OpenStack API credentials
servers.com allows you to manage your cloud servers and storage via OpenStack API. This article describes how to get started with OpenStack API and avoid exceeding OpenStack rate limits.
Get Keystone credentials
Keystone is an OpenStack component responsible for authentication and authorization within the cloud platform. When using OpenStack API, you'll need to authorize via Keystone using its credentials. servers.com uses Keystone v3.
To get credentials, go to Cloud Storage → Create & Manage, select Region and get parameters from the Access credentials section. Credentials are valid within a single cloud region.
You will need the following variables:
- API URL (e.g., https://<keystone_host>:5000/v3)
- Username (e.g., OS_USERNAME)
- Tenant name (e.g., OS_PROJECT_NAME / OS_TENANT_NAME)
- Password (e.g., OS_PASSWORD)
Additional parameters that are not shown in the Access credentials section but are required in Keystone, include:
- User domain (e.g. OS_USER_DOMAIN_NAME) - set the "default" value
- Project domain (e.g. OS_PROJECT_DOMAIN_NAME) - set the "default" value
Get Keystone token
Authentication into Keystone is performed via getting a token that allows you to perform actions within OpenStack. A token is requested by an API request that has the following structure:
Method: POST
Endpoint: <OS_AUTH_URL>/v3/auth
Request headers: Content-Type: application/json
Request body:
{
"auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "<User name>",
"domain": { "name": "default" },
"password": "<Password>"
}
}
},
"scope": {
"project": {,
"name": "<Tenant name>",
"domain": { "name": "default" }
}
}
}
}There are several methods and tools you can use to get a token. These include:
cURL request
You can generate a token using cURL. This involves making a POST request to the specific API endpoint obtained from the Keystone credentials. Here is an example:
curl -i -X POST \
-H "Content-Type: application/json" \
-d '{
"auth": {
"identity": {
"methods": ["password"],
"password": {
"user": {
"name": "<User name>",
"domain": { "name": "default" },
"password": "<Password>"
}
}
},
"scope": {
"project": {
"name": "<Tenant name>",
"domain": { "name": "default" }
}
}
}
}' \
https://<keystone_host>:5000/v3/auth/tokensOnce you've made a successful request, you will get a response with a Fernet token in the X-Subject-Token header. You will also see its expiration time in the expires_at parameter.
OpenStack SDK (Python)
OpenStack SDK automatically retrieves and renews a token. To set set it up, go through the following steps:
-
Install the library:
pip install openstacksdk -
Create a
clouds.yamlfile with the following content:clouds: mycloud: auth: auth_url: https://<keystone_host>:5000/v3 username: <User name> password: <Password> project_name: <Tenant name> user_domain_name: default project_domain_name: default region_name: <region_name> interface: publicYou can find the region name in the customer portal: Cloud storage → Access credentials → Shell variables → OS_REGION_NAME value.
-
To create a connection with OpenStack, insert the following lines into your Python code:
from openstack import connection conn = connection.Connection(cloud='mycloud')
OpenStack client (CLI)
To get a token via the OpenStack client, do the following:
- In the customer portal, go to Cloud Storage → Create & Manage, select Region → Access credentials section → Shell variables and click Show.
- Create the
openrc.shfile and insert variables you got on the previous step:export OS_AUTH_URL=https://auth.servers.%location_id%.cloud.servers.com:5000/v3/ export OS_IMAGE_URL=https://images.servers.%location_id%.cloud.servers.com:9292 export OS_TENANT_NAME=XXX export OS_USERNAME=YYY export OS_PASSWORD=ZZZ export OS_IDENTITY_API_VERSION=3 export OS_DEFAULT_DOMAIN_NAME=default -
Load the environment variables by performing this command in the terminal:
source openrc.sh -
Make any OpenStack command to make sure it works, for example:
openstack server list
Limitations
servers.com OpenStack platform has the following limitations:
- servers.com OpenStack uses v3 Keystone, other versions are not supported
- A token is valid for 24 hours
- There are rate limits for Keystone authentication, refer to the Rate limits section to optimize your requests consumption
Token recommendations
Please follow the following recommendations to ensure secure token usage:
- The token should be stored securely in a protected variable or configuration
- It is forbidden to log the token or store it in version control systems
- Applications should monitor token expiration and refresh it in advance
- Do not store passwords and tokens in plain text
- Use secure storage solutions (e.g., HashiCorp Vault, AWS Secrets Manager)
Rate limits
For security reasons, servers.com imposes limits on the number of authentication requests that you can make in Keystone. Use our recommendations to prevent request overuse:
- Token reusage:
- Don't request a new token for every action
- Use one token until it expires
- Token caching:
- In the code, the token refresh process starts 1 hour before expiration
- If a token is used every minute in parallel processes, requests made 5 minutes before expiration will reliably refresh the token
- The optimal refresh interval is every 12 hours (half the token lifetime)
- Limiting parallel authentication requests: use a shared token in multi-threaded processes instead of having a separate token for each thread
- Handling rate-limiting errors: implement an exponential backoff mechanism in case of the 429 error "Too many requests"
Share
Suggested Articles
- Cloud servers
- Cloud server volumes
- DNS
- Cloud storage
- Customer portal
- Dedicated servers
- Firewall
- Forex VPS
- How it works
- Kubernetes clusters
- L2 segments
- Load balancing
- Remote block storage
- Scalable bare metal
- VPN to GPN
