How to create ec2 credentials with openstacksdk or boto3?


I need to create EC2 credentials, analogous to the CLI command:
openstack ec2 credentials create, which should return me access and secret keys.
I went through the https://docs.openstack.org/openstacksdk/latest/user/connection.html documentation and only found keypair methods, but they are about public/private keys.
I went through the documentation and found an API for working with secrets, but it is not what I am looking for.
Is there an implementation, or maybe just a REST API method from OpenStack (OpenStack Swift), which I could wrap in requests myself?
I need those credentials to work with S3 buckets and stuff. Basically, for this:

import boto3

s3 = boto3.resource(
    's3',
    region_name='us-east-1',
    aws_access_key_id=KEY_ID,
    aws_secret_access_key=ACCESS_KEY
)
content="String content to write to a new S3 file"
s3.Object('my-bucket-name', 'newfile.txt').put(Body=content)

So the method I am looking for should return me:
access_key (32 chars long)
secret (32 chars long)
optionally links, user_id, trust_id

There are 1 best solutions below


OpenStack has an entire page about its Identity API. What you want is called credentials in OpenStack, and as you said, it needs the EC2 credentials in order to connect to any S3 browser with Swift.

The URL is "v3/credentials" and you need to send a POST request along with your token.

So, in summary, you'd first create your token (you can find the token inside the header called X-Subject-Token, that's why we use the -i flag for curl):

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "YOUR_ADMIN_NAME (YOU ALSO HAVE AND ATTRIBUTE CALLED ID)",
          "domain": { "id": "YOUR_DOMAIN_ID" },
          "password": "YOUR_ADMIN_PASSWORD"
        }
      }
    }
  }
}' \
  "YOUR_KEYSTONE_URL/v3/auth/tokens" ; echo

Then, you'd create the EC2 Credentials, like this:

curl -i -X POST "YOUR_KEYSTONE_URL/v3/credentials" -H "Content-Type: application/json" -H "X-Auth-Token: YOUR_TOKEN_PREVIOUS_FETCHED" -d '{
    "credential": {
        "blob": "{\"access\":\"123456\",\"secret\":\"SOME_SECRET_KEY\"}",
        "project_id": "THE_PROJECT_ID_OF_USER",
        "type": "ec2",
        "user_id": "THE_USER_WHO_NEEDS_CREDENTIALS"
    }
}'

And the response is something like:

{"token": {"methods": ["password"], "user": {"domain": {"id": "DOMAIN_ID", "name": "DOMAIN_NAME"}, "id": "USER_ID", "name": "USER_NAME", "password_expires_at": null}, "audit_ids": ["3S7UdvgpQS-rhD4eqD7xMQ"], "expires_at": "2021-09-23T17:43:58.000000Z", "issued_at": "2021-09-22T17:43:58.000000Z"}}

Ideally you'd look for this response to have the status 201 CREATED.

If you want to take a look at the Keystone API, this is the link: https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=create-credential-detail#credentials
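
The two curl calls above as Python, with the access and secret values drawn from the secrets module instead of fixed strings. This is an added example, not part of the original answer; the function names are hypothetical, and it assumes the requests library plus your own Keystone URL, user, domain and project values.

```python
import json
import secrets


def password_auth_body(user_name, domain_id, password):
    """Body for POST /v3/auth/tokens, same shape as the curl call above."""
    user = {"name": user_name, "domain": {"id": domain_id}, "password": password}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}}}}


def ec2_credential_body(user_id, project_id):
    """Body for POST /v3/credentials. On this endpoint the caller supplies the
    key pair, so draw both from a CSPRNG (16 random bytes -> 32 hex chars)."""
    access, secret = secrets.token_hex(16), secrets.token_hex(16)
    blob = json.dumps({"access": access, "secret": secret})  # blob is a JSON string
    body = {"credential": {"type": "ec2", "blob": blob,
                           "user_id": user_id, "project_id": project_id}}
    return body, access, secret


def create_ec2_credentials(keystone_url, user_name, domain_id, password,
                           user_id, project_id, session=None):
    """Run both steps and return (access, secret); raise if either call fails."""
    if session is None:
        import requests  # assumption: the requests library is installed
        session = requests.Session()
    resp = session.post(f"{keystone_url}/v3/auth/tokens", timeout=10,
                        json=password_auth_body(user_name, domain_id, password))
    resp.raise_for_status()
    token = resp.headers["X-Subject-Token"]  # token is in a header, not the body

    body, access, secret = ec2_credential_body(user_id, project_id)
    resp = session.post(f"{keystone_url}/v3/credentials", json=body, timeout=10,
                        headers={"X-Auth-Token": token})
    if resp.status_code != 201:  # 201 Created is the success status
        raise RuntimeError(f"credential not created: HTTP {resp.status_code}")
    return access, secret
```

The returned pair is what the question's boto3 snippet takes as aws_access_key_id and aws_secret_access_key.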