Public bug reported:

This is similar to #1773967 and #2030061 but I think it's distinctly different. I'm using 2024.2 of keystone and attempting to create an application credential.

Here's the error:

❯ openstack application credential create terraform-cred --restricted
BadRequestException: 400: Client Error for url: https://keystone.local./v3/users/b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec/application_credentials, Invalid application credential: Could not find role assignment with role: 4a5321ded95d4c2caa3ebb329fd12dd5, user or group: b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec, project, domain, or system: 9c5848c68f1c41d181365eea45ed804b.

Here's the permission that I believe should be giving me this access:

+----------------------------------+------+----------------------------------+---------+---------+--------+-----------+
| Role                             | User | Group                            | Project | Domain  | System | Inherited |
+----------------------------------+------+----------------------------------+---------+---------+--------+-----------+
| 4a5321ded95d4c2caa3ebb329fd12dd5 |      | 74903141bbe74b148f7aac29b8ac83eb |         | default |        | True      |
+----------------------------------+------+----------------------------------+---------+---------+--------+-----------+

❯ openstack project show 9c5848c68f1c41d181365eea45ed804b
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9c5848c68f1c41d181365eea45ed804b |
| is_domain   | False                            |
| name        | doug-test                        |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

You can see the role has access to everything in the default domain via the group. The issue I believe is that my user "b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec" is a federated user that is granted membership to the "74903141bbe74b148f7aac29b8ac83eb" group.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2091317

Title:
  unable to create application credential with inherited role

Status in OpenStack Identity (keystone):
  New

Bug description:
  (as above)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2091317/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
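The reporter's argument is that an inherited group assignment on the domain should resolve to a role on every project in that domain, so the role requested for the application credential is one the user effectively holds. The following is an added illustration of that resolution, not keystone's code and not something the reporter posted: it models the OpenStack assignment rules (group membership expands to members; an inherited domain assignment reaches the domain's projects; a non-inherited domain assignment does not) over the identifiers from the report and some constructed sample data. The names `Assignment`, `effective_roles`, `ancestor_projects` and `missing_roles` are hypothetical, and the second project ("other-project") is constructed only to show where inheritance stops.

```python
"""Effective role resolution for a (user, project) pair, expanding group
membership and inherited assignments.  Added illustration only: this is not
keystone's code and does not reproduce its application-credential validation;
it models the OpenStack assignment semantics the report relies on."""
from dataclasses import dataclass
from typing import Optional

# Identifiers copied from the bug report above.
ROLE = "4a5321ded95d4c2caa3ebb329fd12dd5"
USER = "b22322eb26e893803f1839640e7de6c9647892c8cffe75b7603f9b168ef1afec"
GROUP = "74903141bbe74b148f7aac29b8ac83eb"
PROJECT = "9c5848c68f1c41d181365eea45ed804b"   # doug-test, domain "default"
DOMAIN = "default"


@dataclass(frozen=True)
class Assignment:
    """One row of `openstack role assignment list` (hypothetical model)."""
    role: str
    user: Optional[str] = None
    group: Optional[str] = None
    project: Optional[str] = None
    domain: Optional[str] = None
    inherited: bool = False


# Constructed sample data matching the report: a single inherited group
# assignment on the domain, and the (federated, mapped) user as a group member.
ASSIGNMENTS = [Assignment(role=ROLE, group=GROUP, domain=DOMAIN, inherited=True)]
GROUP_MEMBERS = {GROUP: {USER}}
PROJECTS = {
    PROJECT: {"domain_id": DOMAIN, "parent_id": DOMAIN},
    # Constructed extra project in another domain, to show the limit of inheritance.
    "other-project": {"domain_id": "other-domain", "parent_id": "other-domain"},
}


def ancestor_projects(project, projects):
    """Parent project chain of `project` (domains are not listed in `projects`)."""
    chain = []
    parent = projects[project]["parent_id"]
    while parent in projects:
        chain.append(parent)
        parent = projects[parent]["parent_id"]
    return chain


def effective_roles(user, project, assignments, group_members, projects):
    """Roles `user` effectively holds on `project`.

    Rules modelled (OpenStack semantics):
      * a group assignment counts for every member of the group;
      * a non-inherited assignment applies only to its own target;
      * an inherited assignment on a domain applies to every project in that
        domain, and an inherited assignment on a project applies to its
        descendants, but never to the target itself.
    """
    groups = {g for g, members in group_members.items() if user in members}
    domain = projects[project]["domain_id"]
    ancestors = ancestor_projects(project, projects)
    roles = set()
    for a in assignments:
        if not (a.user == user or (a.group is not None and a.group in groups)):
            continue
        if not a.inherited:
            if a.project == project:
                roles.add(a.role)
        elif (a.domain == domain and a.project is None) or a.project in ancestors:
            roles.add(a.role)
    return roles


def missing_roles(user, project, requested, assignments, group_members, projects):
    """Requested application-credential roles the user does not hold on the
    project; an empty set means the request should be accepted."""
    return set(requested) - effective_roles(user, project, assignments,
                                            group_members, projects)


if __name__ == "__main__":
    print(effective_roles(USER, PROJECT, ASSIGNMENTS, GROUP_MEMBERS, PROJECTS))
    print(missing_roles(USER, PROJECT, [ROLE], ASSIGNMENTS, GROUP_MEMBERS, PROJECTS))
```

Against a real deployment the equivalent check is `openstack role assignment list --user <user-id> --project <project-id> --effective`, which expands group membership and inheritance the same way; if that output lists the role but the application credential request is still rejected, the mismatch is between the effective assignment view and the application-credential validation path, which is what this report describes.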