Application credentials - Access Rules

Guide for managing access rules with application credentials

Overview

This guide will help you get started with how to create different access rules for various resources in OpenStack. The access rules are applied to application credentials and enables a way to set more fine-grained access control for applications to specific resources.

Good to know

Access rules are only applicable to application credentials and not to users of a project. As an example, a user can create an application credential that has read-only access to a specific container in Swift. This type of credentials can later be used by an application to read information from that container. The users within the project can still access all containers with read/write access, if they are a member of the swift operator role. The users also has access to other types of resources, such as virtual machines. If you want to completely separate user access from virtual machines and swift, you can opt-in for a separate swift project. Please see here for more information.

To see more information about the different user roles in our OpenStack, you can find it here.
For more information about application credentials, you find it here

Creating Acces Rules

Access rules are built by specifying the service. for instance Swift, the method to use, i.e type of access, for instance GET and the path to the resource, for example a container.
Rules can be specified in either JSON or YAML format. In this example we are going to use YAML.

Example 1: Read-only access to all objects in a specific container

Start by creating two empty containers. For this to work you need to have the swify operator role.
Go to “Project” > “Containers” and select Container with a plus sign. Name one container-ro and the other container-rw.

Navigate to “Identity” → “Application Credentials” in your project and select “Create Application Credential”.
In the box named “Access Rules” is where you can specify what kind of access and to which resource your application credential should have access to.

Note:
For this to work you will need to specify your project ID after AUTH_
The places of the slashes and asterisks are important.

- service: object-store
  method: GET
  path: /v1/AUTH_<project_id>/container-ro

- service: object-store
  method: GET
  path: /v1/AUTH_<project_id>/container-ro/**

- service: object-store
  method: HEAD
  path: /v1/AUTH_<project_id>/container-ro

- service: object-store
  method: HEAD
  path: /v1/AUTH_<project_id>/container-ro/**

With either openstack-cli or swift-cli, try listing all containers. This should give an Unauthorized failure as the access rules does not allow to list all containers.

$ openstack container list
Unauthorized (HTTP 401) (Request-ID: tx50f94f5e55d049ca8e10b-00694261a3)

When specifying the container directly it should work.

$ openstack container show container-ro
+----------------+---------------------------------------+
| Field          | Value                                 |
+----------------+---------------------------------------+
| account        | AUTH_<project id>                     |
| bytes_used     | 9                                     |
| container      | container-ro                          |
| object_count   | 1                                     |
| storage_policy | hdd3                                  |
+----------------+---------------------------------------+

Accessing objects in that container should also work.

$ openstack object show container-ro testfile
+----------------+---------------------------------------+
| Field          | Value                                 |
+----------------+---------------------------------------+
| account        | AUTH_<project id>                     |
| container      | container-ro                          |
| content-length | 9                                     |
| content-type   | application/octet-stream              |
| etag           | ee321721ddf85e01b4cff48b4fee3c08      |
| last-modified  | Tue, 16 Dec 2025 08:15:55 GMT         |
| object         | testfile                              |
| properties     | Orig-Filename='testfile'              |
+----------------+---------------------------------------+

Trying to upload a file is not permitted since the application credential only has read access to this container.

$ openstack object create container-ro testfile2
Unauthorized (HTTP 401) (Request-ID: tx4065d716470e4e40a2f94-00694268e0)

Example 2: Read-write access to all objects in a specific container

Create an additional application credential and add GET/HEAD/PUT with the path to your second container into the Access Rules box.

Note:
For this to work you will need to specify your project ID after AUTH_
The places of the slashes and asterisks are important.

- service: object-store
  method: GET
  path: /v1/AUTH_<project_id>/container-rw

- service: object-store
  method: GET
  path: /v1/AUTH_<project_id>/container-rw/**

- service: object-store
  method: HEAD
  path: /v1/AUTH_<project_id>/container-rw

- service: object-store
  method: HEAD
  path: /v1/AUTH_<project_id>/container-rw/**

- service: object-store
  method: PUT
  path: /v1/AUTH_<project_id>/container-rw/**

You should not be able to list all containers or the previously created container.

$ openstack container list
Unauthorized (HTTP 401) (Request-ID: tx4b6d3f10baa747148f20d-0069426bef)

$ openstack container show container-ro
Unauthorized (HTTP 401) (Request-ID: tx6e804dda54c5494eae5b5-0069426c0a

Your second container should be accessible.

$ openstack container show container-rw
+----------------+---------------------------------------+
| Field          | Value                                 |
+----------------+---------------------------------------+
| account        | AUTH_8852d8a469ac41ce9a8180ba0fa72595 |
| bytes_used     | 0                                     |
| container      | container-rw                          |
| object_count   | 0                                     |
| storage_policy | hdd3                                  |
+----------------+---------------------------------------+

You can now upload objects since the application credential has write access.

$ echo "some text" > testfile
$ openstack object create container-rw testfile
+----------+--------------+----------------------------------+
| object   | container    | etag                             |
+----------+--------------+----------------------------------+
| testfile | container-rw | ee321721ddf85e01b4cff48b4fee3c08 |
+----------+--------------+----------------------------------+

Show information on your newly created object.

$ openstack object show container-rw testfile
+----------------+---------------------------------------+
| Field          | Value                                 |
+----------------+---------------------------------------+
| account        | AUTH_<project id>                     |
| container      | container-rw                          |
| content-length | 9                                     |
| content-type   | application/octet-stream              |
| etag           | ee321721ddf85e01b4cff48b4fee3c08      |
| last-modified  | Wed, 17 Dec 2025 08:48:54 GMT         |
| object         | testfile                              |
+----------------+---------------------------------------+

Further reading

Openstack documentation on access rules can be found here

Last modified March 10, 2026: minor fixes (dd8e7cd)