3.7. Create the Identity Service Endpoint

Once the Identity service has been started, its API endpoint must be defined. Some OpenStack services, including the dashboard, will not work unless this record is present.
All steps listed in this procedure must be performed while logged in to the Identity server as the root user.

Procedure 3.9. Creating the Identity Service Endpoint

  1. Set the SERVICE_TOKEN Environment Variable

    Set the SERVICE_TOKEN environment variable to the administration token. This is done by reading the token file created when setting the administration token.
    # export SERVICE_TOKEN=`cat ~/ks_admin_token`
  2. Set the SERVICE_ENDPOINT Environment Variable

    Set the SERVICE_ENDPOINT environment variable to point to the server hosting the Identity service.
    # export SERVICE_ENDPOINT="http://IP:35357/v2.0"
    Replace IP with the IP address or host name of your Identity server.
  3. Create a Service Entry

    Create a service entry for the Identity service using the keystone service-create command.
    # keystone service-create --name=keystone --type=identity \
            --description="Keystone Identity service" 
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |     Keystone Identity service    |
    | id          | a8bff1db381f4751bd8ac126464511ae |
    | name        |             keystone             |
    | type        |             identity             |
    +-------------+----------------------------------+
  4. Create an Endpoint for the API

    Create an endpoint entry for the v2.0 API Identity service using the keystone endpoint-create command.
    # keystone endpoint-create \
            --service keystone \
            --publicurl 'http://IP:5000/v2.0' \
            --adminurl 'http://IP:35357/v2.0' \
            --internalurl 'http://IP:5000/v2.0'
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | adminurl    |       http://IP:35357/v2.0       |
    | id          | 1295011fdc874a838f702518e95a0e13 |
    | internalurl |       http://IP:5000/v2.0        |
    | publicurl   |       http://IP:5000/v2.0        |
    | region      |             regionOne            |
    | service_id  |                 ID               |
    +-------------+----------------------------------+
    Replace IP with the IP address or host name of the Identity server.

    Note

    By default, the endpoint is created in the default region, regionOne. If you need to specify a different region when creating an endpoint, use the --region argument to provide it.

The Identity service and endpoint entry have been created. The final step in Identity service configuration is the creation of the default user accounts, roles, and tenants.

3.7.1. Service Regions

Each service cataloged in the Identity service is identified by its region, which typically represents a geographical location, and its endpoint. In a cloud with multiple Compute deployments, regions allow for the discrete separation of services, and are a robust way to share some infrastructure between Compute installations, while allowing for a high degree of failure tolerance.
Administrators determine which services are shared between regions and which services are used only with a specific region. By default, when an endpoint is defined and no region is specified, it is created in the region named regionOne.
To begin using separate regions, specify the --region argument when adding service endpoints.
$ keystone endpoint-create --region REGION \
   --service SERVICENAME \
   --publicurl PUBLICURL \
   --adminurl ADMINURL \
   --internalurl INTERNALURL
Replace REGION with the name of the region that the endpoint belongs to. When sharing an endpoint between regions, create an endpoint entry containing the same URLs for each applicable region. For information on setting the URLs for each service, refer to the Identity service configuration information of the service in question.

Example 3.1. Endpoints within Discrete Regions

In this example the APAC and EMEA regions share an Identity server (identity.example.com) endpoint while providing region-specific compute API endpoints.
$ keystone endpoint-list
+---------+--------+------------------------------------------------------+
|   id    | region |                      publicurl                       |
+---------+--------+------------------------------------------------------+
| 0d8b... |  APAC  |         http://identity.example.com:5000/v3          |
| 769f... |  EMEA  |         http://identity.example.com:5000/v3          |
| 516c... |  APAC  |  http://nova-apac.example.com:8774/v2/$(tenant_id)s  |
| cf7e... |  EMEA  |  http://nova-emea.example.com:8774/v2/$(tenant_id)s  |
+---------+--------+------------------------------------------------------+
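
As an added example (not part of the original guide), the following shell functions parse endpoint-list output laid out as in Example 3.1, report which public URLs are shared between regions, and list the regions that lack an entry for a given URL. The function names are hypothetical, and the code assumes that id, region and publicurl are the first three table columns.

```shell
# Constructed sample input: the endpoint-list table from Example 3.1.
sample_endpoint_list() {
cat <<'EOF'
+---------+--------+------------------------------------------------------+
|   id    | region |                      publicurl                       |
+---------+--------+------------------------------------------------------+
| 0d8b... |  APAC  |         http://identity.example.com:5000/v3          |
| 769f... |  EMEA  |         http://identity.example.com:5000/v3          |
| 516c... |  APAC  |  http://nova-apac.example.com:8774/v2/$(tenant_id)s  |
| cf7e... |  EMEA  |  http://nova-emea.example.com:8774/v2/$(tenant_id)s  |
+---------+--------+------------------------------------------------------+
EOF
}

# Hypothetical helper: read the table on stdin and print, per publicurl,
# "<shared|single> <comma-separated regions> <publicurl>".
endpoint_region_report() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\|/ {
            region = trim($3); url = trim($4)
            if (trim($2) == "id") next                 # skip the header row
            if (!(url in regions)) { order[++n] = url; regions[url] = region }
            else if (index("," regions[url] ",", "," region ",") == 0)
                regions[url] = regions[url] "," region
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                kind = (index(regions[u], ",") > 0) ? "shared" : "single"
                print kind, regions[u], u
            }
        }'
}

# Hypothetical helper: print each expected region that has no entry for the
# given publicurl; the exit status is 1 if any region is missing.
endpoint_missing_regions() {
    url=$1; shift
    awk -F'|' -v want="$url" -v expect="$*" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\|/ && trim($4) == want { seen[trim($3)] = 1 }
        END {
            n = split(expect, r, " ")
            for (i = 1; i <= n; i++) if (!(r[i] in seen)) { print r[i]; miss = 1 }
            exit miss + 0
        }'
}

sample_endpoint_list | endpoint_region_report
```

Against a live deployment, pipe the output of keystone endpoint-list into either function in place of the sample table.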