Identity API v3

updated: 2025-10-09 15:32

Identity API v3

For details on how to use identity, see Using OpenStack Identity

The Identity v3 Class

The identity high-level interface is available through the identity member of a Connection object. The identity member will only be added if the service is detected.

Credential Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_credential(**attrs)

Create a new credential from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Credential, comprised of the properties on the Credential class.

Returns:

The results of credential creation

Return type:

Credential

delete_credential(credential, ignore_missing=True)

Delete a credential

Parameters:

  • credential – The value can be either the ID of a credential or a Credential instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the credential does not exist. When set to True, no exception will be set when attempting to delete a nonexistent credential.

Returns:

None

find_credential(name_or_id, ignore_missing=True)

Find a single credential

Parameters:

  • name_or_id – The name or ID of a credential.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Credential or None

get_credential(credential)

Get a single credential

Parameters:

credential – The value can be the ID of a credential or a Credential instance.

Returns:

One Credential

Raises:

ResourceNotFound when no resource can be found.

credentials(**query)

Retrieve a generator of credentials

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of credentials instances.

Return type:

Credential

update_credential(credential, **attrs)

Update a credential

Parameters:

credential – Either the ID of a credential or a Credential instance.

Attrs kwargs:

The attributes to update on the credential represented by value.

Returns:

The updated credential

Return type:

Credential

Domain Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_domain(**attrs)

Create a new domain from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Domain, comprised of the properties on the Domain class.

Returns:

The results of domain creation

Return type:

Domain

delete_domain(domain, ignore_missing=True)

Delete a domain

Parameters:

  • domain – The value can be either the ID of a domain or a Domain instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the domain does not exist. When set to True, no exception will be set when attempting to delete a nonexistent domain.

Returns:

None

find_domain(name_or_id, ignore_missing=True)

Find a single domain

Parameters:

  • name_or_id – The name or ID of a domain.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Domain or None

get_domain(domain)

Get a single domain

Parameters:

domain – The value can be the ID of a domain or a Domain instance.

Returns:

One Domain

Raises:

ResourceNotFound when no resource can be found.

domains(**query)

Retrieve a generator of domains

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of domain instances.

Return type:

Domain

update_domain(domain, **attrs)

Update a domain

Parameters:

domain – Either the ID of a domain or a Domain instance.

Attrs kwargs:

The attributes to update on the domain represented by value.

Returns:

The updated domain

Return type:

Domain

Endpoint Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_endpoint(**attrs)

Create a new endpoint from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Endpoint, comprised of the properties on the Endpoint class.

Returns:

The results of endpoint creation

Return type:

Endpoint

delete_endpoint(endpoint, ignore_missing=True)

Delete an endpoint

Parameters:

  • endpoint – The value can be either the ID of an endpoint or a Endpoint instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the endpoint does not exist. When set to True, no exception will be set when attempting to delete a nonexistent endpoint.

Returns:

None

find_endpoint(name_or_id, ignore_missing=True)

Find a single endpoint

Parameters:

  • name_or_id – The name or ID of a endpoint.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Endpoint or None

get_endpoint(endpoint)

Get a single endpoint

Parameters:

endpoint – The value can be the ID of an endpoint or a Endpoint instance.

Returns:

One Endpoint

Raises:

ResourceNotFound when no resource can be found.

endpoints(**query)

Retrieve a generator of endpoints

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of endpoint instances.

Return type:

Endpoint

update_endpoint(endpoint, **attrs)

Update a endpoint

Parameters:

endpoint – Either the ID of a endpoint or a Endpoint instance.

Attrs kwargs:

The attributes to update on the endpoint represented by value.

Returns:

The updated endpoint

Return type:

Endpoint

Group Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_group(**attrs)

Create a new group from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Group, comprised of the properties on the Group class.

Returns:

The results of group creation

Return type:

Group

delete_group(group, ignore_missing=True)

Delete a group

Parameters:

  • group – The value can be either the ID of a group or a Group instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the group does not exist. When set to True, no exception will be set when attempting to delete a nonexistent group.

