Comment 1 for bug 1999068

Pete Zaitcev (zaitcev) wrote :

I was able to reproduce the problem on the trunk (trunks for Keystone and Glance).

According to my tests, it is not important if the application credentials were created by an admin user or a regular user (with no admin role).

The result is that the access rules are ignored if they are applied to service "identity". But they work for other services as intended. The app creds work as intended otherwise, and setting _only_ OS_AUTH_TYPE=v3applicationcredential, OS_APPLICATION_CREDENTIAL_SECRET=yyyyy, OS_APPLICATION_CREDENTIAL_ID=zzzzzzzzzz is sufficient to authenticate with the user's normal roles. Seems exactly as Simon reported.

BTW, Devstack does not configure service_type=xxxx in [keystone_authtoken] for any of its services, so it needs adding, as the documentation explains.

Isn't it the case that Keystone API does not have keystonemiddleware in its pipeline?