Application Credentials

Create and manage application credentials in PCD for automation and service-to-service authentication, including constraints when using SSO.

Overview

Application credentials allow automation scripts, CI/CD pipelines, and services to authenticate to Private Cloud Director without using a personal username and password. Unlike user tokens, application credentials are scoped to a specific tenant (project) and role, making them safer for long-running automation.

In this guide, you will create application credentials, understand their lifecycle, and learn the constraints that apply when your account authenticates via SSO.

How Application Credentials Work

Application credentials are a feature of the Identity Service. Each set of application credentials:

Is owned by and tied to the user account that created them.
Carries a role assignment scoped to a single tenant (project).
Authenticates independently without requiring the owner's password.
Can optionally have an expiration date.
Can be revoked at any time by deleting them.

When you use application credentials to authenticate, the Identity Service issues a token with the same tenant scope and roles that the application credential specifies — it does not re-derive permissions from your user account at authentication time.

Prerequisites

Before you create application credentials, ensure you have:

An active user account in PCD with at least one role assignment in the target tenant.
pcdctl installed and configured, or access to the PCD UI.

Create Application Credentials

Using the UI

Log in to PCD.
Navigate to Settings > Application Credentials (or go to your user account menu and select Application Credentials).
Select Create Application Credential.
Configure the following fields.

Field

Description

Name

A unique name for the credential (for example, ci-pipeline-prod).

Description

An optional description of what this credential is used for.

Tenant (Project)

Select the tenant (project) this credential is scoped to.

Role

Select a role. You can only assign roles that your user account already holds in that tenant.

Expiration

Optionally set an expiration date and time. If left blank, the credential does not expire.

Secret

Leave blank to auto-generate a secret, or enter a custom secret.

Select Create. The credential ID and secret are displayed once. Copy and store the secret securely — it is not retrievable after this step.

Using the CLI

pcdctl application credential create my-automation-cred \
  --role member \
  --description "Credential for CI pipeline"

To create a credential with an expiration:

pcdctl application credential create my-automation-cred \
  --role member \
  --expiration "2026-12-31T00:00:00Z"

Authenticate with Application Credentials

Use the application credential ID and secret in place of a username and password.

Using environment variables with pcdctl

export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://<FQDN>/keystone/v3
export OS_APPLICATION_CREDENTIAL_ID=<credential-id>
export OS_APPLICATION_CREDENTIAL_SECRET=<credential-secret>

Then run any pcdctl command normally.

Using a `clouds.yaml` file

clouds:
  my-pcd-env:
    auth:
      auth_url: https://<FQDN>/keystone/v3
      application_credential_id: "<credential-id>"
      application_credential_secret: "<credential-secret>"
    auth_type: v3applicationcredential

Application Credential Lifecycle

No expiration by default. Application credentials without an expiration date remain valid until deleted. Set an expiration for credentials used in temporary contexts.
Tied to the owning user. If the user account that created the credential is deleted or disabled, the application credential becomes invalid. Plan accordingly when using application credentials for shared service accounts.
Roles are fixed at creation. The role assigned to an application credential does not update automatically if the user's role in the tenant changes. Delete and re-create the credential to pick up a role change.
Rotation. To rotate a credential, create a new one, update all consumers to use the new credential, then delete the old one.

List and Manage Application Credentials

List all your credentials

pcdctl application credential list

Show details of a specific credential

pcdctl application credential show <credential-id-or-name>

Delete a credential

pcdctl application credential delete <credential-id-or-name>

Creating Application Credentials as an SSO User

If your account authenticates via SSO, you can create application credentials, with a few behaviors specific to federated identity:

Create during an active SSO session, soon after logging in. For SSO users, group memberships are derived from your identity provider's assertion at login rather than stored permanently. To let operations such as application credential creation validate your tenant roles, Private Cloud Director retains your mapped group memberships for a limited validity window (24 hours by default) after you log in. Create the application credential within this window.
Role scope is limited to your SSO-assigned roles. You can only create application credentials with roles that your SSO group mapping grants you in the target tenant. You cannot elevate permissions beyond what your IdP group assignment allows.
Once created, the credential authenticates independently. After creation, the application credential remains valid until its expiration date (if set) or until you delete it, regardless of your SSO session.

"Could not find role assignment" error when creating a credential

If application credential creation fails with an error such as Could not find role assignment with role ..., your federated group-membership validity window has likely expired. Log out, log back in via SSO, and create the application credential again promptly.

Self-Hosted deployments only

The membership validity window is governed by the Identity Service [federation] default_authorization_ttl setting (in minutes; 24 hours by default in Private Cloud Director). Changing it requires management plane access. In SaaS deployments Platform9 operates the management plane — contact Platform9 Support for adjustments.

Next Steps

To understand which roles you can assign to application credentials, see RBAC Roles and Permissions.
To configure or troubleshoot SSO, see Enterprise SSO.
To adjust how long tokens remain valid, see Token Lifetime Configuration.

PreviousRBAC Roles and Permissions NextToken Lifetime Configuration

Last updated 13 days ago

Was this helpful?