Chapter 1. The OpenStack Client

The openstack client is a common OpenStack command-line interface (CLI). This chapter documents the main options for openstack version 4.0.2 .

Command-line interface to the OpenStack APIs

Usage:

openstack [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug]
                 [--os-cloud <cloud-config-name>]
                 [--os-region-name <auth-region-name>]
                 [--os-cacert <ca-bundle-file>] [--os-cert <certificate-file>]
                 [--os-key <key-file>] [--verify | --insecure]
                 [--os-default-domain <auth-domain>]
                 [--os-interface <interface>]
                 [--os-service-provider <service_provider>]
                 [--os-remote-project-name <remote_project_name> | --os-remote-project-id <remote_project_id>]
                 [--os-remote-project-domain-name <remote_project_domain_name> | --os-remote-project-domain-id <remote_project_domain_id>]
                 [--timing] [--os-beta-command] [--os-profile hmac-key]
                 [--os-compute-api-version <compute-api-version>]
                 [--os-identity-api-version <identity-api-version>]
                 [--os-image-api-version <image-api-version>]
                 [--os-network-api-version <network-api-version>]
                 [--os-object-api-version <object-api-version>]
                 [--os-volume-api-version <volume-api-version>]
                 [--os-queues-api-version <queues-api-version>]
                 [--os-database-api-version <database-api-version>]
                 [--os-tripleoclient-api-version <tripleoclient-api-version>]
                 [--os-data-processing-api-version <data-processing-api-version>]
                 [--os-data-processing-url OS_DATA_PROCESSING_URL]
                 [--os-loadbalancer-api-version <loadbalancer-api-version>]
                 [--os-workflow-api-version <workflow-api-version>]
                 [--os-container-infra-api-version <container-infra-api-version>]
                 [--os-baremetal-api-version <baremetal-api-version>]
                 [--inspector-api-version INSPECTOR_API_VERSION]
                 [--inspector-url INSPECTOR_URL]
                 [--os-orchestration-api-version <orchestration-api-version>]
                 [--os-dns-api-version <dns-api-version>]
                 [--os-key-manager-api-version <key-manager-api-version>]
                 [--os-metrics-api-version <metrics-api-version>]
                 [--os-alarming-api-version <alarming-api-version>]
                 [--os-auth-type <auth-type>] [--os-auth-url <auth-auth-url>]
                 [--os-trust-id <auth-trust-id>]
                 [--os-username <auth-username>] [--os-user-id <auth-user-id>]
                 [--os-password <auth-password>] [--os-token <auth-token>]
                 [--os-system-scope <auth-system-scope>]
                 [--os-domain-id <auth-domain-id>]
                 [--os-domain-name <auth-domain-name>]
                 [--os-project-id <auth-project-id>]
                 [--os-project-name <auth-project-name>]
                 [--os-project-domain-id <auth-project-domain-id>]
                 [--os-project-domain-name <auth-project-domain-name>]
                 [--os-user-domain-id <auth-user-domain-id>]
                 [--os-user-domain-name <auth-user-domain-name>]
                 [--os-application-credential-secret <auth-application-credential-secret>]
                 [--os-application-credential-id <auth-application-credential-id>]
                 [--os-application-credential-name <auth-application-credential-name>]
                 [--os-identity-provider <auth-identity-provider>]
                 [--os-protocol <auth-protocol>]
                 [--os-identity-provider-url <auth-identity-provider-url>]
                 [--os-service-provider-endpoint <auth-service-provider-endpoint>]
                 [--os-service-provider-entity-id <auth-service-provider-entity-id>]
                 [--os-endpoint <auth-endpoint>]
                 [--os-access-token <auth-access-token>]
                 [--os-roles <auth-roles>]
                 [--os-aodh-endpoint <auth-aodh-endpoint>]
                 [--os-client-id <auth-client-id>]
                 [--os-client-secret <auth-client-secret>]
                 [--os-openid-scope <auth-openid-scope>]
                 [--os-access-token-endpoint <auth-access-token-endpoint>]
                 [--os-discovery-endpoint <auth-discovery-endpoint>]
                 [--os-access-token-type <auth-access-token-type>]
                 [--os-redirect-uri <auth-redirect-uri>]
                 [--os-code <auth-code>]
                 [--os-consumer-key <auth-consumer-key>]
                 [--os-consumer-secret <auth-consumer-secret>]
                 [--os-access-key <auth-access-key>]
                 [--os-access-secret <auth-access-secret>]
                 [--os-default-domain-id <auth-default-domain-id>]
                 [--os-default-domain-name <auth-default-domain-name>]
                 [--os-user <auth-user>] [--os-passcode <auth-passcode>]
                 [--os-auth-methods <auth-auth-methods>]

