The project is documented as being optional when creating credentials via the v3/credentials API, but not providing a project when creating ec2 credentials, then validating a signed request signed with those credentials via ec2tokens fails:
2014-01-14 13:53:19.390 10908 ERROR keystone.common.wsgi [-] object of type 'NoneType' has no len()
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/common/wsgi.py", line 213, in __call__
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi result = method(context, **params)
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi File "/opt/stack/keystone/keystone/contrib/ec2/controllers.py", line 103, in authenticate
2014-01-14 13:53:19.390 10908 TRACE keystone.common.wsgi tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id'])
So we should probably raise an error when creating the credential, since we can never create an appropriately scoped token in ec2tokens without knowing the user and project associated with the credentials.
IIRC, this was the exact use case that landed project_id in the API spec for /v3/credentials at all -- is it not used at all?