Verify the Identity Service installation To verify that the Identity Service is installed and configured correctly, clear the values in the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables: $ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT These variables, which were used to bootstrap the administrative user and register the Identity Service, are no longer needed. You can now use regular user name-based authentication. Request a authentication token by using the admin user and the password you chose for that user: $ keystone --os-username=admin --os-password=ADMIN_PASS \ --os-auth-url=http://controller:35357/v2.0 token-get In response, you receive a token paired with your user ID. This verifies that the Identity Service is running on the expected endpoint and that your user account is established with the expected credentials. Verify that authorization behaves as expected. To do so, request authorization on a tenant: $ keystone --os-username=admin --os-password=ADMIN_PASS \ --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 \ token-get In response, you receive a token that includes the ID of the tenant that you specified. This verifies that your user account has an explicitly defined role on the specified tenant and the tenant exists as expected. You can also set your --os-* variables in your environment to simplify command-line usage. Set up a admin-openrc.sh file with the admin credentials and admin endpoint: export OS_USERNAME=admin export OS_PASSWORD=ADMIN_PASS export OS_TENANT_NAME=admin export OS_AUTH_URL=http://controller:35357/v2.0 Source this file to read in the environment variables: $ source admin-openrc.sh Verify that your admin-openrc.sh file is configured correctly. Run the same command without the --os-* arguments: $ keystone token-get The command returns a token and the ID of the specified tenant. This verifies that you have configured your environment variables correctly. Verify that your admin account has authorization to perform administrative commands: $ keystone user-list +----------------------------------+-------+---------+-------------------+ | id | name | enabled | email | +----------------------------------+-------+---------+-------------------+ | afea5bde3be9413dbd60e479fddf9228 | admin | True | admin@example.com | | 32aca1f9a47540c29d6988091f76c934 | demo | True | demo@example.com | +----------------------------------+-------+---------+-------------------+ $ keystone user-role-list --user admin --tenant admin +----------------------------------+----------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+----------+----------------------------------+----------------------------------+ | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 | | 5d3b60b66f1f438b80eaae41a77b5951 | admin | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 | +----------------------------------+----------+----------------------------------+----------------------------------+ Seeing that the id in the output from the keystone user-list command matches the user_id in the keystone user-role-list command, and that the admin role is listed for that user, for the related tenant, this verifies that your user account has the admin role, which matches the role used in the Identity Service policy.json file. As long as you define your credentials and the Identity Service endpoint through the command line or environment variables, you can run all OpenStack client commands from any machine. For details, see .