The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient. The keystone client is the command-line interface (CLI) for the OpenStack Identity API and its extensions. This chapter documents keystone version 1.7.1. For help on a specific keystone command, enter: $ keystone help COMMAND

usage: keystone [--version] [--debug] [--os-username <auth-user-name>] [--os-password <auth-password>] [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>] [--os-region-name <region-name>] [--os-identity-api-version <identity-api-version>] [--os-token <service-token>] [--os-endpoint <service-endpoint>] [--os-cache] [--force-new-token] [--stale-duration <seconds>] [--insecure] [--os-cacert <ca-certificate>] [--os-cert <certificate>] [--os-key <key>] [--timeout <seconds>] <subcommand> ... catalog List service catalog, possibly filtered by service. ec2-credentials-create Create EC2-compatible credentials for user per tenant. ec2-credentials-delete Delete EC2-compatible credentials. ec2-credentials-get Display EC2-compatible credentials. ec2-credentials-list List EC2-compatible credentials for a user. endpoint-create Create a new endpoint associated with a service. endpoint-delete Delete a service endpoint. endpoint-get Find endpoint filtered by a specific attribute or service type. endpoint-list List configured service endpoints. password-update Update own password. role-create Create new role. role-delete Delete role. role-get Display role details. role-list List all roles. service-create Add service to Service Catalog. service-delete Delete service from Service Catalog. service-get Display service from Service Catalog. service-list List all services in Service Catalog. tenant-create Create new tenant. tenant-delete Delete tenant. tenant-get Display tenant details. tenant-list List all tenants. tenant-update Update tenant name, description, enabled status. token-get Display the current user token. user-create Create new user. user-delete Delete user. user-get Display user details. user-list List users. user-password-update Update user password. user-role-add Add role to user. user-role-list List roles granted to a user. user-role-remove Remove role from user. user-update Update user's name, email, and enabled status. discover Discover Keystone servers, supported API versions and extensions. bootstrap Grants a new role to a new user on a new tenant, after creating each. bash-completion Prints all of the commands and options to stdout. help Display help about this program or one of its subcommands.

--version Shows the client version and exits. --debug Prints debugging output onto the console, this includes the curl request and response calls. Helpful for debugging and understanding the API calls. --os-username <auth-user-name> Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME]. --os-password <auth-password> Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD]. --os-tenant-name <auth-tenant-name> Tenant to request authorization on. Defaults to env[OS_TENANT_NAME]. --os-tenant-id <tenant-id> Tenant to request authorization on. Defaults to env[OS_TENANT_ID]. --os-auth-url <auth-url> Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL]. --os-region-name <region-name> Specify the region to use. Defaults to env[OS_REGION_NAME]. --os-identity-api-version <identity-api-version> Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 2.0. --os-token <service-token> Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN]. --os-endpoint <service-endpoint> Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT]. --os-cache Use the auth token cache. Defaults to env[OS_CACHE]. --force-new-token If the keyring is available and in use, token will always be stored and fetched from the keyring until the token has expired. Use this option to request a new token and replace the existing one in the keyring. --stale-duration <seconds> Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds. --insecure Explicitly allow client to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution. --os-cacert <ca-certificate> Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT]. --os-cert <certificate> Defaults to env[OS_CERT]. --os-key <key> Defaults to env[OS_KEY]. --timeout <seconds> Set request timeout (in seconds).

usage: keystone bootstrap [--user-name <user-name>] --pass <password> [--role-name <role-name>] [--tenant-name <tenant-name>] Grants a new role to a new user on a new tenant, after creating each. --user-name <user-name> The name of the user to be created (default="admin"). --pass <password> The password for the new user. --role-name <role-name> The name of the role to be created and granted to the user (default="admin"). --tenant-name <tenant-name> The name of the tenant to be created (default="admin").

usage: keystone catalog [--service <service-type>] List service catalog, possibly filtered by service. --service <service-type> Service type to return.

usage: keystone discover Discover Keystone servers, supported API versions and extensions.

usage: keystone ec2-credentials-create [--user-id <user-id>] [--tenant-id <tenant-id>] Create EC2-compatible credentials for user per tenant. --user-id <user-id> User ID for which to create credentials. If not specified, the authenticated user will be used. --tenant-id <tenant-id> Tenant ID for which to create credentials. If not specified, the authenticated tenant ID will be used.

usage: keystone ec2-credentials-delete [--user-id <user-id>] --access <access-key> Delete EC2-compatible credentials. --user-id <user-id> User ID. --access <access-key> Access Key.

usage: keystone ec2-credentials-get [--user-id <user-id>] --access <access-key> Display EC2-compatible credentials. --user-id <user-id> User ID. --access <access-key> Access Key.

usage: keystone ec2-credentials-list [--user-id <user-id>] List EC2-compatible credentials for a user. --user-id <user-id> User ID.