Table 1.1. Optional Arguments

ValueSummary

--version

Show program’s version number and exit

-v, --verbose

Increase verbosity of output. can be repeated.

-q, --quiet

Suppress output except warnings and errors.

--log-file LOG_FILE

Specify a file to log output. disabled by default.

-h, --help

Show help message and exit.

--debug

Show tracebacks on errors.

--os-cloud <cloud-config-name>

Cloud name in clouds.yaml (env: os_cloud)

--os-region-name <auth-region-name>

Authentication region name (env: os_region_name)

--os-cacert <ca-bundle-file>

Ca certificate bundle file (env: os_cacert)

--os-cert <certificate-file>

Client certificate bundle file (env: os_cert)

--os-key <key-file>

Client certificate key file (env: os_key)

--verify

Verify server certificate (default)

--insecure

Disable server certificate verification

--os-default-domain <auth-domain>

Default domain id, default=default. (env: OS_DEFAULT_DOMAIN)

--os-interface <interface>

Select an interface type. valid interface types: [admin, public, internal]. default=public, (Env: OS_INTERFACE)

--os-service-provider <service_provider>

Authenticate with and perform the command on a service provider using Keystone-to-keystone federation. Must also specify the remote project option.

--os-remote-project-name <remote_project_name>

Project name when authenticating to a service provider if using Keystone-to-Keystone federation.

--os-remote-project-id <remote_project_id>

Project id when authenticating to a service provider if using Keystone-to-Keystone federation.

--os-remote-project-domain-name <remote_project_domain_name>

Domain name of the project when authenticating to a service provider if using Keystone-to-Keystone federation.

--os-remote-project-domain-id <remote_project_domain_id>

Domain id of the project when authenticating to a service provider if using Keystone-to-Keystone federation.

--timing

Print api call timing info

--os-beta-command

Enable beta commands which are subject to change

--os-profile hmac-key

Hmac key for encrypting profiling context data

--os-compute-api-version <compute-api-version>

Compute api version, default=2.1 (env: OS_COMPUTE_API_VERSION)

--os-identity-api-version <identity-api-version>

Identity api version, default=3 (env: OS_IDENTITY_API_VERSION)

--os-image-api-version <image-api-version>

Image api version, default=2 (env: OS_IMAGE_API_VERSION)

--os-network-api-version <network-api-version>

Network api version, default=2.0 (env: OS_NETWORK_API_VERSION)

--os-object-api-version <object-api-version>

Object api version, default=1 (env: OS_OBJECT_API_VERSION)

--os-volume-api-version <volume-api-version>

Volume api version, default=3 (env: OS_VOLUME_API_VERSION)

--os-queues-api-version <queues-api-version>

Queues api version, default=2 (env: OS_QUEUES_API_VERSION)

--os-database-api-version <database-api-version>

Database api version, default=1 (env: OS_DATABASE_API_VERSION)

--os-tripleoclient-api-version <tripleoclient-api-version>

Tripleo client api version, default=1 (env: OS_TRIPLEOCLIENT_API_VERSION)

