Wednesday, 26 March 2025

OpenStack trust workflow

Your Flow — Reviewed and Corrected

Step 1: Real User Gets Domain-Scoped Token

✅ Yes. This allows you to query projects the user can access:

```http
GET /v3/auth/projects
```

Step 2: You Identify the Target Project ID

✅ You now know which project the trust will apply to.


Step 3:

----------------------------------------------

  1. You:

    • Create services and endpoints.

    • Create a service user (let’s say super-service) with the admin role in a project (service or admin).

    • This user can access all services — so it's a powerful identity.

  2. Then, you:

    • Create a trust:

      • trustor_user_id = service user (the admin-level one)

      • trustee_user_id = real user (e.g., myuser)

      • impersonation=true

      • roles = admin or member

      • project_id = typically the service project

  3. Your real user (myuser) uses this trust to request a token.

✅ Result: myuser gets a token that impersonates the service user, scoped to the service project, with access to all services the service user has.


Then obtain a project-scoped token for myuser via the trust:

```json
{
  "auth": {
    "identity": {
      "methods": ["token"],
      "token": {
        "id": "<token-from-myuser>"
      }
    },
    "scope": {
      "OS-TRUST:trust": {
        "id": "<trust-id>"
      }
    }
  }
}
```
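As an added example (not code from the original post), the following Python builds the trust-creation body and the trust-scoped auth body used in the flow above, and audits the token Keystone hands back so you can confirm it is bound to the expected trust and project and see exactly which roles the impersonating token carries. All user, project and trust IDs, and the sample token response, are constructed.

```python
# Added example, not from the original post: build the two Keystone v3 OS-TRUST
# request bodies used in the flow above and audit the token that comes back.
# All IDs and the sample token response are constructed.

def build_trust_request(trustor_id, trustee_id, project_id, roles,
                        impersonation=True, expires_at=None, remaining_uses=None):
    """Body for POST /v3/OS-TRUST/trusts. expires_at and remaining_uses are
    optional Keystone trust fields that bound how long/how often it can be used."""
    trust = {"trustor_user_id": trustor_id, "trustee_user_id": trustee_id,
             "project_id": project_id, "impersonation": impersonation,
             "roles": [{"name": r} for r in roles]}
    if expires_at is not None:
        trust["expires_at"] = expires_at
    if remaining_uses is not None:
        trust["remaining_uses"] = remaining_uses
    return {"trust": trust}

def build_trust_scoped_auth(token_id, trust_id):
    """Body for POST /v3/auth/tokens: the trustee's own token, scoped to the trust."""
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": token_id}},
                     "scope": {"OS-TRUST:trust": {"id": trust_id}}}}

def audit_trust_token(token_resp, trust_id, project_id):
    """Inspect a trust-scoped token response; returns (problems, role_names).
    With impersonation the token's user is the trustor, so the trustee acts as
    that (here admin-level) identity for everything the roles allow."""
    tok = token_resp["token"]
    trust = tok.get("OS-TRUST:trust", {})
    roles = sorted(r["name"] for r in tok.get("roles", []))
    problems = []
    if trust.get("id") != trust_id:
        problems.append("token is not scoped to the expected trust")
    if tok.get("project", {}).get("id") != project_id:
        problems.append("token project differs from the trust's project")
    if (trust.get("impersonation")
            and tok.get("user", {}).get("id") != trust.get("trustor_user", {}).get("id")):
        problems.append("impersonating token does not carry the trustor identity")
    if "admin" in roles:
        problems.append("trust delegates admin; confirm member would not suffice")
    return problems, roles

# Constructed sample of what Keystone returns for the trust-scoped auth request.
SAMPLE_TOKEN = {"token": {
    "OS-TRUST:trust": {"id": "trust-123", "impersonation": True,
                       "trustor_user": {"id": "svc-uid"},
                       "trustee_user": {"id": "myuser-uid"}},
    "user": {"id": "svc-uid", "name": "super-service"},
    "project": {"id": "svc-proj"}, "roles": [{"name": "admin"}]}}
```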
