How to increase OpenStack Keystone Ticket Timeout?

Solution Verified - Updated -


  • Red Hat Enterprise Linux OpenStack Platform 6. (RHELOP)
  • Red Hat Enterprise Linux OpenStack Platform 7. (RHELOP)
  • Red Hat OpenStack Platform 8. (RHOSP)
  • Red Hat OpenStack Platform 9. (RHOSP)
  • Red Hat OpenStack Platform 10. (RHOSP)
  • Red Hat OpenStack Platform 11. (RHOSP)
  • Red Hat OpenStack Platform 12. (RHOSP) or later follow:


  • How to increase the OpenStack Keystone Ticket Timeout?
  • Some operations are getting a Timeout from Keystone before it completes. Is it possible to increase the ticket validation?


  • If you are experiencing some kind of timeout or the Keystone Ticket is expiring during an operation, for instance when you upload a glance image and it takes more time than the ticket, you can increase the keystone ticket changing the keystone.conf file:
    Inside the /etc/keystone/keystone.conf you have the following option:
# Amount of time a token should remain valid (in seconds).
# (integer value)

You can safely change it to a new value in order to fit in your needs, for instance 7200 or another value:

# Amount of time a token should remain valid (in seconds).
# (integer value)

Afterwards keystone needs to be restarted.

Note: If you have more than one controller and runs it behind an HAProxy, you can safely change the parameter expiration in the keystone.conf in each controller and then restart each one separately. HAProxy will take care to redirect the services to a active service.

The keystone expiration setting can be configured via Director using the following parameter file:

        keystone::token_expiration: 28800

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


For OSP 7, BZ 1235908 shows that the default was increased to 14400 (4 hours)

That is only for undercloud. For overcloud, it's still 3600 ie 1 hour.

Hi, Can we increase the timeout for certain users and not all of them? Thanks

No I don't think you can. It's a global setting.