# Application Credentials

## Overview

Application credentials allow automation scripts, CI/CD pipelines, and services to authenticate to Private Cloud Director without using a personal username and password. Unlike user tokens, application credentials are scoped to a specific tenant (project) and role, making them safer for long-running automation.

In this guide, you will create application credentials, understand their lifecycle, and learn the constraints that apply when your account authenticates via SSO.

## How Application Credentials Work

Application credentials are a feature of the Identity Service. Each set of application credentials:

* Is owned by and tied to the user account that created them.
* Carries a role assignment scoped to a single tenant (project).
* Authenticates independently without requiring the owner's password.
* Can optionally have an expiration date.
* Can be revoked at any time by deleting them.

When you use application credentials to authenticate, the Identity Service issues a token with the same tenant scope and roles that the application credential specifies — it does not re-derive permissions from your user account at authentication time.

## Prerequisites

Before you create application credentials, ensure you have:

* An active user account in PCD with at least one role assignment in the target tenant.
* `pcdctl` installed and configured, or access to the PCD UI.

## Create Application Credentials

### Using the UI

1. Log in to PCD.
2. Navigate to **Settings** > **Application Credentials** (or go to your user account menu and select **Application Credentials**).
3. Select **Create Application Credential**.
4. Configure the following fields.

| Field                | Description                                                                                   |
| -------------------- | --------------------------------------------------------------------------------------------- |
| **Name**             | A unique name for the credential (for example, `ci-pipeline-prod`).                           |
| **Description**      | An optional description of what this credential is used for.                                  |
| **Tenant (Project)** | Select the tenant (project) this credential is scoped to.                                     |
| **Role**             | Select a role. You can only assign roles that your user account already holds in that tenant. |
| **Expiration**       | Optionally set an expiration date and time. If left blank, the credential does not expire.    |
| **Secret**           | Leave blank to auto-generate a secret, or enter a custom secret.                              |

5. Select **Create**. The credential ID and secret are displayed once. Copy and store the secret securely — it is not retrievable after this step.

### Using the CLI

```bash
pcdctl application credential create my-automation-cred \
  --role member \
  --description "Credential for CI pipeline"
```

To create a credential with an expiration:

```bash
pcdctl application credential create my-automation-cred \
  --role member \
  --expiration "2026-12-31T00:00:00Z"
```

## Authenticate with Application Credentials

Use the application credential ID and secret in place of a username and password.

### Using environment variables with pcdctl

```bash
export OS_AUTH_TYPE=v3applicationcredential
export OS_AUTH_URL=https://<FQDN>/keystone/v3
export OS_APPLICATION_CREDENTIAL_ID=<credential-id>
export OS_APPLICATION_CREDENTIAL_SECRET=<credential-secret>
```

Then run any `pcdctl` command normally.

### Using a `clouds.yaml` file

```yaml
clouds:
  my-pcd-env:
    auth:
      auth_url: https://<FQDN>/keystone/v3
      application_credential_id: "<credential-id>"
      application_credential_secret: "<credential-secret>"
    auth_type: v3applicationcredential
```
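Both configurations above drive the same Keystone v3 `application_credential` auth method. The following added example (not part of the original page or of `pcdctl`) shows the exchange directly: it builds the auth request from the `OS_APPLICATION_CREDENTIAL_*` variables, POSTs it to `<auth_url>/auth/tokens`, and reads back the tenant scope and roles that the token carries, which are the ones fixed in the credential rather than the owner's current roles. The sample response and all IDs are constructed placeholders.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone


def build_auth_request(cred_id: str, secret: str) -> dict:
    """Keystone v3 body behind OS_AUTH_TYPE=v3applicationcredential."""
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": cred_id, "secret": secret},
    }}}


def summarize_token(body: dict, subject_token: str) -> dict:
    """Pull out what a consumer should check: the project scope and roles
    baked into the credential, and how long the issued token is valid."""
    tok = body["token"]
    expires = datetime.fromisoformat(tok["expires_at"].replace("Z", "+00:00"))
    return {
        "token": subject_token,
        "project": tok["project"]["name"],
        "roles": sorted(r["name"] for r in tok["roles"]),
        "credential_name": tok["application_credential"]["name"],
        "seconds_left": int((expires - datetime.now(timezone.utc)).total_seconds()),
    }


def request_token(auth_url: str, cred_id: str, secret: str) -> dict:
    """POST to <auth_url>/auth/tokens. Keystone returns the token itself in
    the X-Subject-Token header and the scope/roles in the JSON body."""
    payload = json.dumps(build_auth_request(cred_id, secret)).encode()
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens", data=payload,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_token(json.load(resp), resp.headers["X-Subject-Token"])


# Constructed sample response, shaped like Keystone's, so the parsing can be
# exercised offline. Every identifier here is a placeholder.
SAMPLE_BODY = {"token": {
    "expires_at": "2099-01-01T00:00:00.000000Z",
    "project": {"id": "proj-placeholder", "name": "prod"},
    "roles": [{"id": "role-placeholder", "name": "member"}],
    "application_credential": {"id": "cred-placeholder",
                               "name": "ci-pipeline-prod", "restricted": True},
}}

if __name__ == "__main__":
    # Reuses the same environment variables as the pcdctl example above.
    print(request_token(os.environ["OS_AUTH_URL"],
                        os.environ["OS_APPLICATION_CREDENTIAL_ID"],
                        os.environ["OS_APPLICATION_CREDENTIAL_SECRET"]))
```

If the roles printed differ from what the owning user holds today, that is expected: the page notes roles are fixed at creation, so a role change means re-creating the credential.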

## Application Credential Lifecycle

* **No expiration by default.** Application credentials without an expiration date remain valid until deleted. Set an expiration for credentials used in temporary contexts.
* **Tied to the owning user.** If the user account that created the credential is deleted or disabled, the application credential becomes invalid. Plan accordingly when using application credentials for shared service accounts.
* **Roles are fixed at creation.** The role assigned to an application credential does not update automatically if the user's role in the tenant changes. Delete and re-create the credential to pick up a role change.
* **Rotation.** To rotate a credential, create a new one, update all consumers to use the new credential, then delete the old one.

## List and Manage Application Credentials

### List all your credentials

```bash
pcdctl application credential list
```

### Show details of a specific credential

```bash
pcdctl application credential show <credential-id-or-name>
```

### Delete a credential

```bash
pcdctl application credential delete <credential-id-or-name>
```

## Creating Application Credentials as an SSO User

If your account authenticates via SSO, you can create application credentials, with a few behaviors specific to federated identity:

* **Create during an active SSO session, soon after logging in.** For SSO users, group memberships are derived from your identity provider's assertion at login rather than stored permanently. To let operations such as application credential creation validate your tenant roles, Private Cloud Director retains your mapped group memberships for a limited validity window (24 hours by default) after you log in. Create the application credential within this window.
* **Role scope is limited to your SSO-assigned roles.** You can only create application credentials with roles that your SSO group mapping grants you in the target tenant. You cannot elevate permissions beyond what your IdP group assignment allows.
* **Once created, the credential authenticates independently.** After creation, the application credential remains valid until its expiration date (if set) or until you delete it, regardless of your SSO session.

{% hint style="warning" %}
**"Could not find role assignment" error when creating a credential**

If application credential creation fails with an error such as `Could not find role assignment with role ...`, your federated group-membership validity window has likely expired. Log out, log back in via SSO, and create the application credential again promptly.
{% endhint %}

{% hint style="info" %}
**Self-Hosted deployments only**

The membership validity window is governed by the Identity Service `[federation] default_authorization_ttl` setting (in minutes; 24 hours by default in Private Cloud Director). Changing it requires management plane access. In SaaS deployments, Platform9 operates the management plane; contact Platform9 Support for adjustments.
{% endhint %}

## Next Steps

* To understand which roles you can assign to application credentials, see [RBAC Roles and Permissions](/private-cloud-director/identity-and-multi-tenancy/rbac-roles-and-permissions.md).
* To configure or troubleshoot SSO, see [Enterprise SSO](/private-cloud-director/identity-and-multi-tenancy/enterprise-sso.md).
* To adjust how long tokens remain valid, see [Token Lifetime Configuration](/private-cloud-director/identity-and-multi-tenancy/token-lifetime.md).
