When you work with multiple OpenStack clouds, you could be working across multiple projects, regions, and/or Keystone API versions within a given cloud. Additionally, you may have to maintain separate OpenStack RC files to store authentication credentials for each cloud.

This approach to managing multiple cloud environments in Platform9 Managed OpenStack has the following drawbacks:

  • Multiple OpenStack RC files must be maintained.
  • Plain-text passwords are stored in-line with non-sensitive authentication information.
  • Automation can be difficult when utilizing credentials from multiple files.

These problems can be resolved by using the openstack CLI command's ability to read authentication credentials from configuration files to authenticate and manage clouds.

Effectively Managing Multiple Clouds

You can make effective use of the openstack CLI command to manage multiple clouds. Internally, the openstack CLI command uses the os-client-config library for centralized management and maintenance of authentication credentials for more than one cloud.

Security of authentication information is critical when it comes to storing access credentials. Although it is not possible to store encrypted passwords in OpenStack, you can work around this problem by placing passwords and other authentication information into separate files.

You can store your non-sensitive OpenStack configuration in ~/.config/openstack/clouds.yaml and your passwords in ~/.config/openstack/secure.yaml. The passwords would still be in plain text, but you can protect secure.yaml with Unix file permissions to enhance the security of sensitive password data.

Here’s an example of authentication credentials from clouds.yaml and secure.yaml.

# ~/.config/openstack/clouds.yaml
# Each key under "clouds" is the name passed to --os-cloud.
clouds:
  cloud1:
    region_name: Region1
    auth:
      auth_url: https://cloud1.platform9.net/keystone/v2.0
      username: john.doe@examplecloudone.com
      project_name: service
  cloud2:
    region_name: Region2
    identity_api_version: 3
    auth:
      auth_url: https://cloud2.platform9.net/keystone/v3
      username: jane.doe@examplecloudtwo.com
      project_name: service
      project_domain_name: default
      user_domain_name: default

# ~/.config/openstack/secure.yaml
# Same structure as clouds.yaml; only the secret values live here.
clouds:
  cloud1:
    auth:
      password: my_secure_password
  cloud2:
    auth:
      password: theother_secure_password
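
The split between clouds.yaml and secure.yaml only helps if no secret stays in clouds.yaml and secure.yaml is restricted to its owner. The following check is an added example, not part of the original article or of os-client-config; the function names, the list of secret keys and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# YAML keys that hold secrets and therefore belong in secure.yaml only.
SECRET_KEY = re.compile(r"^\s*(password|token|application_credential_secret)\s*:")

def audit_openstack_config(config_dir):
    """Return findings for clouds.yaml and secure.yaml under config_dir."""
    findings = []
    clouds = os.path.join(config_dir, "clouds.yaml")
    secure = os.path.join(config_dir, "secure.yaml")
    # clouds.yaml is the non-sensitive half, so no secret key may appear in it.
    if os.path.exists(clouds):
        with open(clouds) as fh:
            for lineno, line in enumerate(fh, 1):
                if SECRET_KEY.match(line):
                    findings.append("clouds.yaml:%d secret stored inline" % lineno)
    # secure.yaml must belong to the caller and grant nothing to group/other.
    if os.path.exists(secure):
        st = os.stat(secure)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != os.geteuid():
            findings.append("secure.yaml owned by uid %d" % st.st_uid)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("secure.yaml mode %04o, expected 0600" % mode)
    return findings

def demo():
    """Audit a constructed config directory before and after tightening it."""
    cfg = tempfile.mkdtemp()
    clouds = os.path.join(cfg, "clouds.yaml")
    secure = os.path.join(cfg, "secure.yaml")
    # Constructed sample data: an inline password and a world-readable file.
    with open(clouds, "w") as fh:
        fh.write("clouds:\n  cloud1:\n    auth:\n      password: example\n")
    with open(secure, "w") as fh:
        fh.write("clouds:\n  cloud1:\n    auth:\n      password: example\n")
    os.chmod(secure, 0o644)
    before = audit_openstack_config(cfg)
    # Remediate: drop the inline secret and restrict secure.yaml to its owner.
    with open(clouds, "w") as fh:
        fh.write("clouds:\n  cloud1:\n    region_name: Region1\n")
    os.chmod(secure, 0o600)
    return before, audit_openstack_config(cfg)

if __name__ == "__main__":
    print(demo())
```

To audit a real setup, call audit_openstack_config(os.path.expanduser("~/.config/openstack")); an empty list means both checks passed.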

Using os-client-config from the CLI

You can specify multiple clouds within the YAML files in order to centralize the storage of authentication credentials. Users can then switch between clouds by specifying the desired cloud when invoking the openstack CLI command (for example, openstack --os-cloud cloud1).

$ openstack --os-cloud cloud1
(openstack) server list
(openstack) volume list

Using os-client-config from the API

Scripting or automation code can also leverage os-client-config in order to manage credentials in a uniform way across CLI and API.

#!/usr/bin/env python
import os_client_config


def main():
    """Main entry point."""
    # Create Nova and Cinder clients.
    # If 'cloud' is left blank, the credentials will be automatically
    # discovered by os-client-config.
    nova = os_client_config.make_client('compute', cloud='cloud1')
    cinder = os_client_config.make_client('volume', cloud='cloud1')

    # List Nova instances
    for server in nova.servers.list():
        print(server.name)

    # List Cinder volumes
    for volume in cinder.volumes.list():
        print(volume.name)


if __name__ == '__main__':
    main()

Centralized storage of authentication information simplifies credential management across multiple clouds. You can quickly switch clouds on the command line, which simplifies managing multiple clouds or tenants within a cloud. For scripting, os-client-config separates authentication information from code while providing a simplified, unified method to access credentials.