OpenStack Keystone Client Library

Warnings

• deprecated The `keystone` command-line interface (CLI) is deprecated in favor of the `openstack` CLI provided by `python-openstackclient`.
  Fix: Migrate CLI operations to `python-openstackclient`. Install it via `pip install python-openstackclient` and use `openstack <service> <command>` instead (e.g., `openstack user list`).
• deprecated Non-session based authentication (passing username, password directly to `keystoneclient.Client` without a `keystoneauth1.session.Session` object) is deprecated.
  Fix: Always use `keystoneauth1.session.Session` with an authentication plugin (e.g., `keystoneauth1.identity.v3.Password`) and pass the session to the `keystoneclient.Client` constructor. This provides more robust and flexible authentication.
• deprecated `keystoneclient` authentication plugins are deprecated in favor of `keystoneauth1` plugins.
  Fix: Ensure you are using authentication plugins directly from the `keystoneauth1.identity` module, not `keystoneclient.auth.identity`.
• breaking The exception classes previously found under `keystoneclient.apiclient.exceptions` were removed and mapped to `keystoneauth1.exceptions`. Direct imports from `keystoneclient.apiclient.exceptions` will fail.
  Fix: Update import statements to use `from keystoneclient import exceptions` and refer to the appropriate exception classes (which are aliases to `keystoneauth1` exceptions).
• gotcha When bundling applications with PyInstaller, `python-keystoneclient` (and its dependency `keystoneauth1`) may encounter `PackageNotFoundError` or issues related to `pbr` versioning.
  Fix: Provide explicit hidden imports and copy metadata for `keystoneclient`, `keystoneauth1`, and `os_service_types` in your PyInstaller `.spec` file. Example additions to `hiddenimports` and `added_files` can be found in Stack Overflow solutions.

Install

• pip install python-keystoneclient Install latest version

Imports

• v3.Password

  from keystoneauth1.identity import v3

• session.Session

  from keystoneauth1 import session

• client.Client

  from keystoneclient.v3 import client

• keystoneclient.exceptions.ClientException

  from keystoneclient import exceptions

  The keystoneclient.apiclient.exceptions module was removed in version 2.1.0; exceptions are now mapped to keystoneauth1.exceptions.

Quickstart

This quickstart demonstrates how to authenticate with OpenStack Keystone using the V3 API and session-based authentication, then lists available projects. It leverages environment variables for credentials, which is a common and secure practice in OpenStack environments.

import os
from keystoneauth1.identity import v3
from keystoneauth1 import session
from keystoneclient.v3 import client

# Environment variables for authentication (recommended practice)
AUTH_URL = os.environ.get('OS_AUTH_URL', 'http://localhost:5000/v3')
USERNAME = os.environ.get('OS_USERNAME', 'admin')
PASSWORD = os.environ.get('OS_PASSWORD', 'password')
PROJECT_NAME = os.environ.get('OS_PROJECT_NAME', 'admin')
USER_DOMAIN_ID = os.environ.get('OS_USER_DOMAIN_ID', 'default')
PROJECT_DOMAIN_ID = os.environ.get('OS_PROJECT_DOMAIN_ID', 'default')

# 1. Authenticate using a session (V3 API example)
auth = v3.Password(
    auth_url=AUTH_URL,
    username=USERNAME,
    password=PASSWORD,
    project_name=PROJECT_NAME,
    user_domain_id=USER_DOMAIN_ID,
    project_domain_id=PROJECT_DOMAIN_ID
)
sess = session.Session(auth=auth)

# 2. Initialize the Keystone client
keystone = client.Client(session=sess)

# 3. Perform an operation (e.g., list projects)
try:
    projects = keystone.projects.list()
    print(f"Successfully connected to Keystone. Found {len(projects)} projects.")
    for project in projects:
        print(f"  - {project.name} (ID: {project.id})")
except exceptions.ClientException as e:
    print(f"Error connecting to Keystone: {e}")
except Exception as e:
    print(f"An unexpected error occurred: {e}")