--os-data-processing-api-version <data-processing-api-version>

Data processing api version, default=1.1 (env: OS_DATA_PROCESSING_API_VERSION)

--os-data-processing-url OS_DATA_PROCESSING_URL

Data processing api url, (env: OS_DATA_PROCESSING_API_URL)

--os-loadbalancer-api-version <loadbalancer-api-version>

Osc plugin api version, default=2.0 (env: OS_LOADBALANCER_API_VERSION)

--os-workflow-api-version <workflow-api-version>

Workflow api version, default=2 (env: OS_WORKFLOW_API_VERSION)

--os-container-infra-api-version <container-infra-api-version>

Container-infra api version, default=1 (env: OS_CONTAINER_INFRA_API_VERSION)

--os-baremetal-api-version <baremetal-api-version>

Bare metal api version, default="latest" (the maximum version supported by both the client and the server). (Env: OS_BAREMETAL_API_VERSION)

--inspector-api-version INSPECTOR_API_VERSION

Inspector api version, only 1 is supported now (env: INSPECTOR_VERSION).

--inspector-url INSPECTOR_URL

Inspector url, defaults to localhost (env: INSPECTOR_URL).

--os-orchestration-api-version <orchestration-api-version>

Orchestration api version, default=1 (env: OS_ORCHESTRATION_API_VERSION)

--os-dns-api-version <dns-api-version>

Dns api version, default=2 (env: os_dns_api_version)

--os-key-manager-api-version <key-manager-api-version>

Barbican api version, default=1 (env: OS_KEY_MANAGER_API_VERSION)

--os-metrics-api-version <metrics-api-version>

Metrics api version, default=1 (env: OS_METRICS_API_VERSION)

--os-alarming-api-version <alarming-api-version>

Queues api version, default=2 (env: OS_ALARMING_API_VERSION)

--os-auth-type <auth-type>

Select an authentication type. available types: v2password, v2token, v3applicationcredential, v3adfspassword, noauth, v1password, v3oidcaccesstoken, aodh-noauth, v3token, v3oidcauthcode, admin_token, v3oauth1, none, password, token, v3tokenlessauth, v3oidcpassword, gnocchi-basic, gnocchi-noauth, v3samlpassword, v3password, v3totp, v3multifactor, v3oidcclientcredentials. Default: selected based on --os-username/--os-token (Env: OS_AUTH_TYPE)

--os-auth-url <auth-auth-url>

With v2password: authentication url with v2token: Authentication URL With v3applicationcredential: Authentication URL With v3adfspassword: Authentication URL With v1password: Authentication URL With v3oidcaccesstoken: Authentication URL With v3token: Authentication URL With v3oidcauthcode: Authentication URL With v3oauth1: Authentication URL With password: Authentication URL With token: Authentication URL With v3tokenlessauth: Authentication URL With v3oidcpassword: Authentication URL With v3samlpassword: Authentication URL With v3password: Authentication URL With v3totp: Authentication URL With v3multifactor: Authentication URL With v3oidcclientcredentials: Authentication URL (Env: OS_AUTH_URL)

--os-trust-id <auth-trust-id>

With v2password: trust id with v2token: trust id with v3applicationcredential: Trust ID With v3adfspassword: Trust ID With v3oidcaccesstoken: Trust ID With v3token: Trust ID With v3oidcauthcode: Trust ID With password: Trust ID With token: Trust ID With v3oidcpassword: Trust ID With v3samlpassword: Trust ID With v3password: Trust ID With v3totp: Trust ID With v3multifactor: Trust ID With v3oidcclientcredentials: Trust ID (Env: OS_TRUST_ID)

--os-username <auth-username>

With v2password: username to login with with v3applicationcredential: Username With v3adfspassword: Username With v1password: Username to login with With password: Username With v3oidcpassword: Username With v3samlpassword: Username With v3password: Username With v3totp: Username (Env: OS_USERNAME)

