Yeah, I agree with the better documentation aspect. Using V3 APIs along with the policy.v3cloudsample.json policy file, token validation only needs the "service" role.
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L104
If you don't want an interactive service account at all, you may want to consider the X.509 tokenless authz feature once it has landed.
https://review.openstack.org/#/c/156870/
With this patch, services can just use SSL client certs to talk to Keystone.
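To make concrete what "only needs the service role" means at the policy layer, here is an added example (not Keystone's or oslo.policy's own code): a tiny evaluator for oslo.policy-style rule strings run over a constructed policy fragment modeled on policy.v3cloudsample.json. The rule strings and the `enforce`/`check_atom` helpers are assumptions for illustration; the linked file is the authority on the real rules.

```python
"""Minimal evaluator for oslo.policy-style rule strings.

Added example code, not Keystone's or oslo.policy's implementation. The
POLICY dict is a CONSTRUCTED fragment modeled on policy.v3cloudsample.json;
check the real file for the exact rule text.
"""

# Constructed policy fragment (assumption, not copied from the real file).
POLICY = {
    "admin_required": "role:admin",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "identity:validate_token": "rule:service_or_admin",
}


def check_atom(atom, creds):
    """Evaluate one 'kind:value' atom against the caller's credentials.

    Only the two kinds needed for this fragment are supported:
      role:X  -> caller's token carries role X
      rule:Y  -> recurse into the named rule Y
    """
    kind, value = atom.split(":", 1)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(value, creds)
    raise ValueError(f"unsupported check kind: {kind}")


def enforce(rule_name, creds):
    """Return True if creds satisfy the named rule.

    'or' has lowest precedence and 'and' binds tighter, matching the
    oslo.policy grammar for the parenthesis-free rules used here.
    """
    expr = POLICY[rule_name]
    return any(
        all(check_atom(tok, creds) for tok in conj.split(" and "))
        for conj in expr.split(" or ")
    )


if __name__ == "__main__":
    for roles in (["service"], ["admin"], ["member"], []):
        ok = enforce("identity:validate_token", {"roles": roles})
        print(f"roles={roles!r:<14} validate_token allowed={ok}")
```

A service user holding only the "service" role passes the check, while an ordinary project member does not; the admin role also passes, so limiting the service account to "service" is the least-privilege choice.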