Ask Your Question

How to retrieve a list of tenants/projects for user from keystone API

asked 2014-11-14 13:39:03 -0500

markdav gravatar image

Using the keystone API for any user (i.e. not necessarily admin), is it possible to view the list of projects/tenants that they are members of i.e. to recreate the little dropdown that you see in horizon which lets you switch between your assigned projects?

Getting an unscoped token (is this right?):  POST

    "auth": {
        "identity": {
            "methods": [
            "password": {
                "user": {
                    "domain": {
                        "name": "default"
                    "name": "my-ks-user",
                    "password": "my-ks-passwd"

Returns the id for my default tenant/project, but doesn't seem to give the means of listing the other projects I am a member of? e.g. GET to /projects, etc seems to yield unauthorized - what am I missing here.. is it even possible?

edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted

answered 2014-11-17 10:49:52 -0500

Try /v3/users/​{user_id}​/projects

BTW you are using unscoped token. Unscoped token doesn't have any role associated with it. You can't do any operation with unscoped token. Use either project scoped or domain scoped token. Both of them require a role on them for that user.

edit flag offensive delete link more


thanks, I am doing something wrong so - even when I pass a scope in the body it doesn't seem to work. I was expecting/ that a user would be able to inspect which projects keystone knows is available to them, without first having to set their context to a specific project. Will keep trying!

markdav gravatar imagemarkdav ( 2014-11-17 11:31:43 -0500 )edit

answered 2016-10-29 11:26:35 -0500

updated 2016-10-29 11:28:21 -0500

This one is not obvious or published, but this is what Horizon does:

curl -H "X-Auth-Token: $AUTH_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/v3/auth/projects

{"links": {"self": "", "previous": null, "next": null}, "projects": [{"is_domain": false, "description": "Auto created account", "links": {"self": ""}, "enabled": true, "id": "38db4610673545e58a99d7c0ea708174", "parent_id": null, "domain_id": "default", "name": "facebook665086733"}]}

In general, without a scoped token, keystone operations can only be performed against the AUTH_URL. Thus, the enumeration of user specific information must be under OS_AUTH_URL/v3/auth

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2014-11-14 13:39:03 -0500

Seen: 3,497 times

Last updated: Oct 29 '16