Can a non-admin add a fixed floating ip from Heat [closed]

asked 2017-06-06 09:30:48 -0600

jkrah

updated 2017-06-08 07:51:28 -0600

Looking at the doco for OS::Neutron::FloatingIP

The default policy setting in Neutron restricts usage of this property to administrative users only.

As the admin user I have allocated some floating IPs to my project. And these unused floating IPs are available (not assigned to any ports / instances) in my (non admin) project.

As the (non admin) project user I can run server add floating ip <VM> 172.x.y.62 and successfully add a specific one of these floating IPs to my running instance.

Just wondering if there is a way of doing this in Heat? I.e., assigning a specific (existing) floating IP in Heat (that has already been allocated to my project), or do I need to tweak some permissions somewhere? Thanks heaps in advance !!

I've tried this

    dmzhost-port-floating-ip:
      type: OS::Neutron::FloatingIP
      properties:
        floating_network: public
        port_id: { get_resource: dmzhost-port }
        floating_ip_address: 172.x.y.62

but it fails with.. (it's trying to create a new floating IP - not assign an existing one?)

2017-06-06 22:37:59Z [net.dmzhost-port-floating-ip]: CREATE_FAILED  Forbidden: resources.dmzhost-port-floating-ip: {'description': '', 'subnet_id': None, 'tenant_id': u'4739ddaec8f1460b9a886d676f2e33eb', u'floating_network_id': u'88ad5648-62ee-4c3a-8cf1-8299573b4878', 'fixed_ip_address': None, u'floating_ip_address': u'17

Closed for the following reason: the question is answered, right answer was accepted by jkrah
close date 2017-06-08 07:51:50.405788

2 answers


answered 2017-06-06 18:34:35 -0600

updated 2017-06-07 02:57:23 -0600

Your example confuses creation of a new Floating IP with adding an existing Floating IP to a port/instance.

The doc is in line with Neutron's Floating IP API:

Default policy settings enable only administrative users to set floating IP addresses and some non-administrative users might require a floating IP address. If you do not specify a floating IP address in the request, the operation automatically allocates one

Which means, IMO, that a normal user can't request a specific IP address and must accept whatever address the system allocates.

EDIT: To add an existing Floating IP to a server, use the OS::Nova::Server resource. Example from the doc:

   type: OS::Nova::Server
            networks: [{"floating_ip": String, "port": String, "network": String, ...


Thanks for the reply Bernd .. I was wondering if the Heat syntax was trying to create a new one..

jkrah ( 2017-06-06 23:20:54 -0600 )

As the admin I have already allocated some floating IPs to my project. (I will add this to the question description as it's probably quite relevant.) And I can choose one of these specific addresses (as the project user) when using the CLI: server add floating ip dmzhost 172.x.y.62 ..

jkrah ( 2017-06-06 23:24:08 -0600 )

I updated my answer.

Bernd Bausch ( 2017-06-07 02:52:40 -0600 )

Thanks Bernd !! It's working !! :-) I had to use the floating-ip "uuid". I'm now also directly setting the fixed IP .. which allowed me to remove the port definition.. which is nice..

    - subnet:  dmz-sub
      floating_ip: 09c37...

jkrah ( 2017-06-08 06:08:46 -0600 )

There's also OS::Neutron::FloatingIPAssociation if you prefer.

zaneb ( 2017-06-08 10:04:21 -0600 )
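
The approach this answer and its comments arrive at, as an added example that is not code from any poster or from the Heat documentation: a HOT template that attaches a floating IP already allocated to the project by its UUID, so the template never sets the admin-only floating_ip_address property. The parameter names, the dmz-net network name and the image/flavor parameters are assumptions; dmz-sub and dmzhost-port come from the thread.

```yaml
heat_template_version: 2016-04-08

description: >
  Added example: associate a floating IP that an admin has already
  allocated to this project, running the stack as a non-admin user.

parameters:
  existing_fip_id:
    type: string
    description: UUID (not the address) of the pre-allocated floating IP
  image:
    type: string      # assumed parameter
  flavor:
    type: string      # assumed parameter

resources:
  dmzhost-port:
    type: OS::Neutron::Port
    properties:
      network: dmz-net          # assumed network name
      fixed_ips:
        - subnet: dmz-sub

  dmzhost:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks:
        - port: { get_resource: dmzhost-port }

  # Associates the existing floating IP with the port. No new floating IP
  # is created, so no address is requested from Neutron.
  dmzhost-fip-assoc:
    type: OS::Neutron::FloatingIPAssociation
    properties:
      floatingip_id: { get_param: existing_fip_id }
      port_id: { get_resource: dmzhost-port }

  # Alternative reported working in the comments: drop the port and the
  # association, and put the UUID on the server's network entry instead:
  #   networks:
  #     - subnet: dmz-sub
  #       floating_ip: { get_param: existing_fip_id }
```

Passing the UUID as a parameter keeps the admin's allocation step separate from the project user's stack, so the Neutron policy can stay at its default.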

answered 2017-06-06 10:51:52 -0600

zaneb

It depends on your permissions in Neutron's policy.json.

Nothing in Heat will enforce it as far as I know, it will just fail when it calls Neutron if you don't have permissions.



Thanks (again!!) Zaneb - At face value it looks to me like heat is enforcing something.. as heat definitely fails but CLI: server add floating ip dmzhost x.x.x.x works fine .. (as the same (non admin) project/tenant/user) .. I will add some more detail to my question. Thanks again ! :-)

jkrah ( 2017-06-06 17:49:13 -0600 )
