentials using either the CLI or the web interface, the credentials will be created for the project used when creating the Application Credential (or the currently active project for the web interface). If you want to create credentials for a specific project, you will need to switch to that project before creating the Application Credential. Please take note of this when creating credentials, as it can lead to confusion if you have access to multiple projects and are not careful when switching between them.

Security Considerations

As credentials are not automatically revoked when a user is removed from a project, it is important to keep track of which credentials are active and revoke any credentials that are no longer needed or that may have been compromised. This is especially important for credentials that are used by applications or scripts, as these can be easily forgotten and left active even after they are no longer needed.
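
One way to do this tracking, as an added example that is not part of the Sunet documentation: cross-check the saved output of `openstack project list -f json`, `openstack application credential list -f json` and `openstack ec2 credentials list -f json`, and report credentials whose project you are no longer in or that never expire. The JSON column names, the use of the project list as the membership source, the sample records and the function name `audit_credentials` are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample data shaped like `-f json` CLI output. Column names are
# assumed from python-openstackclient; every ID, name and key is made up.
PROJECTS = json.loads('[{"ID": "p-alpha", "Name": "alpha"}]')
APP_CREDS = json.loads("""[
 {"ID": "ac-1", "Name": "backup-job", "Project ID": "p-alpha", "Expires At": null},
 {"ID": "ac-2", "Name": "old-ci", "Project ID": "p-beta", "Expires At": null},
 {"ID": "ac-3", "Name": "migration", "Project ID": "p-alpha",
  "Expires At": "2024-01-31T00:00:00.000000"}]""")
EC2_CREDS = json.loads("""[
 {"Access": "AK-EXAMPLE-1", "Secret": "s3cr3t-1", "Project ID": "p-alpha", "User ID": "u-1"},
 {"Access": "AK-EXAMPLE-2", "Secret": "s3cr3t-2", "Project ID": "p-beta", "User ID": "u-1"}]""")

ORPHANED = "orphaned: project is not in your current project list"
NO_EXPIRY = "no expiry: valid until manually revoked"
EXPIRED = "expiry date has passed: candidate for deletion"

def audit_credentials(projects, app_creds, ec2_creds, now):
    """Return (kind, identifier, project_id, finding) tuples, never a secret."""
    member_of = {p["ID"] for p in projects}
    findings = []
    for cred in app_creds:
        pid, expires = cred["Project ID"], cred.get("Expires At")
        if pid not in member_of:
            reason = ORPHANED
        elif not expires:
            reason = NO_EXPIRY
        else:
            # Assumption: timestamps carry no offset and are UTC.
            when = datetime.fromisoformat(expires.rstrip("Z")).replace(tzinfo=timezone.utc)
            reason = EXPIRED if when <= now else None
        if reason:
            findings.append(("application credential", cred["ID"], pid, reason))
    for cred in ec2_creds:
        # EC2/S3 keys are reported by access key only; "Secret" is never copied.
        if cred["Project ID"] not in member_of:
            findings.append(("ec2 credential", cred["Access"], cred["Project ID"], ORPHANED))
    return findings

if __name__ == "__main__":
    for finding in audit_credentials(PROJECTS, APP_CREDS, EC2_CREDS,
                                     datetime.now(timezone.utc)):
        print(" | ".join(finding))
```

Run against real output, each reported identifier is a candidate for review and, where no longer needed, for manual revocation.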

If you suspect that a credential has been compromised, or there is a security incident, please contact the support team immediately so that we can investigate and take appropriate action to mitigate any potential damage.

Sunet staff will never ask you for any secrets, so if you receive any requests for your credentials, please report it to the support team immediately.