Mohammed NaserEliminate static API keys and credential sprawl with our open-source Vault and OpenBao plugin that generates short-lived OpenStack application credentials on demand—now with multi-project support.
Today we're releasing major updates to our OpenStack Secrets Engine. The plugin now works with both HashiCorp Vault and OpenBao.
Why ephemeral credentials matter
Static API keys are a liability. They end up scattered across config files, CI/CD pipelines, and environment variables. When credentials don't expire, neither does your exposure window.
Our secrets engine flips this model. Applications request credentials when they need them, use them immediately, and watch them expire minutes later.
No rotation schedules. No keys to track. No emergency revocations after incidents.
What's new
- Multi-project support. This was our most requested feature. You can now define project-scoped rolesets that generate credentials for specific OpenStack projects—each with precisely the roles needed.
- Modernized codebase. We've rebuilt on Gophercloud v2 and Go 1.25. Configuration now uses OpenStack-native naming—parameters like
user_domain_idandproject_domain_namematch standard tooling.
Compliance gets simpler
Dynamic credentials change the audit conversation. Instead of explaining rotation policies and access reviews, you demonstrate that credentials physically cannot be long-lived.
Every request is authenticated, authorized, and logged. This aligns with zero-trust principles that SOC 2, ISO 27001, and PCI DSS frameworks increasingly expect.
Open source
The plugin is Apache 2.0 licensed. We built it because we needed it—we run it in production on VEXXHOST infrastructure.
Installation takes minutes. See the README for details.