Returns:

None

find_group(name_or_id, ignore_missing=True, **kwargs)

Find a single group

Parameters:

  • name_or_id – The name or ID of a group.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Group or None

get_group(group)

Get a single group

Parameters:

group – The value can be the ID of a group or a Group instance.

Returns:

One Group

Raises:

ResourceNotFound when no resource can be found.

groups(**query)

Retrieve a generator of groups

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of group instances.

Return type:

Group

update_group(group, **attrs)

Update a group

Parameters:

group – Either the ID of a group or a Group instance.

Attrs kwargs:

The attributes to update on the group represented by value.

Returns:

The updated group

Return type:

Group

add_user_to_group(user, group)

Add user to group

Parameters:

  • user – Either the ID of a user or a User instance.

  • group – Either the ID of a group or a Group instance.

Returns:

None

remove_user_from_group(user, group)

Remove user to group

Parameters:

  • user – Either the ID of a user or a User instance.

  • group – Either the ID of a group or a Group instance.

Returns:

None

check_user_in_group(user, group)

Check whether user belongsto group

Parameters:

  • user – Either the ID of a user or a User instance.

  • group – Either the ID of a group or a Group instance.

Returns:

A boolean representing current relation

Policy Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_policy(**attrs)

Create a new policy from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Policy, comprised of the properties on the Policy class.

Returns:

The results of policy creation

Return type:

Policy

delete_policy(policy, ignore_missing=True)

Delete a policy

Parameters:

  • policy – The value can be either the ID of a policy or a Policy instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the policy does not exist. When set to True, no exception will be set when attempting to delete a nonexistent policy.

Returns:

None

find_policy(name_or_id, ignore_missing=True)

Find a single policy

Parameters:

  • name_or_id – The name or ID of a policy.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Policy or None

get_policy(policy)

Get a single policy

Parameters:

policy – The value can be the ID of a policy or a Policy instance.

Returns:

One Policy

Raises:

ResourceNotFound when no resource can be found.

policies(**query)

Retrieve a generator of policies

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of policy instances.

Return type:

Policy

update_policy(policy, **attrs)

Update a policy

Parameters:

policy – Either the ID of a policy or a Policy instance.

Attrs kwargs:

The attributes to update on the policy represented by value.

Returns:

The updated policy

Return type:

Policy

Project Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_project(**attrs)

Create a new project from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Project, comprised of the properties on the Project class.

Returns:

The results of project creation

Return type:

Project

delete_project(project, ignore_missing=True)

Delete a project

Parameters:

  • project – The value can be either the ID of a project or a Project instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the project does not exist. When set to True, no exception will be set when attempting to delete a nonexistent project.

Returns:

None

find_project(name_or_id, ignore_missing=True, **attrs)

Find a single project

Parameters:

  • name_or_id – The name or ID of a project.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Project or None

get_project(project)

Get a single project

Parameters:

project – The value can be the ID of a project or a Project instance.

Returns:

One Project

Raises:

ResourceNotFound when no resource can be found.

projects(**query)

Retrieve a generator of projects

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of project instances.

Return type:

Project

update_project(project, **attrs)

Update a project

Parameters:

project – Either the ID of a project or a Project instance.

Attrs kwargs:

The attributes to update on the project represented by value.

Returns:

The updated project

Return type:

Project

Region Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_region(**attrs)

Create a new region from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Region, comprised of the properties on the Region class.

Returns:

The results of region creation.

Return type:

Region

delete_region(region, ignore_missing=True)

Delete a region

Parameters:

  • region – The value can be either the ID of a region or a Region instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the region does not exist. When set to True, no exception will be thrown when attempting to delete a nonexistent region.

Returns:

None

find_region(name_or_id, ignore_missing=True)

Find a single region

Parameters:

  • name_or_id – The name or ID of a region.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the region does not exist. When set to True, None will be returned when attempting to find a nonexistent region.

Returns:

One Region or None

get_region(region)

Get a single region

Parameters:

region – The value can be the ID of a region or a Region instance.

Returns:

One Region

Raises:

ResourceNotFound when no matching region can be found.

regions(**query)

Retrieve a generator of regions

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the regions being returned.

Returns:

A generator of region instances.

