The keystone client is the command-line interface (CLI) for the OpenStack Identity API and its extensions. For help on a specific keystone command, enter: $ keystone help COMMAND

[--os-username <auth-user-name>] [--os-password <auth-password>] [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>] [--os-region-name <region-name>] [--os-identity-api-version <identity-api-version>] [--os-token <service-token>] [--os-endpoint <service-endpoint>] [--os-cacert <ca-certificate>] [--insecure] [--os-cert <certificate>] [--os-key <key>] [--os-cache] [--force-new-token] [--stale-duration <seconds>] <subcommand> ...

<subcommand> catalog List service catalog, possibly filtered by service. ec2-credentials-create Create EC2-compatible credentials for user per tenant. ec2-credentials-delete Delete EC2-compatible credentials. ec2-credentials-get Display EC2-compatible credentials. ec2-credentials-list List EC2-compatible credentials for a user endpoint-create Create a new endpoint associated with a service. endpoint-delete Delete a service endpoint. endpoint-get Find endpoint filtered by a specific attribute or service type. endpoint-list List configured service endpoints. password-update Update own password. role-create Create new role. role-delete Delete role. role-get Display role details. role-list List all roles. service-create Add service to Service Catalog. service-delete Delete service from Service Catalog. service-get Display service from Service Catalog. service-list List all services in Service Catalog. tenant-create Create new tenant. tenant-delete Delete tenant. tenant-get Display tenant details. tenant-list List all tenants. tenant-update Update tenant name, description, enabled status. token-get Display the current user token. user-create Create new user user-delete Delete user user-get Display user details. user-list List users. user-password-update Update user password. user-role-add Add role to user user-role-list List roles granted to a user user-role-remove Remove role from user user-update Update user's name, email, and enabled status. discover Discover Keystone servers, supported API versions and extensions. bootstrap Grants a new role to a new user on a new tenant, after creating each. bash-completion Prints all of the commands and options to stdout. help Display help about this program or one of its subcommands.

--version Shows the client version and exits --timeout <seconds> Set request timeout (in seconds) --os-username <auth-user-name> Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME] --os-password <auth-password> Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD] --os-tenant-name <auth-tenant-name> Tenant to request authorization on. Defaults to env[OS_TENANT_NAME] --os-tenant-id <tenant-id> Tenant to request authorization on. Defaults to env[OS_TENANT_ID] --os-auth-url <auth-url> Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL] --os-region-name <region-name> Defaults to env[OS_REGION_NAME] --os-identity-api-version <identity-api-version> Defaults to env[OS_IDENTITY_API_VERSION] or 2.0 --os-token <service-token> Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN] --os-endpoint <service-endpoint> Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT] --os-cacert <ca-certificate> Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT] --insecure Explicitly allow keystoneclient to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution. --os-cert <certificate> Defaults to env[OS_CERT] --os-key <key> Defaults to env[OS_KEY] --os-cache Use the auth token cache. Defaults to env[OS_CACHE] --force-new-token If the keyring is available and in use, token will always be stored and fetched from the keyring until the token has expired. Use this option to request a new token and replace the existing one in the keyring. --stale-duration <seconds> Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds.

usage: keystone bootstrap [--user-name <user-name>] --pass <password> [--role-name <role-name>] [--tenant-name <tenant-name>] Grants a new role to a new user on a new tenant, after creating each. Arguments: --user-name <user-name> The name of the user to be created (default="admin"). --pass <password> The password for the new user. --role-name <role-name> The name of the role to be created and granted to the user (default="admin"). --tenant-name <tenant-name> The name of the tenant to be created (default="admin").

usage: keystone catalog [--service <service-type>] List service catalog, possibly filtered by service. Arguments: --service <service-type> Service type to return

usage: keystone discover Discover Keystone servers, supported API versions and extensions. Usage:: $ keystone discover Keystone found at http://localhost:35357 - supports version v1.0 (DEPRECATED) here http://localhost:35357/v1.0 - supports version v1.1 (CURRENT) here http://localhost:35357/v1.1 - supports version v2.0 (CURRENT) here http://localhost:35357/v2.0 - and RAX-KSKEY: Rackspace API Key Authentication Admin Extension - and RAX-KSGRP: Rackspace Keystone Group Extensions

usage: keystone ec2-credentials-create [--user-id <user-id>] [--tenant-id <tenant-id>] Create EC2-compatible credentials for user per tenant. Arguments: --user-id <user-id> User ID --tenant-id <tenant-id> Tenant ID

usage: keystone ec2-credentials-delete [--user-id <user-id>] --access <access-key> Delete EC2-compatible credentials. Arguments: --user-id <user-id> User ID --access <access-key> Access Key

usage: keystone ec2-credentials-get [--user-id <user-id>] --access <access-key> Display EC2-compatible credentials. Arguments: --user-id <user-id> User ID --access <access-key> Access Key

usage: keystone ec2-credentials-list [--user-id <user-id>] List EC2-compatible credentials for a user Arguments: --user-id <user-id> User ID

