Comment 8 for bug 1464750

Guang Yee (guang-yee) wrote :

Yeah, I agree with the better documentation aspect. Using V3 APIs along with the policy.v3cloudsample.json policy file, token validation only needs the "service" role.

https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L104

If you don't want an interactive service account at all, you may want to consider the X.509 tokenless authz feature once it has landed.

https://review.openstack.org/#/c/156870/

With this patch, services can just use SSL client certs to talk to Keystone.