--os-user-id <auth-user-id>

With v2password: user id to login with with v3applicationcredential: User ID With noauth: User ID With aodh-noauth: User ID With password: User id With gnocchi-noauth: User ID With v3password: User ID With v3totp: User ID (Env: OS_USER_ID)

--os-password <auth-password>

With v2password: password to use with v3adfspassword: Password With v1password: Password to use With password: User’s password With v3oidcpassword: Password With v3samlpassword: Password With v3password: User’s password (Env: OS_PASSWORD)

--os-token <auth-token>

With v2token: token with v3token: token to authenticate with With admin_token: The token that will always be used With token: Token to authenticate with (Env: OS_TOKEN)

--os-system-scope <auth-system-scope>

With v3applicationcredential: scope for system operations With v3adfspassword: Scope for system operations With v3oidcaccesstoken: Scope for system operations With v3token: Scope for system operations With v3oidcauthcode: Scope for system operations With password: Scope for system operations With token: Scope for system operations With v3oidcpassword: Scope for system operations With v3samlpassword: Scope for system operations With v3password: Scope for system operations With v3totp: Scope for system operations With v3multifactor: Scope for system operations With v3oidcclientcredentials: Scope for system operations (Env: OS_SYSTEM_SCOPE)

--os-domain-id <auth-domain-id>

With v3applicationcredential: domain id to scope to With v3adfspassword: Domain ID to scope to With v3oidcaccesstoken: Domain ID to scope to With v3token: Domain ID to scope to With v3oidcauthcode: Domain ID to scope to With password: Domain ID to scope to With token: Domain ID to scope to With v3tokenlessauth: Domain ID to scope to With v3oidcpassword: Domain ID to scope to With v3samlpassword: Domain ID to scope to With v3password: Domain ID to scope to With v3totp: Domain ID to scope to With v3multifactor: Domain ID to scope to With v3oidcclientcredentials: Domain ID to scope to (Env: OS_DOMAIN_ID)

--os-domain-name <auth-domain-name>

With v3applicationcredential: domain name to scope to With v3adfspassword: Domain name to scope to With v3oidcaccesstoken: Domain name to scope to With v3token: Domain name to scope to With v3oidcauthcode: Domain name to scope to With password: Domain name to scope to With token: Domain name to scope to With v3tokenlessauth: Domain name to scope to With v3oidcpassword: Domain name to scope to With v3samlpassword: Domain name to scope to With v3password: Domain name to scope to With v3totp: Domain name to scope to With v3multifactor: Domain name to scope to With v3oidcclientcredentials: Domain name to scope to (Env: OS_DOMAIN_NAME)

--os-project-id <auth-project-id>

With v3applicationcredential: project id to scope to With v3adfspassword: Project ID to scope to With noauth: Project ID With v3oidcaccesstoken: Project ID to scope to With aodh-noauth: Project ID With v3token: Project ID to scope to With v3oidcauthcode: Project ID to scope to With password: Project ID to scope to With token: Project ID to scope to With v3tokenlessauth: Project ID to scope to With v3oidcpassword: Project ID to scope to With gnocchi-noauth: Project ID With v3samlpassword: Project ID to scope to With v3password: Project ID to scope to With v3totp: Project ID to scope to With v3multifactor: Project ID to scope to With v3oidcclientcredentials: Project ID to scope to (Env: OS_PROJECT_ID)

--os-project-name <auth-project-name>

With v3applicationcredential: project name to scope to With v3adfspassword: Project name to scope to With v1password: Swift account to use With v3oidcaccesstoken: Project name to scope to With v3token: Project name to scope to With v3oidcauthcode: Project name to scope to With password: Project name to scope to With token: Project name to scope to With v3tokenlessauth: Project name to scope to With v3oidcpassword: Project name to scope to With v3samlpassword: Project name to scope to With v3password: Project name to scope to With v3totp: Project name to scope to With v3multifactor: Project name to scope to With v3oidcclientcredentials: Project name to scope to (Env: OS_PROJECT_NAME)

