Verifying the Identity Service Installation

Verify that authentication is behaving as expected by using your established username and password to generate an authentication token:

    $ keystone --os-username=admin --os-password=secrete --os-auth-url=http://192.168.206.130:35357/v2.0 token-get
    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    | expires  |       2012-10-04T16:08:03Z       |
    | id       | 960ad732a0eb4b2a88516f18384c1fba |
    | user_id  | a4c2d43f80a549a19864c89d759bb3fe |
    +----------+----------------------------------+

You should receive a token in response, paired with your user ID. This verifies that keystone is running on the expected endpoint, and that your user account is established with the expected credentials.

Next, verify that authorization is behaving as expected by requesting authorization on a tenant:

    $ keystone --os-username=admin --os-password=secrete --os-tenant-name=demo --os-auth-url=http://192.168.206.130:35357/v2.0 token-get
    +-----------+----------------------------------+
    | Property  |              Value               |
    +-----------+----------------------------------+
    | expires   |       2012-10-04T16:10:14Z       |
    | id        | 8787f264d2a34607b37aa8d58d956afa |
    | tenant_id | c1ac0f7f0e55448fa3940fa6b8b54911 |
    | user_id   | a4c2d43f80a549a19864c89d759bb3fe |
    +-----------+----------------------------------+

You should receive a new token in response, this time including the ID of the tenant you specified. This verifies that your user account has an explicitly defined role on the specified tenant, and that the tenant exists as expected.

You can also set your --os-* variables in your environment to simplify CLI usage. Best practice for bootstrapping the first administrative user is to use the OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN together as environment variables.
Once the admin user credentials are established, you can set up a keystonerc file with the admin credentials and admin endpoint (note the use of port 35357):

    export OS_USERNAME=admin
    export OS_PASSWORD=secrete
    export OS_TENANT_NAME=demo
    export OS_AUTH_URL=http://192.168.206.130:35357/v2.0

Save and source the keystonerc file.

    $ source keystonerc

Verify that your keystonerc is configured correctly by performing the same command as above, but without any --os-* arguments.

    $ keystone token-get
    +-----------+----------------------------------+
    | Property  |              Value               |
    +-----------+----------------------------------+
    | expires   |       2012-10-04T16:12:38Z       |
    | id        | 03a13f424b56440fb39278b844a776ae |
    | tenant_id | c1ac0f7f0e55448fa3940fa6b8b54911 |
    | user_id   | a4c2d43f80a549a19864c89d759bb3fe |
    +-----------+----------------------------------+

The command returns a token and the ID of the specified tenant. This verifies that you have configured your environment variables correctly.

Finally, verify that your admin account has authorization to perform administrative commands.

Reminder: Unlike basic authentication/authorization, which can be performed against either port 5000 or 35357, administrative commands MUST be performed against the admin API port (35357). This means that you MUST use port 35357 in your OS_AUTH_URL or --os-auth-url setting when working with the keystone CLI.

    $ keystone user-list
    +----------------------------------+---------+-------+--------+
    |                id                | enabled | email |  name  |
    +----------------------------------+---------+-------+--------+
    | 318003c9a97342dbab6ff81675d68364 |   True  |  None | swift  |
    | 3a316b32f44941c0b9ebc577feaa5b5c |   True  |  None |  nova  |
    | ac4dd12ebad84e55a1cd964b356ddf65 |   True  |  None | glance |
    | a4c2d43f80a549a19864c89d759bb3fe |   True  |  None | admin  |
    | ec47114af7014afd9a8994cbb6057a8b |   True  |  None |  ec2   |
    +----------------------------------+---------+-------+--------+

This verifies that your user account has the admin role, as defined in keystone's policy.json file.
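
A lint for the keystonerc file described above, as an added example that is not part of the original guide: it reads the file without sourcing it and confirms that the four OS_* variables are set, that OS_AUTH_URL targets the admin port 35357, and that the file holding OS_PASSWORD is not accessible to group or other. The function names, return codes and the permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the guide): lint a keystonerc without sourcing it.
# Function names and return codes are hypothetical.
ADMIN_PORT=35357   # admin API port required by the guide

# Print the value assigned by "export NAME=value" in file $1 (last one wins).
rc_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Returns 0 = OK, 1 = unreadable or variable missing, 2 = not the admin port,
# 3 = file accessible to group/other.
check_keystonerc() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    for name in OS_USERNAME OS_PASSWORD OS_TENANT_NAME OS_AUTH_URL; do
        if [ -z "$(rc_value "$file" "$name")" ]; then
            echo "$file: $name is not set" >&2
            return 1
        fi
    done
    # Reduce the URL to host[:port], then take the port if one is present.
    hostport=$(rc_value "$file" OS_AUTH_URL)
    hostport=${hostport#*://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   port= ;;
    esac
    if [ "$port" != "$ADMIN_PORT" ]; then
        echo "$file: OS_AUTH_URL must use port $ADMIN_PORT" >&2
        return 2
    fi
    # The file stores OS_PASSWORD in clear text; only the owner needs access.
    if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: restrict access with chmod 600" >&2
        return 3
    fi
    return 0
}

# Constructed sample: the keystonerc from the guide, written to a temp file.
sample=$(mktemp)
printf 'export %s\n' OS_USERNAME=admin OS_PASSWORD=secrete \
    OS_TENANT_NAME=demo OS_AUTH_URL=http://192.168.206.130:35357/v2.0 >"$sample"
check_keystonerc "$sample" && echo "keystonerc OK"
rm -f "$sample"
```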