From sapcc
Create and securely store OpenStack application credentials for MCP server authentication.
Triggers: setup credentials, configure auth, application credential, MCP server setup, first time setup, rotate credentials
Install: npx claudepluginhub notque/openstack-agent-toolkit --plugin sapcc
Slash command: /sapcc:credential-setup
Summary Claude sees in its skill listing (used to decide when to auto-load this skill): Create, store, and configure OpenStack application credentials for MCP server authentication. Handles first-time setup, rotation, and multi-project configurations.
This skill is limited to the following tools:
| Tool | Purpose |
|---|---|
| keystone_token_info | Check current auth context (project, roles, expiry) |
| keystone_create_application_credential | Create an application credential (secret shown ONCE) |
| keystone_list_application_credentials | List existing credentials for the current user/project |
| keystone_delete_application_credential | Delete (revoke) a credential by ID or name |
These facts will save you from the most common failures:
The secret is shown ONLY ONCE, at creation. The API returns it exactly once, in the creation response. If you don't capture it immediately it is gone; the only recovery is to create a new credential.
Always list existing credentials first. Call keystone_list_application_credentials before creating. Leftovers cause confusion during rotation and use up the 25-credential limit per user.
Roles are a snapshot taken at creation time. The credential carries the roles the user held (or the subset requested) at the moment it was created; roles the user gains later are not added to it. To pick up new roles, create a new credential.
The naming convention is load-bearing. Use mcp-server-{project}-{region} (e.g., mcp-server-cc-demo-eu-de-1). The keychain lookup command embeds this name, so inconsistent naming breaks secret retrieval. Keystone requires application credential names to be unique per user, so a replacement created while the old one still exists needs a distinct name (e.g. a date suffix), and OS_APPCRED_SECRET_CMD must be updated to match.
Deletion is immediate revocation. The instant you delete a credential, any process using it loses access. Always verify that the replacement works BEFORE deleting the old one.
Set an expiration to force rotation. Recommended: 1 year for development, 90 days for production. Credentials without an expiry become forgotten attack surface.
App credentials cannot create other app credentials. This is an intentional anti-escalation design: the MCP server authenticated via an app credential cannot mint new credentials; only a user-scoped token can.
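An added example (not code from the sapcc skill or the openstack-agent-toolkit) that turns these facts into a pre-flight check before creating or rotating: it parses the JSON printed by `openstack application credential list -f json` and flags credentials with no expiry, expired or soon-expiring ones, names that break the mcp-server-{project}-{region} lookup convention, and several MCP credentials lingering in one project (the usual leftover of a rotation that never deleted the old one). The region shape (eu-de-1), the optional -YYYYMMDD rotation suffix and the sample list are assumptions constructed for the example, not real data.

```python
"""Audit existing application credentials before creating or rotating one.

Added example; not part of the sapcc skill or of openstack-agent-toolkit. Input is
the JSON printed by `openstack application credential list -f json`. The sample
list below is constructed; the region shape and rotation suffix are assumptions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Skill convention mcp-server-{project}-{region}. Assumptions: regions look like
# eu-de-1 (two letters, two letters, number) and a rotation may append -YYYYMMDD.
NAME_RE = re.compile(
    r"^mcp-server-(?P<project>.+)-(?P<region>[a-z]{2}-[a-z]{2}-\d+)(?:-\d{8})?$"
)

SAMPLE_NOW = datetime(2024, 7, 20, tzinfo=timezone.utc)

# Constructed sample shaped like the CLI's list columns; these are not real credentials.
SAMPLE_LIST = json.dumps([
    {"ID": "a1", "Name": "mcp-server-cc-demo-eu-de-1", "Project ID": "p1",
     "Description": "MCP server credential for cc-demo in eu-de-1. Created 2024-01-10.",
     "Expires At": "2024-04-09T00:00:00.000000"},
    {"ID": "b2", "Name": "mcp-server-cc-demo-eu-de-1-old", "Project ID": "p1",
     "Description": "leftover from a rotation", "Expires At": None},
    {"ID": "c3", "Name": "mcp-server-cc-prod-eu-nl-1", "Project ID": "p2",
     "Description": "MCP server credential for cc-prod in eu-nl-1. Created 2024-05-01.",
     "Expires At": "2024-07-30T00:00:00.000000"},
    {"ID": "d4", "Name": "terraform-ci", "Project ID": "p2",
     "Description": "", "Expires At": "2030-01-01T00:00:00.000000"},
])


def parse_expiry(value):
    """Return an aware UTC datetime, or None for a credential that never expires."""
    if not value:
        return None
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:          # Keystone emits naive timestamps that are UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def audit(list_json, now, warn_days=14):
    """Return findings as dicts {name, code, detail}; an empty list means nothing to fix."""
    findings = []
    per_project = {}
    for cred in json.loads(list_json):
        name = cred["Name"]
        if not name.startswith("mcp-server-"):
            continue                # not managed by this skill; leave it alone
        per_project.setdefault(cred["Project ID"], []).append(name)
        if not NAME_RE.match(name):
            findings.append({"name": name, "code": "bad-name",
                             "detail": "does not match mcp-server-{project}-{region}; "
                                       "OS_APPCRED_SECRET_CMD will not find its secret"})
        expires = parse_expiry(cred["Expires At"])
        if expires is None:
            findings.append({"name": name, "code": "no-expiry",
                             "detail": "set expires_at (90 days for production)"})
        elif expires <= now:
            findings.append({"name": name, "code": "expired",
                             "detail": f"expired {expires.date()}; delete once nothing uses it"})
        elif expires - now <= timedelta(days=warn_days):
            findings.append({"name": name, "code": "expiring",
                             "detail": f"expires {expires.date()}; rotate now: create, verify, then delete"})
    # Keystone keeps names unique per user, so duplicates show up as several
    # mcp-server-* credentials in one project, usually the old half of a rotation.
    for project_id, names in per_project.items():
        if len(names) > 1:
            findings.append({"name": project_id, "code": "multiple",
                             "detail": "several MCP credentials in one project: " + ", ".join(sorted(names))})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LIST, SAMPLE_NOW):
        print(f"{f['code']:<10} {f['name']}: {f['detail']}")
```

Run it against the real list by replacing SAMPLE_LIST with the CLI output and SAMPLE_NOW with `datetime.now(timezone.utc)`; anything tagged `expiring` or `no-expiry` is a rotation to schedule, and `multiple` points at an old credential that Phase 7 never removed.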
Call keystone_token_info to determine the current auth context: the project, the roles held, and the token expiry.
If already using app credentials, determine whether this is rotation or new setup.
Call keystone_list_application_credentials and inspect the results for entries matching the mcp-server-* naming pattern.
If a valid credential exists and the user wants a fresh setup, proceed to the rotation flow: create the new credential first (under a distinct name, since Keystone keeps application credential names unique per user), then delete the old one in Phase 7.
Call keystone_create_application_credential with:
```yaml
name: mcp-server-{project_name}-{region}
description: "MCP server credential for {project_name} in {region}. Created {YYYY-MM-DD}."
expires_at: "{calculated expiry}"   # ISO 8601, e.g. 2025-01-15T00:00:00
roles: [{minimal required roles}]   # omit to inherit all of the user's current roles on the project
```
IMMEDIATELY capture the id and secret from the response. The secret cannot be retrieved again.
Store the secret in the OS keychain under the credential's name.
macOS:
```shell
security add-generic-password -a "mcp-server-{project}-{region}" -s "openstack-appcred" -w "{secret}"
```
Passing -w "{secret}" writes the secret into shell history; leave -w as the last argument with no value to be prompted for it instead. Add -U if an entry with this account and service already exists, otherwise the command fails.
Linux (GNOME Keyring / libsecret):
```shell
secret-tool store --label="OpenStack App Credential" service openstack-appcred account "mcp-server-{project}-{region}"
```
(Prompts for the secret value on stdin.)
Verify storage immediately:
```shell
# macOS
security find-generic-password -a "mcp-server-{project}-{region}" -s "openstack-appcred" -w
# Linux
secret-tool lookup service openstack-appcred account "mcp-server-{project}-{region}"
```
Output the configuration block for Claude Code settings (~/.claude/settings.json or project .claude/settings.json):
```json
{
  "mcpServers": {
    "sapcc": {
      "command": "openstack-mcp-server",
      "env": {
        "OS_AUTH_URL": "https://identity-3.{region}.cloud.example.com/v3",
        "OS_APPLICATION_CREDENTIAL_ID": "{id}",
        "OS_APPCRED_SECRET_CMD": "security find-generic-password -a mcp-server-{project}-{region} -s openstack-appcred -w",
        "OS_REGION_NAME": "{region}"
      }
    }
  }
}
```
For Linux, replace the OS_APPCRED_SECRET_CMD value with:
```shell
secret-tool lookup service openstack-appcred account mcp-server-{project}-{region}
```
Call keystone_token_info and confirm it returns a valid auth context (project, roles, expiry) for the new credential. If verification fails, work through the Troubleshooting table below.
Only after Phase 6 succeeds:
Call keystone_delete_application_credential with the old credential ID, then remove the old keychain entry:
```shell
# macOS
security delete-generic-password -a "old-credential-name" -s "openstack-appcred"
```
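The whole flow above, as an added example that is not part of the skill or the toolkit: a planner that emits the shell commands in the safe order (the old credential is deleted only after the new one has authenticated through the same keychain lookup the MCP server will use) and merges the mcpServers entry into an existing settings.json without clobbering other servers. It assumes python-openstackclient is installed (openstack application credential create/list/delete, openstack token issue), that OS_APPCRED_SECRET_CMD and the identity URL are as in the skill text, that $NEW_ID is set by hand from the create step's output, and that the replacement gets a date suffix because Keystone keeps application credential names unique per user. Nothing in it contacts Keystone or a keychain.

```python
"""Plan a rotation in the skill's safe order: create, store, verify, configure, delete.

Added example; not part of the sapcc skill or of openstack-agent-toolkit. It only
emits shell commands and JSON. Assumptions: python-openstackclient is installed,
OS_APPCRED_SECRET_CMD and the identity URL follow the skill text, and $NEW_ID is
a shell variable you set from the create step's output.
"""
import json
import shlex
from datetime import timedelta

SERVICE = "openstack-appcred"      # keychain service name used by the skill
SERVER_KEY = "sapcc"               # mcpServers entry name used by the skill


def credential_name(project, region, suffix=None):
    """mcp-server-{project}-{region}; a suffix (e.g. a date) is required while the old one still exists."""
    base = f"mcp-server-{project}-{region}"
    return f"{base}-{suffix}" if suffix else base


def expiration_arg(now, days):
    """`openstack application credential create --expiration` takes YYYY-mm-ddTHH:MM:SS; pass a UTC now."""
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")


def secret_lookup_cmd(platform, name):
    """Exactly what the MCP server runs as OS_APPCRED_SECRET_CMD, so verification exercises the same path."""
    if platform == "Darwin":
        return f"security find-generic-password -a {name} -s {SERVICE} -w"
    return f"secret-tool lookup service {SERVICE} account {name}"


def secret_store_cmd(platform, name):
    """Both variants prompt for the secret instead of taking it on argv, keeping it out of shell history."""
    if platform == "Darwin":
        # -U replaces an existing item; without it add-generic-password fails on a second run
        return f"security add-generic-password -U -a {name} -s {SERVICE} -w"
    return f'secret-tool store --label="OpenStack App Credential" service {SERVICE} account {name}'


def secret_remove_cmd(platform, name):
    if platform == "Darwin":
        return f"security delete-generic-password -a {name} -s {SERVICE}"
    return f"secret-tool clear service {SERVICE} account {name}"


def merge_settings(settings_text, region, cred_id, platform, name, auth_url):
    """Insert or replace mcpServers.sapcc in settings.json, keeping every other key and server."""
    settings = json.loads(settings_text) if settings_text.strip() else {}
    settings.setdefault("mcpServers", {})[SERVER_KEY] = {
        "command": "openstack-mcp-server",
        "env": {
            "OS_AUTH_URL": auth_url,
            "OS_APPLICATION_CREDENTIAL_ID": cred_id,
            "OS_APPCRED_SECRET_CMD": secret_lookup_cmd(platform, name),
            "OS_REGION_NAME": region,
        },
    }
    return json.dumps(settings, indent=2) + "\n"


def plan_rotation(project, region, platform, auth_url, now, days=90, old=None, suffix=None):
    """Ordered (step, command) pairs. `old` is (id, name) of the credential being replaced."""
    name = credential_name(project, region, suffix)
    if old and old[1] == name:
        raise ValueError("Keystone names are unique per user: give the replacement a suffix "
                         "while the old credential still exists")
    desc = f"MCP server credential for {project} in {region}. Created {now:%Y-%m-%d}."
    lookup = secret_lookup_cmd(platform, name)
    steps = [
        ("list", "openstack application credential list -f json"),
        ("create", "openstack application credential create "
                   f"--expiration {expiration_arg(now, days)} --description {shlex.quote(desc)} "
                   f"-f json {name}    # copy id and secret now; the secret is shown once"),
        ("store", secret_store_cmd(platform, name)),
        ("verify-retrieval", lookup),
        # Authenticate the way the MCP server will: app-cred auth, secret pulled from the
        # keychain, and no password-style OS_* variables left in scope to mask a failure.
        ("verify-auth", "env -u OS_USERNAME -u OS_PASSWORD -u OS_PROJECT_NAME -u OS_PROJECT_ID -u OS_CLOUD "
                        f"OS_AUTH_TYPE=v3applicationcredential OS_AUTH_URL={auth_url} "
                        f'OS_APPLICATION_CREDENTIAL_ID="$NEW_ID" OS_APPLICATION_CREDENTIAL_SECRET="$({lookup})" '
                        "openstack token issue -f value -c project_id"),
        ("configure", "# write merge_settings(...) output to ~/.claude/settings.json"),
    ]
    if old:
        # Deletion is immediate revocation, so it stays last: only after verify-auth passed.
        steps.append(("delete-old", f"openstack application credential delete {old[0]}"))
        steps.append(("purge-old-secret", secret_remove_cmd(platform, old[1])))
    return steps


if __name__ == "__main__":
    from datetime import datetime, timezone
    url = "https://identity-3.eu-de-1.cloud.example.com/v3"
    for step, cmd in plan_rotation("cc-demo", "eu-de-1", "Darwin", url, datetime.now(timezone.utc),
                                   old=("OLD_ID", "mcp-server-cc-demo-eu-de-1"), suffix="20240720"):
        print(f"[{step}] {cmd}")
```

Run it with python3 to print the plan, then execute the steps by hand in order; feed merge_settings() the current settings file contents and write its return value back. The verify-auth step is deliberately the same lookup command the MCP server will run, so a keychain entry name that does not match the config fails here rather than inside Claude Code.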
| Practice | Rationale |
|---|---|
| One credential per purpose | Revoke one without affecting others |
| Descriptive names (mcp-server-{project}-{region}) | Keychain lookup depends on the exact name |
| Set expiration | Forces rotation, limits blast radius of leaked creds |
| Minimum roles | Don't grant admin for read-only MCP access |
| Keychain storage | Never store in env files, dotfiles, or git |
| Test before delete | Verify new cred works before revoking old |
| Document creation date in description | Know when rotation is overdue |
| Symptom | Likely Cause | Fix |
|---|---|---|
| "Authentication required" after setup | Secret retrieval command fails | Run OS_APPCRED_SECRET_CMD manually in terminal; check keychain entry name matches exactly |
| "Credential not found" | Credential was deleted or expired | keystone_list_application_credentials to confirm; create new if missing |
| Wrong project scope in token | Credential was created under different project | Check keystone_token_info project field; recreate credential under correct project scope |
| "Unauthorized" with valid credential | Roles insufficient for requested operation | List credential roles vs. required roles; recreate with correct role set |
| MCP server won't start | Malformed config JSON or missing binary | Validate JSON syntax; confirm openstack-mcp-server is in PATH |
| Works in terminal but not in Claude Code | Environment differences (PATH, keychain access) | Ensure Claude Code's process has keychain access; use full path to security/secret-tool |
| User need | Action |
|---|---|
| Authentication methods comparison | Read auth-methods.md |