usage: keystone endpoint-create [--region <endpoint-region>] --service <service> --publicurl <public-url> [--adminurl <admin-url>] [--internalurl <internal-url>] Create a new endpoint associated with a service. Arguments: --region <endpoint-region> Endpoint region --service <service>, --service-id <service>, --service_id <service> Name or ID of service associated with Endpoint --publicurl <public-url> Public URL endpoint --adminurl <admin-url> Admin URL endpoint --internalurl <internal-url> Internal URL endpoint

usage: keystone endpoint-delete <endpoint-id> Delete a service endpoint. Arguments: <endpoint-id> ID of endpoint to delete

usage: keystone endpoint-get --service <service-type> [--endpoint-type <endpoint-type>] [--attr <service-attribute>] [--value <value>] Find endpoint filtered by a specific attribute or service type. Arguments: --service <service-type> Service type to select --endpoint-type <endpoint-type> Endpoint type to select --attr <service-attribute> Service attribute to match for selection --value <value> Value of attribute to match

usage: keystone endpoint-list List configured service endpoints.

usage: keystone password-update [--current-password <current-password>] [--new-password <new-password>] Update own password. Arguments: --current-password <current-password> Current password, Defaults to the password as set by --os-password or OS_PASSWORD --new-password <new-password> Desired new password

usage: keystone role-create --name <role-name> Create new role. Arguments: --name <role-name> Name of new role

usage: keystone role-delete <role> Delete role. Arguments: <role> Name or ID of role to delete

usage: keystone role-get <role> Display role details. Arguments: <role> Name or ID of role to display

usage: keystone role-list List all roles.

usage: keystone service-create --name <name> --type <type> [--description <service-description>] Add service to Service Catalog. Arguments: --name <name> Name of new service (must be unique) --type <type> Service type (one of: identity, compute, network, image, object-store, or other service identifier string) --description <service-description> Description of service

usage: keystone service-delete <service> Delete service from Service Catalog. Arguments: <service> Name or ID of service to delete

usage: keystone service-get <service> Display service from Service Catalog. Arguments: <service> Name or ID of service to display

usage: keystone service-list List all services in Service Catalog.

usage: keystone tenant-create --name <tenant-name> [--description <tenant-description>] [--enabled <true|false>] Create new tenant. Arguments: --name <tenant-name> New tenant name (must be unique) --description <tenant-description> Description of new tenant (default is none) --enabled <true|false> Initial tenant enabled status (default true)

usage: keystone tenant-delete <tenant> Delete tenant. Arguments: <tenant> Name or ID of tenant to delete

usage: keystone tenant-get <tenant> Display tenant details. Arguments: <tenant> Name or ID of tenant to display

usage: keystone tenant-list List all tenants.

usage: keystone tenant-update [--name <tenant_name>] [--description <tenant-description>] [--enabled <true|false>] <tenant> Update tenant name, description, enabled status. Arguments: --name <tenant_name> Desired new name of tenant --description <tenant-description> Desired new description of tenant --enabled <true|false> Enable or disable tenant <tenant> Name or ID of tenant to update

usage: keystone token-get [--wrap <integer>] Display the current user token. Arguments: --wrap <integer> wrap PKI tokens to a specified length, or 0 to disable

usage: keystone user-create --name <user-name> [--tenant <tenant>] [--pass <pass>] [--email <email>] [--enabled <true|false>] Create new user Arguments: --name <user-name> New user name (must be unique) --tenant <tenant>, --tenant-id <tenant> New user default tenant --pass <pass> New user password --email <email> New user email address --enabled <true|false> Initial user enabled status (default true)

usage: keystone user-delete <user> Delete user Arguments: <user> Name or ID of user to delete

usage: keystone user-get <user> Display user details. Arguments: <user> Name or ID of user to display

usage: keystone user-list [--tenant <tenant>] List users. Arguments: --tenant <tenant>, --tenant-id <tenant> Tenant; lists all users if not specified

usage: keystone user-password-update [--pass <password>] <user> Update user password. Arguments: --pass <password> Desired new password <user> Name or ID of user to update password

usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>] Add role to user Arguments: --user <user>, --user-id <user>, --user_id <user> Name or ID of user --role <role>, --role-id <role>, --role_id <role> Name or ID of role --tenant <tenant>, --tenant-id <tenant> Name or ID of tenant

usage: keystone user-role-list [--user <user>] [--tenant <tenant>] List roles granted to a user Arguments: --user <user>, --user-id <user> List roles granted to a user --tenant <tenant>, --tenant-id <tenant> List roles granted on a tenant

usage: keystone user-role-remove --user <user> --role <role> [--tenant <tenant>] Remove role from user Arguments: --user <user>, --user-id <user>, --user_id <user> Name or ID of user --role <role>, --role-id <role>, --role_id <role> Name or ID of role --tenant <tenant>, --tenant-id <tenant> Name or ID of tenant

usage: keystone user-update [--name <user-name>] [--email <email>] [--enabled <true|false>] <user> Update user's name, email, and enabled status. Arguments: --name <user-name> Desired new user name --email <email> Desired new email address --enabled <true|false> Enable or disable user <user> Name or ID of user to update