usage: keystone endpoint-create [--region <endpoint-region>] --service <service> --publicurl <public-url> [--adminurl <admin-url>] [--internalurl <internal-url>] Create a new endpoint associated with a service. --region <endpoint-region> Endpoint region. --service <service>, --service-id <service>, --service_id <service> Name or ID of service associated with endpoint. --publicurl <public-url> Public URL endpoint. --adminurl <admin-url> Admin URL endpoint. --internalurl <internal-url> Internal URL endpoint.

usage: keystone endpoint-delete <endpoint-id> Delete a service endpoint. <endpoint-id> ID of endpoint to delete.

usage: keystone endpoint-get --service <service-type> [--endpoint-type <endpoint-type>] [--attr <service-attribute>] [--value <value>] Find endpoint filtered by a specific attribute or service type. --service <service-type> Service type to select. --endpoint-type <endpoint-type> Endpoint type to select. --attr <service-attribute> Service attribute to match for selection. --value <value> Value of attribute to match.

usage: keystone endpoint-list List configured service endpoints.

usage: keystone password-update [--current-password <current-password>] [--new-password <new-password>] Update own password. --current-password <current-password> Current password, Defaults to the password as set by --os-password or env[OS_PASSWORD]. --new-password <new-password> Desired new password.

usage: keystone role-create --name <role-name> Create new role. --name <role-name> Name of new role.

usage: keystone role-delete <role> Delete role. <role> Name or ID of role to delete.

usage: keystone role-get <role> Display role details. <role> Name or ID of role to display.

usage: keystone role-list List all roles.

usage: keystone service-create --type <type> [--name <name>] [--description <service-description>] Add service to Service Catalog. --type <type> Service type (one of: identity, compute, network, image, object-store, or other service identifier string). --name <name> Name of new service (must be unique). --description <service-description> Description of service.

usage: keystone service-delete <service> Delete service from Service Catalog. <service> Name or ID of service to delete.

usage: keystone service-get <service> Display service from Service Catalog. <service> Name or ID of service to display.

usage: keystone service-list List all services in Service Catalog.

usage: keystone tenant-create --name <tenant-name> [--description <tenant-description>] [--enabled <true|false>] Create new tenant. --name <tenant-name> New tenant name (must be unique). --description <tenant-description> Description of new tenant. Default is none. --enabled <true|false> Initial tenant enabled status. Default is true.

usage: keystone tenant-delete <tenant> Delete tenant. <tenant> Name or ID of tenant to delete.

usage: keystone tenant-get <tenant> Display tenant details. <tenant> Name or ID of tenant to display.

usage: keystone tenant-list List all tenants.

usage: keystone tenant-update [--name <tenant_name>] [--description <tenant-description>] [--enabled <true|false>] <tenant> Update tenant name, description, enabled status. --name <tenant_name> Desired new name of tenant. --description <tenant-description> Desired new description of tenant. --enabled <true|false> Enable or disable tenant. <tenant> Name or ID of tenant to update.

usage: keystone token-get [--wrap <integer>] Display the current user token. --wrap <integer> Wrap PKI tokens to a specified length, or 0 to disable.

usage: keystone user-create --name <user-name> [--tenant <tenant>] [--pass [<pass>]] [--email <email>] [--enabled <true|false>] Create new user. --name <user-name> New user name (must be unique). --tenant <tenant>, --tenant-id <tenant> New user default tenant. --pass [<pass>] New user password; required for some auth backends. --email <email> New user email address. --enabled <true|false> Initial user enabled status. Default is true.

usage: keystone user-delete <user> Delete user. <user> Name or ID of user to delete.

usage: keystone user-get <user> Display user details. <user> Name or ID of user to display.

usage: keystone user-list [--tenant <tenant>] List users. --tenant <tenant>, --tenant-id <tenant> Tenant; lists all users if not specified.

usage: keystone user-password-update [--pass <password>] <user> Update user password. --pass <password> Desired new password. <user> Name or ID of user to update password.

usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>] Add role to user. --user <user>, --user-id <user>, --user_id <user> Name or ID of user. --role <role>, --role-id <role>, --role_id <role> Name or ID of role. --tenant <tenant>, --tenant-id <tenant> Name or ID of tenant.

usage: keystone user-role-list [--user <user>] [--tenant <tenant>] List roles granted to a user. --user <user>, --user-id <user> List roles granted to specified user. --tenant <tenant>, --tenant-id <tenant> List only roles granted on specified tenant.

usage: keystone user-role-remove --user <user> --role <role> [--tenant <tenant>] Remove role from user. --user <user>, --user-id <user>, --user_id <user> Name or ID of user. --role <role>, --role-id <role>, --role_id <role> Name or ID of role. --tenant <tenant>, --tenant-id <tenant> Name or ID of tenant.

usage: keystone user-update [--name <user-name>] [--email <email>] [--enabled <true|false>] <user> Update user's name, email, and enabled status. --name <user-name> Desired new user name. --email <email> Desired new email address. --enabled <true|false> Enable or disable user. <user> Name or ID of user to update.