How to activate OpenStack CLI access to WEkEO cloud using Federated IDP authorization and application credentials
In this article, you will learn how to activate OpenStack CLI access to WEkEO cloud using the following methods:
Federated IDP authorization
Application Credentials
What We Are Going To Cover
How to download the RC file
The contents of the downloaded RC file
How to activate the downloaded RC file
Authentication with Federated IDP
Authentication with Application Credentials
Duration of life for environment variables set by sourcing the RC file
Testing the connection
Resolving errors
Prerequisites
No. 1 Account
You need a WEkEO hosting account with access to the Horizon interface: https://horizon.cloudferro.com. Only accounts created on the main WEkEO website using the form available under the REGISTER link are covered by this article.
No. 2 OpenStackClient installed and available
To use OpenStackClient, you need to install it.
- Install GitBash on Windows
Use OpenStackClient from a GitBash window under Windows. See article: How to install OpenStackClient GitBash for Windows on WEkEO.
- Install and run WSL (an environment which allows you to run Linux software on Windows)
- Install OpenStackClient on Linux
Since OpenStackClient is written in Python, it is recommended to use a dedicated virtual environment for the rest of this article.
No. 3 Application Credentials configured (optional)
To be able to authenticate using the method of application credentials, you first have to configure them. See article: How to generate or use Application Credentials via CLI on WEkEO.
No. 4 Base64 encoding (optional)
To use Federated IDP for authentication, you will have to create a base64 value from a given string. Start with the user name and password and create a concatenated string such as this:
user_name:password
That is, add a colon between your user_name and password. Then find the base64 value, which can be done in several ways.
If the user name is john and the password is 123123, create a concatenated string like this:
john:123123
Choose how to encode the string as a base64 value:
In a Bash-compatible shell, execute the following command:
echo -n 'john:123123' | base64
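On Windows, execute the following command in Command Prompt:
certutil -f -encode raw.txt encoded.txt
where the files raw.txt and encoded.txt contain the string john:123123 and the resulting base64 value, respectively. The file raw.txt must not end with a line break, and certutil writes the value between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines in encoded.txt, so use only the line between them.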
In PHP, this is the code to print the base64 value of a string:
<?php
$str = 'john:123123';
echo base64_encode($str);
Here is Python code to print the base64 value of a string:
import base64
data = b'john:123123'
encoded_data = base64.b64encode(data)
# b64encode returns bytes; decode so that only the base64 text is printed
print(encoded_data.decode('ascii'))
In all cases, the base64 value of john:123123 will be am9objoxMjMxMjM=.
How to download RC file
To connect to WEkEO cloud, download the RC file and execute it.
Location of the link to RC file
Click on account name
The top right corner of the Horizon screen contains your account name. Click on it. You will see a menu like this (e-mail address is greyed out to protect privacy):
There are four relevant options in that menu. The first two,
OpenStack RC file
OpenStack RC file (2FA)
are not operational and so this article treats the other two options only:
OpenStack RC File (Federated IDP)
OpenStack RC File (App Credentials)
Select the option to use and the relevant file with .sh extension will be downloaded.
How to activate the downloaded RC file
The RC file sets up environment variables which are used by the OpenStack CLI client to authenticate to the cloud.
The activation procedure will depend on the operating system you are working with:
- Ubuntu
Assuming you are in the same folder in which the RC file is present, use the source command, like so:
source ./cloud_078649_1-openrc-federated-user-1.sh
- macOS
The same source command should work on macOS. In some versions of macOS though, an alternative command zsh could serve as well:
zsh ./cloud_078649_1-openrc-federated-user-1.sh
Note that in both cases ./ means “use the file in this very folder you already are in”.
- Windows
On Windows, to use an RC file to authenticate, you need to have appropriate software.
See Prerequisite No. 3, which describes in more detail how to run .sh files under various scenarios on Windows.
Duration of life for environment variables set by sourcing the RC file
When you source the file, environment variables are set for your current shell. To prove it, open two terminal windows, source the RC file in one of them but not in the other and you won’t be able to authenticate from that second terminal window.
That is why you will need to activate your RC file each time you start a new terminal session. Once authenticated and while that terminal window is open, you can use it to issue OpenStack CLI commands at will.
Authentication with Federated IDP
When authenticating with federated IDP, you will have to enter two values:
the id of the federated Identity Provider and
the token calculated from the user name and password you are using to log in to the site.
The id is the word wekeo.
The second question asks for the token, which is a long string of digits, letters and dashes.
If you are signed into the site, you can use a special page to obtain the token.
To sign in, go to the page https://www.wekeo.eu/ and click on the SIGN IN button:
When you are signed in and want to get the token, visit https://www.wekeo.eu/token. On that page you can create a temporary token, which will last one hour. If you continue using it, it will refresh automatically.
To get the token, click on the upper gray rectangle and a new token will appear:
Copy the token so that you can paste it for the second question that comes up:
You can always create a token in the following way, even if you are not logged in.
To create a token, use Prerequisite No. 4 to create the corresponding Base64 value.
Once you have it, execute the following command to verify and return the token you are looking for:
curl -X GET --header 'Authorization: Basic am9objoxMjMxMjM=' 'https://wekeo-broker.prod.wekeo2.eu/databroker/gettoken'
In Prerequisite No. 4, we calculated the value am9objoxMjMxMjM= from our example string john:123123, but you will, of course, replace it with your own calculated base64 value.
The result will be a JSON string with one key and one value, and the latter is the token you are looking for:
{
"access_token": "01bea635-0k90-2a87-ac4d-0f5de6409deS"
}
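The token request above as a small shell helper, added here as an example and not part of the original article or of WEkEO's tooling. Base64 is reversible, so the Basic value is as sensitive as the password itself; the helper reads the password with echo off and hands the header to curl on standard input instead of the command line. The function and variable names are assumptions made for this example; the endpoint URL is the one used in the article.

```shell
#!/bin/sh
# Added example (not WEkEO's code). The endpoint URL is taken from the article.
GETTOKEN_URL='https://wekeo-broker.prod.wekeo2.eu/databroker/gettoken'

# Base64 of "user:password". printf adds no trailing newline (a plain `echo`
# would encode one and change the result); tr removes the line breaks that
# GNU base64 inserts after 76 output characters.
basic_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the access_token from a JSON reply; fail with no output if the key is
# absent. sed keeps the example dependency-free; where jq is installed,
# `jq -r .access_token` does the same job.
extract_token() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        grep .
}

# Prompt for the credentials, request a token and print it on stdout.
# The password is read with terminal echo off, and the Authorization header
# reaches curl through --config - (stdin), not through curl's arguments.
fetch_token() {
    printf 'User name: ' >&2; read -r wk_user
    stty -echo; printf 'Password: ' >&2; read -r wk_pass; stty echo
    printf '\n' >&2
    wk_reply=$(printf 'header = "Authorization: Basic %s"\n' \
                   "$(basic_value "$wk_user" "$wk_pass")" |
               curl --silent --show-error --fail --config - "$GETTOKEN_URL")
    wk_status=$?
    unset wk_pass
    [ "$wk_status" -eq 0 ] || return 1
    extract_token "$wk_reply"
}

# Interactive use, before sourcing the federated RC file:
#   token=$(fetch_token) && printf '%s\n' "$token"
```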
Only now activate the federated RC file with a command such as
source ./cloud_078649_1-openrc-federated-user-1.sh
or similar, depending on the operating system you are using.
Then supply the word wekeo for the first question and the token for the second question:
If verified, there will be no output but nevertheless, you will be able to use openstack and other commands. The following command is a standard way of testing the connection:
openstack flavor list
You should get a list of flavors available to you on WEkEO cloud:
Authentication with Application Credentials
If your application already has a created set of credentials, you can use them to authenticate to WEkEO cloud. If you don’t have these credentials, follow Prerequisite No. 3.
Download the RC file with -app-credentials in its name, for example, like this:
cloud_078649_1-openrc-app-credentials.sh
and activate it with the source command.
You will be required to supply the credentials ID and secret:
As with other cases of sensitive information, the values you enter will not be shown on the screen.
Resolving errors when sourcing the RC files
If you cannot resolve the error and you are certain that
there is access to the Internet and
no downtime for WEkEO services which you are using has been announced,
contact WEkEO customer support for assistance: Help Desk And Support
jq not installed
jq is an app to parse JSON input. It is required for using RC files for Federated IDP. It will be preinstalled on most Linux distros and if not, you may get a message like this:
To resolve, download from the official support page and follow the directions to install on your operating system.
If you are using Git Bash on Windows and running into this error, Step 6 of the article on GitBash from Prerequisite No. 2 has proper instructions for installing jq.
Wrong values entered after sourcing the RC file
If you entered wrong values after sourcing the RC file and get an error because of that, simply source that file again, this time providing correct values.
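A check you can run after sourcing, added here as an example and not part of the original article: it reports which authentication variables are missing from the current shell without printing their values, and shows the per-session scope described under "Duration of life for environment variables". The variable names are the standard OpenStack client variables for application credentials; that the WEkEO RC file sets exactly these is an assumption, and the sample RC file is constructed with placeholder values.

```shell
#!/bin/sh
# Added example. Standard OpenStack client variables for application
# credentials; that the WEkEO RC file sets exactly these is an assumption.
REQUIRED='OS_AUTH_URL OS_AUTH_TYPE OS_APPLICATION_CREDENTIAL_ID OS_APPLICATION_CREDENTIAL_SECRET'

# Print the names of required variables that are unset or empty in this
# shell. Values are never printed, so the secret stays off the screen.
missing_vars() {
    for name in $REQUIRED; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || printf '%s ' "$name"
    done
}

# Constructed stand-in for a downloaded RC file (placeholder values only).
write_sample_rc() {
    cat > "$1" <<'EOF'
export OS_AUTH_URL='https://keystone.example.invalid:5000/v3'
export OS_AUTH_TYPE='v3applicationcredential'
export OS_APPLICATION_CREDENTIAL_ID='constructed-id'
export OS_APPLICATION_CREDENTIAL_SECRET='constructed-secret'
EOF
}

# "Terminal 1": a shell that sourced the file has every variable.
sourced_shell_missing() { ( . "$1"; missing_vars ); }

# "Terminal 2": a shell that never sourced it has none of them.
fresh_shell_missing() { ( unset $REQUIRED; missing_vars ); }

# After sourcing your own RC file:
#   m=$(missing_vars); [ -z "$m" ] || echo "not set in this shell: $m"
```

If the check lists any name, source the RC file again in that same terminal before running openstack commands.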
What To Do Next
With the appropriate version of RC file activated, you should be able to create and use
instances,
volumes,
networks,
Kubernetes clusters
and, in general, use all OpenStack CLI commands.
For example, if you want to create a new virtual machine, you can follow this article:
How to create a VM using the OpenStack CLI client on WEkEO cloud
With the token you got in the process of authenticating for the federated IDP, you can access various data on the WEkEO 2.0 site. See the WEkEO page for Harmonized Data Access API Rest.