--os-project-domain-id <auth-project-domain-id>

With v3applicationcredential: domain id containing project With v3adfspassword: Domain ID containing project With v3oidcaccesstoken: Domain ID containing project With v3token: Domain ID containing project With v3oidcauthcode: Domain ID containing project With password: Domain ID containing project With token: Domain ID containing project With v3tokenlessauth: Domain ID containing project With v3oidcpassword: Domain ID containing project With v3samlpassword: Domain ID containing project With v3password: Domain ID containing project With v3totp: Domain ID containing project With v3multifactor: Domain ID containing project With v3oidcclientcredentials: Domain ID containing project (Env: OS_PROJECT_DOMAIN_ID)

--os-project-domain-name <auth-project-domain-name>

With v3applicationcredential: domain name containing project With v3adfspassword: Domain name containing project With v3oidcaccesstoken: Domain name containing project With v3token: Domain name containing project With v3oidcauthcode: Domain name containing project With password: Domain name containing project With token: Domain name containing project With v3tokenlessauth: Domain name containing project With v3oidcpassword: Domain name containing project With v3samlpassword: Domain name containing project With v3password: Domain name containing project With v3totp: Domain name containing project With v3multifactor: Domain name containing project With v3oidcclientcredentials: Domain name containing project (Env: OS_PROJECT_DOMAIN_NAME)

--os-user-domain-id <auth-user-domain-id>

With v3applicationcredential: user’s domain id with password: User’s domain id With v3password: User’s domain id With v3totp: User’s domain id (Env: OS_USER_DOMAIN_ID)

--os-user-domain-name <auth-user-domain-name>

With v3applicationcredential: user’s domain name with password: User’s domain name With v3password: User’s domain name With v3totp: User’s domain name (Env: OS_USER_DOMAIN_NAME)

--os-application-credential-secret <auth-application-credential-secret>

With v3applicationcredential: application credential auth secret (Env: OS_APPLICATION_CREDENTIAL_SECRET)

--os-application-credential-id <auth-application-credential-id>

With v3applicationcredential: application credential ID (Env: OS_APPLICATION_CREDENTIAL_ID)

--os-application-credential-name <auth-application-credential-name>

With v3applicationcredential: application credential name (Env: OS_APPLICATION_CREDENTIAL_NAME)

--os-identity-provider <auth-identity-provider>

With v3adfspassword: identity provider’s name with v3oidcaccesstoken: Identity Provider’s name With v3oidcauthcode: Identity Provider’s name With v3oidcpassword: Identity Provider’s name With v3samlpassword: Identity Provider’s name With v3oidcclientcredentials: Identity Provider’s name (Env: OS_IDENTITY_PROVIDER)

--os-protocol <auth-protocol>

With v3adfspassword: protocol for federated plugin With v3oidcaccesstoken: Protocol for federated plugin With v3oidcauthcode: Protocol for federated plugin With v3oidcpassword: Protocol for federated plugin With v3samlpassword: Protocol for federated plugin With v3oidcclientcredentials: Protocol for federated plugin (Env: OS_PROTOCOL)

--os-identity-provider-url <auth-identity-provider-url>

With v3adfspassword: an identity provider url, where the SAML authentication request will be sent. With v3samlpassword: An Identity Provider URL, where the SAML2 authentication request will be sent. (Env: OS_IDENTITY_PROVIDER_URL)

--os-service-provider-endpoint <auth-service-provider-endpoint>

With v3adfspassword: service provider’s endpoint (env: OS_SERVICE_PROVIDER_ENDPOINT)

--os-service-provider-entity-id <auth-service-provider-entity-id>

With v3adfspassword: service provider’s saml entity id (Env: OS_SERVICE_PROVIDER_ENTITY_ID)