Return type:

Region

update_region(region, **attrs)

Update a region

Parameters:

region – Either the ID of a region or a Region instance.

Attrs kwargs:

The attributes to update on the region represented by value.

Returns:

The updated region.

Return type:

Region

Role Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_role(**attrs)

Create a new role from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Role, comprised of the properties on the Role class.

Returns:

The results of role creation.

Return type:

Role

delete_role(role, ignore_missing=True)

Delete a role

Parameters:

  • role – The value can be either the ID of a role or a Role instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the role does not exist. When set to True, no exception will be thrown when attempting to delete a nonexistent role.

Returns:

None

find_role(name_or_id, ignore_missing=True, **kwargs)

Find a single role

Parameters:

  • name_or_id – The name or ID of a role.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the role does not exist. When set to True, None will be returned when attempting to find a nonexistent role.

Returns:

One Role or None

get_role(role)

Get a single role

Parameters:

role – The value can be the ID of a role or a Role instance.

Returns:

One Role

Raises:

ResourceNotFound when no matching role can be found.

roles(**query)

Retrieve a generator of roles

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned. The options are: domain_id, name.

Returns:

A generator of role instances.

Return type:

Role

update_role(role, **attrs)

Update a role

Parameters:

  • role – Either the ID of a role or a Role instance.

  • kwargs (dict) – The attributes to update on the role represented by value. Only name can be updated

Returns:

The updated role.

Return type:

Role

Role Assignment Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
role_assignments_filter(domain=None, project=None, system=None, group=None, user=None)

Retrieve a generator of roles assigned to user/group

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • project – Either the ID of a project or a Project instance.

  • system – Either the system name or a System instance.

  • group – Either the ID of a group or a Group instance.

  • user – Either the ID of a user or a User instance.

Returns:

A generator of role instances.

Return type:

Role

role_assignments(**query)

Retrieve a generator of role assignments

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned. The options are: group_id, role_id, scope_domain_id, scope_project_id, user_id, include_names, include_subtree.

Returns:

RoleAssignment

assign_domain_role_to_user(domain, user, role)

Assign role to user on a domain

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

unassign_domain_role_from_user(domain, user, role)

Unassign role from user on a domain

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

validate_user_has_domain_role(domain, user, role)

Validates that a user has a role on a domain

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

Returns:

True if user has role in domain

assign_domain_role_to_group(domain, group, role)

Assign role to group on a domain

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

unassign_domain_role_from_group(domain, group, role)

Unassign role from group on a domain

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

validate_group_has_domain_role(domain, group, role)

Validates that a group has a role on a domain

Parameters:

  • domain – Either the ID of a domain or a Domain instance.

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

Returns:

True if group has role on domain

assign_project_role_to_user(project, user, role)

Assign role to user on a project

Parameters:

  • project – Either the ID of a project or a Project instance.

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

unassign_project_role_from_user(project, user, role)

Unassign role from user on a project

Parameters:

  • project – Either the ID of a project or a Project instance.

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

validate_user_has_project_role(project, user, role)

Validates that a user has a role on a project

Parameters:

  • project – Either the ID of a project or a Project instance.

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

Returns:

True if user has role in project

assign_project_role_to_group(project, group, role)

Assign role to group on a project

Parameters:

  • project – Either the ID of a project or a Project instance.

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

unassign_project_role_from_group(project, group, role)

Unassign role from group on a project

Parameters:

  • project – Either the ID of a project or a Project instance.

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

Returns:

None

validate_group_has_project_role(project, group, role)

Validates that a group has a role on a project

Parameters:

  • project – Either the ID of a project or a Project instance.

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

Returns:

True if group has role in project

assign_system_role_to_user(user, role, system)

Assign a role to user on a system

Parameters:

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

  • system – The system name

Returns:

None

unassign_system_role_from_user(user, role, system)

Unassign a role from user on a system

Parameters:

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

  • system – The system name

Returns:

None

validate_user_has_system_role(user, role, system)

Validates that a user has a role on a system

Parameters:

  • user – Either the ID of a user or a User instance.

  • role – Either the ID of a role or a Role instance.

