Defining Users, Tenants, and Roles

Once Keystone is installed and running, you set up users, tenants, and roles to authenticate against. These are used to allow access to services and endpoints, described in the next section.

Typically, you would use a username and password to authenticate with the Identity Service. At this point, however, we have not created any users, so we have to use the authorization token created in the previous section. You can pass this token as an option to the keystone command or set the OS_SERVICE_TOKEN environment variable. We'll set OS_SERVICE_TOKEN, as well as OS_SERVICE_ENDPOINT to specify where the Identity Service is running. Replace FCAF3E... with your authorization token.

    # export OS_SERVICE_TOKEN=FCAF3E...
    # export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

First, create a tenant for an administrative user and a tenant for other OpenStack services to use.

    # keystone tenant-create --name=admin --description="Admin Tenant"
    # keystone tenant-create --name=service --description="Service Tenant"

Next, create an administrative user called admin. Choose a password for the admin user and specify an email address for the account.

    # keystone user-create --name=admin --pass=ADMIN_PASS --email=admin@example.com

Create a role for administrative tasks called admin. Any roles you create should map to roles specified in the policy.json files of the various OpenStack services. The default policy files use the admin role to allow access to most services.

    # keystone role-create --name=admin

Finally, you have to add roles to users. Users always log in with a tenant, and roles are assigned to users within tenants. Add the admin role to the admin user when logging in with the admin tenant.

    # keystone user-role-add --user=admin --tenant=admin --role=admin
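The steps above as one script, added here as an example and not taken from the OpenStack guide. It assumes the legacy keystone CLI is on the PATH, that OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT are exported as described above, and that the caller exports ADMIN_PASS (and optionally ADMIN_EMAIL) rather than typing the password on the command line, so it does not end up in the shell history. The DRY_RUN variable and the function names are this example's own conventions, not keystone options.

```shell
#!/bin/sh
# Added example (not from the OpenStack guide): bootstrap the admin tenant,
# user and role with the service token, then drop the token from the
# environment, since it grants administrative access without any user account.
# Assumed environment: OS_SERVICE_TOKEN, OS_SERVICE_ENDPOINT, ADMIN_PASS
# (optionally ADMIN_EMAIL). DRY_RUN=1 prints the commands instead of running them.

# print_masked: echo a command line with any --pass= value hidden.
print_masked() {
    for arg in "$@"; do
        case "$arg" in
            --pass=*) printf '%s ' '--pass=********' ;;
            *)        printf '%s ' "$arg" ;;
        esac
    done
    printf '\n'
}

# run_cmd: execute the command, or only print it (masked) when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        print_masked "$@"
    else
        "$@"
    fi
}

# check_bootstrap_env: succeed only when every variable the bootstrap needs is set.
check_bootstrap_env() {
    [ -n "${OS_SERVICE_TOKEN:-}" ]    || { echo "OS_SERVICE_TOKEN is not set" >&2; return 1; }
    [ -n "${OS_SERVICE_ENDPOINT:-}" ] || { echo "OS_SERVICE_ENDPOINT is not set" >&2; return 1; }
    [ -n "${ADMIN_PASS:-}" ]          || { echo "ADMIN_PASS is not set" >&2; return 1; }
    return 0
}

# bootstrap_identity: the tenant, user, role and role-assignment steps, in order.
bootstrap_identity() {
    check_bootstrap_env || return 1
    run_cmd keystone tenant-create --name=admin --description="Admin Tenant"
    run_cmd keystone tenant-create --name=service --description="Service Tenant"
    run_cmd keystone user-create --name=admin --pass="$ADMIN_PASS" \
        --email="${ADMIN_EMAIL:-admin@example.com}"
    run_cmd keystone role-create --name=admin
    run_cmd keystone user-role-add --user=admin --tenant=admin --role=admin
}

# Only run when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
    bootstrap_identity
    # The bootstrap token is no longer needed once the admin user exists.
    unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT ADMIN_PASS
fi
```

Run it as `RUN_BOOTSTRAP=1 ADMIN_PASS='...' sh bootstrap.sh`, or with `DRY_RUN=1` added to review the exact commands first; either way the password is never visible in the printed output or in the history of the interactive shell.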