--os-endpoint <auth-endpoint>

With noauth: cinder endpoint with admin_token: the endpoint that will always be used With none: The endpoint that will always be used With gnocchi-basic: Gnocchi endpoint With gnocchi-noauth: Gnocchi endpoint (Env: OS_ENDPOINT)

--os-access-token <auth-access-token>

With v3oidcaccesstoken: oauth 2.0 access token (env: OS_ACCESS_TOKEN)

--os-roles <auth-roles>

With aodh-noauth: roles with gnocchi-noauth: roles (Env: OS_ROLES)

--os-aodh-endpoint <auth-aodh-endpoint>

With aodh-noauth: aodh endpoint (env: OS_AODH_ENDPOINT)

--os-client-id <auth-client-id>

With v3oidcauthcode: oauth 2.0 client id with v3oidcpassword: OAuth 2.0 Client ID With v3oidcclientcredentials: OAuth 2.0 Client ID (Env: OS_CLIENT_ID)

--os-client-secret <auth-client-secret>

With v3oidcauthcode: oauth 2.0 client secret with v3oidcpassword: OAuth 2.0 Client Secret With v3oidcclientcredentials: OAuth 2.0 Client Secret (Env: OS_CLIENT_SECRET)

--os-openid-scope <auth-openid-scope>

With v3oidcauthcode: openid connect scope that is requested from authorization server. Note that the OpenID Connect specification states that "openid" must be always specified. With v3oidcpassword: OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that "openid" must be always specified. With v3oidcclientcredentials: OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that "openid" must be always specified. (Env: OS_OPENID_SCOPE)

--os-access-token-endpoint <auth-access-token-endpoint>

With v3oidcauthcode: openid connect provider token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document. With v3oidcpassword: OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document. With v3oidcclientcredentials: OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document. (Env: OS_ACCESS_TOKEN_ENDPOINT)

--os-discovery-endpoint <auth-discovery-endpoint>

With v3oidcauthcode: openid connect discovery document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid- configuration With v3oidcpassword: OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid- configuration With v3oidcclientcredentials: OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well- known/openid-configuration (Env: OS_DISCOVERY_ENDPOINT)

--os-access-token-type <auth-access-token-type>

With v3oidcauthcode: oauth 2.0 authorization server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: "access_token" or "id_token" With v3oidcpassword: OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: "access_token" or "id_token" With v3oidcclientcredentials: OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: "access_token" or "id_token" (Env: OS_ACCESS_TOKEN_TYPE)

--os-redirect-uri <auth-redirect-uri>

With v3oidcauthcode: openid connect redirect url (env: OS_REDIRECT_URI)

--os-code <auth-code>

With v3oidcauthcode: oauth 2.0 authorization code (Env: OS_CODE)

--os-consumer-key <auth-consumer-key>

With v3oauth1: oauth consumer id/key (env: OS_CONSUMER_KEY)

--os-consumer-secret <auth-consumer-secret>

With v3oauth1: oauth consumer secret (env: OS_CONSUMER_SECRET)

--os-access-key <auth-access-key>

With v3oauth1: oauth access key (env: os_access_key)

--os-access-secret <auth-access-secret>

With v3oauth1: oauth access secret (env: OS_ACCESS_SECRET)

--os-default-domain-id <auth-default-domain-id>

With password: optional domain id to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication. With token: Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication. (Env: OS_DEFAULT_DOMAIN_ID)

--os-default-domain-name <auth-default-domain-name>

With password: optional domain name to use with v3 api and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication. With token: Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication. (Env: OS_DEFAULT_DOMAIN_NAME)

--os-user <auth-user>

With gnocchi-basic: user (env: os_user)

--os-passcode <auth-passcode>

With v3totp: user’s totp passcode (env: os_passcode)

--os-auth-methods <auth-auth-methods>

With v3multifactor: methods to authenticate with. (Env: OS_AUTH_METHODS)