> It either ends up having Client Error with admin-project-scoped auth or 401 with supposedly defalt-domain-scoped auth.
The scope_type for identity:create_endpoint is "system": https://docs.openstack.org/keystone/latest/configuration/policy.html
So neither a project- nor domain-scoped token will be usable with this policy if enforce_scope is set to true. You either need a system-scoped token or you need to set enforce_scope=false (which is the default).
> It either ends up having Client Error with admin-project- scoped auth or 401 with supposedly defalt- domain- scoped auth.
The scope_type for identity: create_ endpoint is "system": https:/ /docs.openstack .org/keystone/ latest/ configuration/ policy. html
So neither a project- nor domain-scoped token will be usable with this policy if enforce_scope is set to true. You either need a system-scoped token or you need to set enforce_scope=false (which is the default).