Basic disclaimer. Still CentOS 6 + Icehouse (hope that's the last time I'll write that).

The problem

The OpenStack Python APIs are a bit, uhm, optimistically documented. As in "I'm sure people will figure it out". Well that's why I'm writing this.

I tried to get the keystone v3 API working in python using the admin token. Yes, yes, admin token bad, use other things, etc. However, sometimes in code you need an automation account that can bootstrap things.

The Solution

I think I've written this sentence before too, but "how hard can it be?"

Oh.

It took some reading of code to get this working. Here is a basic template to get a working keystone v3 connection in python using the admin token.

from keystoneclient.v3 import client as keystoneclient_v3
from keystoneclient.auth import token_endpoint
from keystoneclient import session

# Probably only needed for Icehouse era code
# Keystone Token handler is buggy, so extend so it can return the endpoint
class TokenAuth(token_endpoint.Token):
    def get_endpoint(self, session, **kwargs):
        """Return the supplied endpoint.

        Using this plugin the same endpoint is returned regardless of the
        parameters passed to the plugin.
        """
        return self.endpoint

# OS _URL is usually https://server:5000/v3
keystone_auth_v3 = TokenAuth(endpoint=os.environ['OS_URL'], token=os.environ['OS_TOKEN'])
keystone_session_v3 = session.Session(auth=keystone_auth_v3)
keystone_v3 = keystoneclient_v3.Client(session=keystone_session_v3)

There, a working keystone v3 session using the admin token. Was that so hard? Well the first time, yeah. But I hope this makes it easier.

I still have no clue how to use it for other services though.