Configuring OpenStack EC2 credentials

The credentials that the Amazon S3 and Elastic Compute Cloud (EC2) APIs use are different from the credentials that the OpenStack API uses. So, you must generate these special credentials and use them when you access the IBM Storage Scale OpenStack services.

The credentials are created by the openstack command, a command-line client for OpenStack that allows the creation and use of access key and secret key pairs for a user and project pair. When you use the command, you must create an access key and secret key pair for each user and project pair:
  1. Source openrc with the administrative credentials.
  2. Create an EC2 credential, with a user-defined blob as the credential, by running this command:
    openstack credential create --type ec2 --project <project> <user> '{"access": "<aws_access_key>", "secret": "<aws_secret_key>"}'
    Note: Make sure that you use Keystone UUIDs rather than names if duplicate user or project names might exist across domains. Additionally, the administrative users must be able to list and delete the access and secret pairs for a specific user or project.

    You can set <aws_access_key> and <aws_secret_key> to any value. These values are supplied to the S3 client, where they are typically set as the S3 access and secret values, and the client uses them when it connects to Object storage. The S3 layer in OpenStack uses these values to look up the user and project that are associated with the EC2 credential.

  3. View all EC2 credentials by running these commands:
    
    openstack credential list
    openstack credential show <credential-id>
    
  4. You can change your Access Key ID and Secret Access Key if necessary.
    Note: You might want to consider a regular rotation of these keys and switching applications to use the new pair.
    Change the EC2 credentials by running this command:
    openstack credential set --type ec2 --data '{"access": "<access>", "secret": "<secret>"}' --project <project> <credential-id>
    
  5. Delete the EC2 credentials by running this command:
    openstack credential delete <credential-id>

The following example shows the creation of EC2 credentials that link the S3 credentials "s3user" and "s3pass" to the Keystone user "admin" that is in the project "build":
    source /root/openrc
    openstack credential create --type ec2 --project build admin '{"access": "s3user", "secret": "s3pass"}'

Now you can connect to the IBM Storage Scale Object store by using the Amazon S3 API. You can connect with any S3-enabled client by using the access key "s3user" and the secret "s3pass".
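
Because the access and secret values can be set to anything, a deployment should not reuse guessable values such as "s3user" and "s3pass". The following added example, which is not part of the original documentation, generates random key material, validates it before it is placed in the JSON blob, and runs the same create command; the function names, key lengths, and the OPENSTACK and SECRET_DIR variables are assumptions.

```shell
#!/bin/sh
# Added example, not IBM or OpenStack code. Function names, key lengths and
# the OPENSTACK and SECRET_DIR variables are assumptions.
OPENSTACK="${OPENSTACK:-openstack}"   # set OPENSTACK=echo for a dry run
SECRET_DIR="${SECRET_DIR:-.}"         # directory that receives the secret file

# rand_hex <bytes>: print 2*<bytes> hex characters read from /dev/urandom.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# ec2_blob <access> <secret>: print the JSON blob for a --type ec2 credential.
# The blob is assembled by hand, so empty values and any character outside
# [A-Za-z0-9_-] (for example a double quote) are rejected rather than escaped.
ec2_blob() {
    for v in "$1" "$2"; do
        case "$v" in
            ''|*[!A-Za-z0-9_-]*) echo "invalid key material" >&2; return 1 ;;
        esac
    done
    printf '{"access": "%s", "secret": "%s"}' "$1" "$2"
}

# new_ec2_credential <project-uuid> <user-uuid>
# Assumes openrc has been sourced. Prints only the new access key; the secret
# is written to a file that is readable by the calling user alone.
new_ec2_credential() {
    access="$(rand_hex 10)"   # 20 hex characters
    secret="$(rand_hex 20)"   # 40 hex characters
    blob="$(ec2_blob "$access" "$secret")" || return 1
    "$OPENSTACK" credential create --type ec2 --project "$1" "$2" "$blob" \
        >/dev/null || return 1
    ( umask 077; printf '%s\n' "$secret" > "$SECRET_DIR/ec2-secret-$access" ) \
        || return 1
    printf '%s\n' "$access"
}
```

Call `new_ec2_credential <project-uuid> <user-uuid>` after sourcing openrc, then give the S3 client the printed access key together with the contents of the matching `ec2-secret-<access>` file.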