Skip to content

Automation Credentials in Cyso Cloud

Estimated time to read: 3 minutes

When you create an application credential in Cyso Cloud, the dashboard lets you download it in four formats. Each format is tailored to a different tool or workflow. All formats are generated from the same underlying credential — if you rotate the credential, download fresh files for every tool using it.

Prerequisites:

  • An active Cyso Cloud account

Downloading your credentials

  1. Log in at https://my.cyso.cloud and go to Access > Credentials.
  2. Create a new credential if you don't have one. The password is shown only once — save it in a password manager immediately.
  3. Click the format link matching the tool you want to use. The available formats are described below.

OpenRC

The OpenRC file (openrc.sh) is a shell script that exports your credentials as environment variables. It is the standard way to authenticate the OpenStack CLI and any tool that reads OpenStack environment variables.

source ~/cyso-cloud.sh

After sourcing, environment variables like OS_AUTH_URL, OS_USERNAME, and OS_PROJECT_ID are set in your current shell session. Any subsequent openstack CLI command or API call will use these automatically.

Use this for: OpenStack CLI, custom scripts, Ansible with the openstack.cloud collection.

See OpenStack & Automation for examples.

Clouds.yaml

clouds.yaml is a YAML configuration file recognised by the OpenStack SDK and CLI. It lets you store multiple named cloud profiles in a single file, which is useful when working with several environments or regions. An example is given below.

clouds:
  fuga:
    auth:
      auth_url: "$KEYSTONE_REGIONAL_API_ENDPOINT"
      application_credential_id: "$CREDENTIAL_ID"
      application_credential_secret: "$CREDENTIAL_SECRET"
    region_name: "ams2"
    auth_type: v3applicationcredential
    identity_api_version: 3

Place the file at ~/.config/openstack/clouds.yaml. You can then target it by name:

openstack --os-cloud cyso-cloud server list

Use this for: OpenStack CLI with multiple environments, any tool built on the OpenStack SDK (including some Terraform and Ansible setups).

Terraform

The Terraform credentials file contains a pre-filled provider block for the OpenStack Terraform provider. Drop its contents into your provider.tf to authenticate Terraform against Cyso Cloud without manually setting variables. An example is given below.

provider "openstack" {
  auth_url = "<KEYSTONE_REGIONAL_API_ENDPOINT>"
  region = "ams2"
  application_credential_id = "<id>"
  application_credential_secret = "<secret>"
}

Use this for: Terraform infrastructure-as-code workflows. See Deploy an instance using Terraform for a full example.

Dockerfile

The Dockerfile credential format exports your credentials as ENV instructions, suitable for building container images that interact with the Cyso Cloud API. Inject these variables into a base image that has the openstack CLI or SDK installed. An example is given below.

FROM fugacloud/openstackcli
LABEL Description="This image provides access to Cyso Cloud using the Openstack CLI" Vendor="Cyso Cloud"

ARG OS_APPLICATION_CREDENTIAL_SECRET
ENV OS_AUTH_URL="$KEYSTONE_REGIONAL_API_ENDPOINT" \ 
  OS_APPLICATION_CREDENTIAL_ID=$CREDENTIAL_ID \ 
  OS_APPLICATION_CREDENTIAL_SECRET=$OS_APPLICATION_CREDENTIAL_SECRET \ 
  OS_REGION_NAME="ams2" \ 
  OS_AUTH_TYPE="v3applicationcredential" \ 
  OS_IDENTITY_API_VERSION=3

CMD openstack

Warning

Never commit a Dockerfile containing credentials to a public repository. Use Docker build secrets or a secrets manager for production workloads.

Use this for: CI/CD pipelines and containers that automate OpenStack operations.