Keystone: unable to use the public endpoint

asked 2015-06-07 17:35:05 -0500

jlausuch

updated 2015-06-07 17:40:54 -0500


I am trying to run commands from an external machine using the public API towards my OpenStack installation. This is the error I get for example when trying keystone commands:

keystone  user-list
Unable to establish connection to
  • The public ip range is and the OS management is
  • The env var OS_AUTH_URL is set to

Only when I configure an IP in the mgmt range from my external machine everything works. Actually, keystone catalog shows (along with other things):

Service: identity
|   Property  |              Value               |
|   adminURL  |   |
|      id     | 341bfbcf86f44f219357f8527c3c8b15 |
| internalURL |   |
|  publicURL  |   |
|    region   |            RegionOne             |


$ keystone discover
Keystone found at
    - supports version v2.0 (stable) here
        - and OS-REVOKE: OpenStack Revoke API
        - and OS-FEDERATION: OpenStack Federation APIs
        - and OS-KSCRUD: OpenStack Keystone User CRUD
        - and OS-EC2: OpenStack EC2 API
        - and OS-SIMPLE-CERT: OpenStack Simple Certificate API

But I want to avoid having an IP in the OS-mgmt range on my external machine. What am I missing here, if I'm telling OS to use with OS_AUTH_URL ?


3 answers


answered 2020-03-06 16:18:38 -0500

It seems that parameter --os-interface=public or env export OS_INTERFACE=public works.


answered 2015-06-07 23:27:49 -0500

updated 2015-06-07 23:34:29 -0500

You can't use the public endpoint as keystone client is hardcoded to use admin endpoint. OS_AUTH_URL is only used to get the initial token, after that the admin endpoint in the catalog is used.

If you want a workaround, you can do

    keystone token-get

Once you get the token, do

    keystone --os-token token_got_in_previous_step --os-service-endpoint your_public_endpoint user-list

BTW please use openstack client as keystone command line client is deprecated.

BTW we are working on fixing this by adding one more environment variable which can be used to select the endpoint. This will be available only for keystone v3 apis using openstack client. I will update once that fix lands.

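The answer above says OS_AUTH_URL is only used for the initial token and that the admin endpoint from the catalog is used afterwards. As an added example (not part of the original answer and not keystoneclient's own code), this Python code picks the per-interface URL out of a v2.0-style service catalog and reports which interfaces fall outside the networks a client can route to; the catalog contents, addresses, function names and the routable-network list are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape of "serviceCatalog" from a Keystone v2.0
# token response; the addresses are made up, not taken from the question.
SAMPLE_CATALOG = [{
    "type": "identity", "name": "keystone",
    "endpoints": [{
        "region": "RegionOne",
        "adminURL": "http://10.0.0.10:35357/v2.0",
        "internalURL": "http://10.0.0.10:5000/v2.0",
        "publicURL": "http://192.0.2.10:5000/v2.0",
    }],
}]
INTERFACES = ("adminURL", "internalURL", "publicURL")


def select_endpoint(catalog, service_type, interface):
    """Return the catalog URL a client pinned to `interface` calls after auth."""
    if interface not in INTERFACES:
        raise ValueError(f"unknown interface {interface!r}")
    for service in catalog:
        if service.get("type") == service_type:
            for ep in service.get("endpoints", []):
                if ep.get(interface):
                    return ep[interface]
    return None


def host_in_networks(url, networks):
    """True if the URL host is an IP literal inside one of `networks`."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname)
    except (ValueError, TypeError):
        return False  # a DNS name or missing host is not resolved here
    return any(addr in ipaddress.ip_network(n) for n in networks)


def unroutable_interfaces(catalog, service_type, routable_networks):
    """Interfaces whose endpoint lies outside networks the client can route to."""
    return [
        iface for iface in INTERFACES
        if (url := select_endpoint(catalog, service_type, iface))
        and not host_in_networks(url, routable_networks)
    ]
```

With only the public range listed as routable, the admin and internal interfaces are reported, which matches the symptom in the question: authentication against the public URL succeeds, then the follow-up call to the admin URL cannot connect.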

answered 2015-06-08 03:24:04 -0500

jlausuch

Ok. That clarifies my question. Thanks!

My problem is that I run a tool which uses keystone CLI internally, and cannot change that code (at least easily) using --os-service-endpoint. I was trying to reproduce the problem for this example using a simple keystone command.

So, I guess my only option for now is to have an IP in the OS-mgmt network, right?



Yes. This is only for keystone client. All other clients use public endpoint

Haneef Ali (2015-06-08 11:01:52 -0500)

Ok. Thanks a lot!

jlausuch (2015-06-08 11:28:49 -0500)