  • system – The system name

Returns:

True if user has role in system

assign_system_role_to_group(group, role, system)

Assign a role to group on a system

Parameters:

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

  • system – The system name

Returns:

None

unassign_system_role_from_group(group, role, system)

Unassign a role from group on a system

Parameters:

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

  • system – The system name

Returns:

None

validate_group_has_system_role(group, role, system)

Validates that a group has a role on a system

Parameters:

  • group – Either the ID of a group or a Group instance.

  • role – Either the ID of a role or a Role instance.

  • system – The system name

Returns:

True if group has role on system

Service Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_service(**attrs)

Create a new service from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Service, comprised of the properties on the Service class.

Returns:

The results of service creation

Return type:

Service

delete_service(service, ignore_missing=True)

Delete a service

Parameters:

  • service – The value can be either the ID of a service or a Service instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the service does not exist. When set to True, no exception will be set when attempting to delete a nonexistent service.

Returns:

None

find_service(name_or_id, ignore_missing=True)

Find a single service

Parameters:

  • name_or_id – The name or ID of a service.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Service or None

get_service(service)

Get a single service

Parameters:

service – The value can be the ID of a service or a Service instance.

Returns:

One Service

Raises:

ResourceNotFound when no resource can be found.

services(**query)

Retrieve a generator of services

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of service instances.

Return type:

Service

update_service(service, **attrs)

Update a service

Parameters:

service – Either the ID of a service or a Service instance.

Attrs kwargs:

The attributes to update on the service represented by value.

Returns:

The updated service

Return type:

Service

Trust Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
create_trust(**attrs)

Create a new trust from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a Trust, comprised of the properties on the Trust class.

Returns:

The results of trust creation

Return type:

Trust

delete_trust(trust, ignore_missing=True)

Delete a trust

Parameters:

  • trust – The value can be either the ID of a trust or a Trust instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the credential does not exist. When set to True, no exception will be set when attempting to delete a nonexistent credential.

Returns:

None

find_trust(name_or_id, ignore_missing=True)

Find a single trust

Parameters:

  • name_or_id – The name or ID of a trust.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One Trust or None

get_trust(trust)

Get a single trust

Parameters:

trust – The value can be the ID of a trust or a Trust instance.

Returns:

One Trust

Raises:

ResourceNotFound when no resource can be found.

trusts(**query)

Retrieve a generator of trusts

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of trust instances.

Return type:

Trust

User Operations

class openstack.identity.v3._proxy.Proxy(session, statsd_client=None, statsd_prefix=None, prometheus_counter=None, prometheus_histogram=None, influxdb_config=None, influxdb_client=None, *args, **kwargs)
user_projects(user, **query)
Retrieve a generator of projects to which the user has authorization

to access.

Parameters:

  • user – Either the user id or an instance of User

  • query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of project instances.

Return type:

UserProject

create_user(**attrs)

Create a new user from attributes

Parameters:

attrs (dict) – Keyword arguments which will be used to create a User, comprised of the properties on the User class.

Returns:

The results of user creation

Return type:

User

delete_user(user, ignore_missing=True)

Delete a user

Parameters:

  • user – The value can be either the ID of a user or a User instance.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the user does not exist. When set to True, no exception will be set when attempting to delete a nonexistent user.

Returns:

None

find_user(name_or_id, ignore_missing=True, **attrs)

Find a single user

Parameters:

  • name_or_id – The name or ID of a user.

  • ignore_missing (bool) – When set to False ResourceNotFound will be raised when the resource does not exist. When set to True, None will be returned when attempting to find a nonexistent resource.

Returns:

One User or None

get_user(user)

Get a single user

Parameters:

user – The value can be the ID of a user or a User instance.

Returns:

One User

Raises:

ResourceNotFound when no resource can be found.

users(**query)

Retrieve a generator of users

Parameters:

query (kwargs) – Optional query parameters to be sent to limit the resources being returned.

Returns:

A generator of user instances.

Return type:

User

update_user(user, **attrs)

Update a user

Parameters:

user – Either the ID of a user or a User instance.

Attrs kwargs:

The attributes to update on the user represented by value.

Returns:

The updated user

Return type:

User

updated: 2025-10-09 15:32
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

questions?