Authentication and Authorisation

Authentication and Authorisation in EGI Cloud


OpenID Connect is the main authentication protocol used on the EGI Cloud. It replaces the legacy VOMS-based authentication for all OpenStack providers.

Authentication to web based services (like the AppDB) will redirect you to the EGI Check-in authentication page. Just select your institution or social login and follow the regular authentication process.

Access to APIs or via command-line interfaces (CLI) requires the use of OAuth2.0 tokens and interaction with the OpenStack Keystone OS-FEDERATION API. The process for authentication is as follows:

  1. Obtain a valid OAuth2.0 access token from Check-in. Access tokens are short-lived credentials that can be obtained by recognised Check-in clients once a user has been authenticated.
  2. Interchange the Check-in access token for a valid unscoped Keystone token.
  3. Discover available projects from Keystone using the unscoped token.
  4. Use the unscoped Keystone token to get a scoped token for a valid project. Scoped tokens will allow the user to perform operations on the provider.


Cloud Compute service is accessed through Virtual Organisations (VOs). Users that are members of a VO will have access to the providers supporting that VO: they will be able to manage VMs, block storage and object storage available to the VO. Resources (VMs and storage) are shared across all members of the VO, please do not interfere with the VMs of other users if you are not entitled to do so (specially do not delete them).

Some users roles have special consideration in VOs:

  • Users with VO Manager, VO Deputy or VO Expert Role have extra privileges in the AppDB for managing the Virtual Appliances to be available at every provider. Check the Virtual Machine Image Management documentation for more information.

Pilot VO

The Virtual Organisation serves as a test ground for users to try the Cloud Compute service and to prototype and validate applications. It can be used for up to 6 month by any new user.

For joining this VO, please click on the enrollment URL using your EGI account.

Other VOs

Pre-existing VOs of EGI can be also used on IaaS cloud providers. Consult with your VO manager or browse the existing VOs at the EGI Operations Portal.

Check-in and access tokens

Access tokens can be obtained via several mechanisms, usually involving the use of a web server and a browser. Command-line clients/APIs without access to a browser or interactive prompt for user authentication can use refresh tokens. A refresh token is a special token that is used to generate additional access tokens. This allows you to have short-lived access tokens without having to collect credentials every single time one expires. You can request this token alongside the access and/or ID tokens as part of a user’s initial authentication flow.

If you need to obtain these kind of tokens for using it in command-line tools or APIs, you can easily do so with the EGI Check-in Token Portal. You can access the EGI Check-in Token Portal and click on 'Authorise' to log in with your Check-in credentials to obtain:

  • a client ID (token-portal)
  • a refresh token

Alternatively, you can use the oidc-agent tool that is able to manage your tokens locally, or the fedcloud client executed inside EGI Notebooks.

Discovering projects in Keystone

The access token will provide you access to a cloud provider, but you may have access to several different projects within that provider (a project can be considered equivalent to a VO allocation). In order to discover which projects are available you can do that using the Keystone API.

You can use the fedcloud client to simplify the discovery of projects.

# Get a list of sites (also available in [AppDB](
fedcloud site list
# Get list of projects that you are allowed to access
# You can either specify the name of the account in your oidc-agent configuration
# or directly a valid access token
fedcloud endpoint projects --site=<name of the site> \
         [--oidc-agent-account <account name>|--oidc-access-token <access token>]
# You can also use environment variables for the configuration
export EGI_SITE=<name of the site>
export OIDC_ACCESS_TOKEN=<your access token>
fedcloud endpoint projects
# or with  oidc-agent
export OIDC_AGENT_ACCOUNT=<account name>
fedcloud enpoint projects

Using the OpenStack API

Once you know which project to use, you can use your regular openstack cli commands for performing actual operations in the provider:

fedcloud openstack image list --site <NAME_OF_SITE> --vo <NAME_OF_VO>

For third-party tools that can use token based authentication in OpenStack, use the following command:

export OS_TOKEN=$(fedcloud openstack --site <NAME_OF_SITE> --vo <NAME_OF_VO> \
                  token issue -c id -f value)

Legacy X.509 AAI

VOMS uses X.509 proxies extended with VO information for authentication and authorisation on the providers. You can learn about X.509 certificates and VOMS in the Check-in documentation.

VOMS configuration

Valid configuration for is available on the FedCloud client VM as generated by the fedcloud-ui installation script.

VOMS client expects your certificate and private key to be available at $HOME/.globus/usercert.pem and $HOME/.globus/userkey.pem respectively.

Access the providers

VOMS authentication differs from one provider to another depending on the technology used. There are 3 different cases handled automatically by the rOCCI-cli. For accessing native OpenStack sites there are two different plugins available for Keystone that are installed with a single library:

pip install openstack-voms-auth-type

For Keystone-VOMS based installations (Keystone URL ending on /v2.0), just define the location of your proxy and v2voms as authorisation plugin:

openstack --os-auth-url https://<keystone-url>/v2.0 \
          --os-auth-type v2voms --os-x509-user-proxy /tmp/x509up_u1000 \
          token issue
| Field   | Value                                                                                                                                                              |
| expires | 2019-02-04T12:41:25+0000                                                                                                                                           |
| id      | gAAAAABcWCTlMoz6Jx9IHF5hj-ZOn-CI17CfX81FTn7yy0ZJ54jkza7QNoQTRU5-KRJkphmes55bcoSaaBRnE3g2clFgY-MR2GVUJZRkCmj9TXsLZ-hVBWXQNENiX9XxUwnavj7KqDn4b9B1K22ijTrjdDVkcdpvMw |
| user_id | 9310054c2b6f4fd28789ee08c2351221                                                                                                                                   |

For those Keystone installations supporting only v3, specify v3voms as authorisation plugin, as identity provider, mapped as protocol, and the location of your proxy:

openstack --os-auth-url https://<keystone url>/v3 \
          --os-auth-type v3voms --os-x509-user-proxy /tmp/x509up_u1000 \
          --os-identity-provider --os-protocol mapped \
          token issue
| Field   | Value                                                                                                                                                                                                        |
| expires | 2019-02-04T12:45:32+0000                                                                                                                                                                                     |
| id      | gAAAAABcWCXcXGUDpHUYnI1IDLW3MnEpDzivw_OPaau8DQDYxA7gK9XsmOqZh1pL5Uqqs8aM-tHowdJQnJURww2-UhmQVqk5PxbjdnvLeqtXPYURCLaSsbmhkQg6kB311c_ZA1jfgdT-pG6fZz3toeH66SEFX-H0bThSUy0KFLhcZVkrZIbYgTsAOIzFkTfLjOgTw_tNChS8 |
| user_id | 50fa8516b2554daeae652619ba9ebf96                                                                                                                                                                             |