Create application credentials as OpenStack admin for federated users

Single user

# Keystone token of the federated user. It is a bearer credential, so it belongs
# in the environment or a secret store rather than in docs or shell history; the
# value below is a truncated placeholder (note the trailing "..."), not a token.
OS_TOKEN='gAAAAABjtUl_4LZr3iNqI7dOoBYMw-...'
export OS_TOKEN
 
# cat ~/.config/openstack/clouds.yaml
clouds:
  dev-admin-token:
    auth:
      auth_url: https://keystone.service.example.com/v3
    region_name: "eu-south"
    interface: "public"
    identity_api_version: 3
    project_domain_name: "my-foo"
    project_name: "foo"
    auth_type: "v3token"
 
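# Create the application credential through the `dev-admin-token` profile from
# the clouds.yaml above. OS_AC_NAME is not defined anywhere in this section, so
# the :? guard stops with a message instead of running the command with an empty
# name. --unrestricted lets the resulting credential create further application
# credentials and trusts; drop it unless the consumer really needs that.
OS_AC=$(openstack application credential create "${OS_AC_NAME:?set OS_AC_NAME (credential name) first}" --unrestricted --os-cloud dev-admin-token -f json)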

Multiple users

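# Environment / tenant selection for the Keycloak -> Keystone federation setup.
export OS_ENV=dev

export RESELLER="foo"   # Keycloak realm that holds the federated users
export KEYCLOAK_ADMIN_URL="https://keycloak.${OS_ENV}.example.com"
export KEYCLOAK_ADMIN_USER="keycloak"
# Keystone's OIDC client id in that realm; it is also the Keystone hostname.
export KEYSTONE_SP_ID="keystone.service.${OS_ENV}.example.com"

# The admin password is read from the properties file and deliberately NOT
# exported: only this shell expands it (see the curl call below), and an
# exported copy would be inherited by every child process started afterwards.
KEYCLOAK_ADMIN_PASSWORD=$(grep keycloak_password /etc/keycloak/keycloak-client.properties | cut -d" " -f3)
[[ -n $KEYCLOAK_ADMIN_PASSWORD ]] \
  || { printf 'keycloak_password not found in /etc/keycloak/keycloak-client.properties\n' >&2; exit 1; }

# Password grant against the master realm. --data-urlencode encodes each value
# (a password containing '&', '+' or '%' would otherwise corrupt the form body)
# and the password is fed on stdin ("password@-"), so it never appears on curl's
# argv, which any local user can read via ps. `// empty` maps a missing token to
# "" so the check fires instead of carrying the literal string "null" onward.
ADMIN_TOKEN=$(printf '%s' "$KEYCLOAK_ADMIN_PASSWORD" \
  | curl -s \
      --data-urlencode "client_id=admin-cli" \
      --data-urlencode "username=$KEYCLOAK_ADMIN_USER" \
      --data-urlencode "password@-" \
      --data-urlencode "grant_type=password" \
      "$KEYCLOAK_ADMIN_URL/auth/realms/master/protocol/openid-connect/token" \
  | jq -r '.access_token // empty')
[[ -n $ADMIN_TOKEN ]] || { printf 'Keycloak admin login failed\n' >&2; exit 1; }

# Look up Keystone's OIDC client and its secret through the admin REST API.
# The bearer token reaches curl on stdin (-H @-) rather than on argv, and the
# query parameters are encoded by curl (-G --data-urlencode) instead of being
# spliced into the URL.
KEYSTONE_CLIENT_ID=$(printf 'Authorization: Bearer %s\n' "$ADMIN_TOKEN" \
  | curl -s -H @- -G \
      --data-urlencode "clientId=$KEYSTONE_SP_ID" \
      --data-urlencode "viewableOnly=true" \
      "$KEYCLOAK_ADMIN_URL/auth/admin/realms/$RESELLER/clients" \
  | jq -r '.[0].id // empty')
[[ -n $KEYSTONE_CLIENT_ID ]] \
  || { printf 'client %s not found in realm %s\n' "$KEYSTONE_SP_ID" "$RESELLER" >&2; exit 1; }

KEYSTONE_CLIENT_SECRET=$(printf 'Authorization: Bearer %s\n' "$ADMIN_TOKEN" \
  | curl -s -H @- \
      "$KEYCLOAK_ADMIN_URL/auth/admin/realms/$RESELLER/clients/$KEYSTONE_CLIENT_ID/client-secret" \
  | jq -r '.value // empty')
[[ -n $KEYSTONE_CLIENT_SECRET ]] \
  || { printf 'could not read client secret for %s\n' "$KEYSTONE_SP_ID" >&2; exit 1; }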
 
 
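# Per-user parameters. The login name may be overridden from the environment
# (the example default "foo" is kept). The password is never hardcoded here: it
# is taken from the environment or, when stdin is a terminal, prompted for
# without echo. A plaintext password in a script ends up in git, backups and
# every copy of the runbook.
KEYCLOAK_USER_NAME=${KEYCLOAK_USER_NAME:-foo}
if [[ -z ${KEYCLOAK_USER_PASSWORD:-} && -t 0 ]]; then
  read -rs -p "Keycloak password for ${KEYCLOAK_USER_NAME}: " KEYCLOAK_USER_PASSWORD
  printf '\n'
fi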
 
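# Password grant for the federated user against the Keystone OIDC client.
# jq builds the x-www-form-urlencoded body (@uri encodes every field, including
# the space-separated scope, which a raw -d would send unencoded) and curl reads
# it from stdin (-d @-). The client secret and the user password reach jq via
# its environment, so neither appears on any command line visible in ps.
KEYCLOAK_KEYSTONE_SCOPED_TOKEN=$(
  OIDC_CLIENT_ID="$KEYSTONE_SP_ID" OIDC_CLIENT_SECRET="$KEYSTONE_CLIENT_SECRET" \
  OIDC_USER="$KEYCLOAK_USER_NAME" OIDC_PASSWORD="$KEYCLOAK_USER_PASSWORD" \
    jq -nr '@uri "client_id=\($ENV.OIDC_CLIENT_ID)&client_secret=\($ENV.OIDC_CLIENT_SECRET)&username=\($ENV.OIDC_USER)&password=\($ENV.OIDC_PASSWORD)&grant_type=password&scope=\("openid email profile")"' \
  | curl -s -d @- "$KEYCLOAK_ADMIN_URL/auth/realms/$RESELLER/protocol/openid-connect/token" \
  | jq -r '.access_token // empty'
)
[[ -n $KEYCLOAK_KEYSTONE_SCOPED_TOKEN ]] \
  || { printf 'Keycloak login for %s failed\n' "$KEYCLOAK_USER_NAME" >&2; exit 1; }

# Exchange the OIDC access token for a Keystone token. Keystone returns it in the
# X-Subject-Token response header, so only the headers are kept (-D - with the
# body sent to /dev/null). Note that -D takes a filename: the earlier
# `-D -x-suebject-token` silently wrote the headers to a file of that name in
# the current directory. The header match is case-insensitive because HTTP/2
# and some proxies lower-case header names. The bearer token again goes to curl
# on stdin (-H @-), not on argv.
OS_TOKEN=$(printf 'Authorization: Bearer %s\n' "$KEYCLOAK_KEYSTONE_SCOPED_TOKEN" \
  | curl -g -s -X POST -D - -o /dev/null -H @- \
      "https://$KEYSTONE_SP_ID/v3/OS-FEDERATION/identity_providers/my-foo/protocols/openid/auth" \
  | grep -i '^x-subject-token:' | cut -d" " -f2 | tr -d '\r')
[[ -n $OS_TOKEN ]] \
  || { printf 'Keystone federated auth returned no X-Subject-Token\n' >&2; exit 1; }
export OS_TOKEN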
 
# Keystone endpoint and project scoping for the openstack CLI, using token
# authentication (OS_TOKEN) for the federated user.
OS_AUTH_URL="https://keystone.service.${OS_ENV}.example.com/v3"
OS_REGION_NAME=eu-south
OS_INTERFACE=public
OS_IDENTITY_API_VERSION=3
OS_PROJECT_DOMAIN_NAME=foo
OS_PROJECT_NAME=bar
OS_AUTH_TYPE=v3token
export OS_AUTH_URL OS_REGION_NAME OS_INTERFACE OS_IDENTITY_API_VERSION \
  OS_PROJECT_DOMAIN_NAME OS_PROJECT_NAME OS_AUTH_TYPE
 
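# One application credential per environment and user.
OS_AC_NAME="my-${OS_ENV}-${KEYCLOAK_USER_NAME}-ac"

# --unrestricted lets the credential create further application credentials and
# trusts, i.e. mint new long-lived credentials for this user; keep the flag only
# if the consumer needs that, otherwise a restricted credential is the safer
# default. Failure of the CLI call aborts before an empty id/secret is written
# into the user's clouds.yaml.
OS_AC=$(openstack application credential create "${OS_AC_NAME}" --unrestricted -f json) \
  || { printf 'application credential create failed for %s\n' "$OS_AC_NAME" >&2; exit 1; }
OS_AC_ID=$(jq -r '.id // empty' <<<"$OS_AC")
OS_AC_SECRET=$(jq -r '.secret // empty' <<<"$OS_AC")
[[ -n $OS_AC_ID && -n $OS_AC_SECRET ]] \
  || { printf 'unexpected output from application credential create\n' >&2; exit 1; }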
 
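# Install the credential into the user's clouds.yaml and make it the CLI default.

# The login name becomes part of filesystem paths and the chown/su target, so
# refuse anything that is not a plain account name: this keeps '/', whitespace
# and shell metacharacters out of those commands.
[[ $KEYCLOAK_USER_NAME =~ ^[A-Za-z0-9_][A-Za-z0-9_.@-]*$ ]] \
  || { printf 'refusing unexpected user name: %s\n' "$KEYCLOAK_USER_NAME" >&2; exit 1; }
# Home directory from the account database instead of assuming /home/<name>;
# this also fails early when the account does not exist (chown/su would anyway).
user_home=$(getent passwd "$KEYCLOAK_USER_NAME" | cut -d: -f6)
[[ -n $user_home ]] || { printf 'no such account: %s\n' "$KEYCLOAK_USER_NAME" >&2; exit 1; }

cfg_dir="$user_home/.config/openstack"
clouds_yaml="$cfg_dir/clouds.yaml"

# clouds.yaml holds the application credential secret, so the directory and file
# are created with owner-only permissions (umask in a subshell keeps the caller's
# umask untouched). When the file already exists it is assumed to end inside the
# top-level `clouds:` mapping and only the new entry is appended; a plain `>>` of
# a second `clouds:` key gives duplicate top-level keys, of which a YAML parser
# keeps only one. auth_url follows OS_ENV like OS_AUTH_URL above rather than
# hardcoding "dev".
(
  umask 077
  mkdir -p -- "$cfg_dir"
  [[ -e $clouds_yaml ]] || printf 'clouds:\n' > "$clouds_yaml"
  cat >> "$clouds_yaml" <<EOF
  ${OS_AC_NAME}:
    auth:
      auth_url: https://keystone.service.${OS_ENV}.example.com/v3
      application_credential_id: "${OS_AC_ID}"
      application_credential_secret: "${OS_AC_SECRET}"
    region_name: "eu-south"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"
EOF
)
chmod 600 "$clouds_yaml"   # also tightens a pre-existing, wider-mode file
chown -R "${KEYCLOAK_USER_NAME}:" "$user_home/.config"

# Make the new cloud the default for the user's login shells. The grep guard
# keeps this idempotent, so repeated runs do not stack duplicate lines; the
# chown covers the case where .bashrc did not exist and was just created by root.
bashrc="$user_home/.bashrc"
grep -qxF -- "export OS_CLOUD=${OS_AC_NAME}" "$bashrc" 2>/dev/null \
  || printf 'export OS_CLOUD=%s\n' "$OS_AC_NAME" >> "$bashrc"
chown "${KEYCLOAK_USER_NAME}:" "$bashrc"

# optional: execute user postdeploy script
# The path is resolved against the target user's home here (a `~` inside -c
# would be expanded by whichever shell parses it) and the script is only run
# when it exists and is executable; printf %q keeps the path one argument for
# the login shell started by su.
postdeploy="$user_home/${OS_AC_NAME}-postdeploy.sh"
if [[ -x $postdeploy ]]; then
  su -l "$KEYCLOAK_USER_NAME" -c "$(printf '%q' "$postdeploy")"
fi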