Prowler currently supports public cloud OpenStack providers (OVH, Infomaniak, Vexxhost, etc.). Support for self-deployed OpenStack environments is not yet available and will be added in future releases.
This guide shows how to obtain OpenStack credentials and configure Prowler to scan your OpenStack infrastructure using the recommended clouds.yaml authentication method.

Quick Start: Getting Your OpenStack Credentials

Step 1: Create an OpenStack User with Reader Role

Before using Prowler, create a dedicated user in your OVH Public Cloud account:
  1. Log into the OVH Control Panel
  2. Navigate to “Public Cloud” → Select your project
  3. Click “Users & Roles” in the left sidebar
  4. Click “Add User”
  5. Enter a user description (e.g., Prowler Audit User)
  6. Assign the “Infrastructure Supervisor” role (this is the reader role) or specific read-only operator roles (if needed to audit only specific services)
  7. Click “Generate” to create the user
  8. Copy the password and store it securely
Avoid using administrator or member roles for security auditing. Reader or operator roles provide sufficient access for Prowler while maintaining security best practices.

Step 2: Access the Horizon Dashboard

  1. From the OVH Control Panel, go to “Public Cloud” → Your project
  2. Click “Horizon” in the left sidebar (or access the Horizon URL provided by OVH)
  3. Log in with the user credentials created in Step 1. Ensure the correct user is selected; logging in with the root user will download root user credentials. If the wrong user is logged in, log out and log in again with the correct user.

Step 3: Navigate to API Access

Once logged into Horizon:
  1. In the left sidebar, click “Project”
  2. Navigate to “API Access”
  3. You’ll see the API Access page with information about your OpenStack endpoints

Step 4: Download the clouds.yaml File

The clouds.yaml file contains all necessary credentials in the correct format for Prowler:
  1. On the API Access page, look for the “Download OpenStack RC File” dropdown button
  2. Click the dropdown and select “OpenStack clouds.yaml File”
  3. The file will be downloaded to your computer
The clouds.yaml file contains your password in plain text. Ensure you store it securely with appropriate file permissions (see Security Best Practices below).

Step 5: Configure clouds.yaml for Prowler

Save the file to the default OpenStack configuration directory:
# Create the directory if it doesn't exist
mkdir -p ~/.config/openstack

# Move or copy the downloaded clouds.yaml file
mv ~/Downloads/clouds.yaml ~/.config/openstack/clouds.yaml

# Set secure file permissions
chmod 600 ~/.config/openstack/clouds.yaml
The downloaded file will look similar to this:
clouds:
  openstack:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3
      username: user-xxxxxxxxxx
      password: your-password-here
      project_id: your-project-id
      project_name: your-project-name
      user_domain_name: Default
      project_domain_name: Default
    region_name: GRA7
    interface: public
    identity_api_version: 3
You can customize the cloud name (e.g., change openstack to ovh-production):
clouds:
  ovh-production:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3
      username: user-xxxxxxxxxx
      password: your-password-here
      project_id: your-project-id
      user_domain_name: Default
      project_domain_name: Default
    region_name: GRA7
    identity_api_version: "3"
Alternatively, save the file to a custom location and specify the path when running Prowler:
# Save the clouds.yaml file to a custom location
mv ~/Downloads/clouds.yaml /path/to/my/clouds.yaml

# Set secure file permissions
chmod 600 /path/to/my/clouds.yaml

Step 6: Run Prowler

Now you can scan your OVH OpenStack infrastructure.
Using the default location:
prowler openstack --clouds-yaml-cloud openstack
Or if you customized the cloud name:
prowler openstack --clouds-yaml-cloud ovh-production
Using a custom location:
prowler openstack --clouds-yaml-file /path/to/my/clouds.yaml --clouds-yaml-cloud openstack
Prowler will authenticate with your OVH OpenStack cloud and begin scanning.

Managing Multiple OpenStack Environments

To scan multiple OpenStack projects or providers, add multiple cloud configurations to your clouds.yaml:
clouds:
  ovh-production:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3
      username: user-prod
      password: prod-password
      project_id: prod-project-id
      user_domain_name: Default
      project_domain_name: Default
    region_name: GRA7
    identity_api_version: "3"

  ovh-staging:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3
      username: user-staging
      password: staging-password
      project_id: staging-project-id
      user_domain_name: Default
      project_domain_name: Default
    region_name: SBG5
    identity_api_version: "3"

  infomaniak-production:
    auth:
      auth_url: https://api.pub1.infomaniak.cloud/identity/v3
      username: infomaniak-user
      password: infomaniak-password
      project_id: infomaniak-project-id
      user_domain_name: Default
      project_domain_name: Default
    region_name: dc3-a
    identity_api_version: "3"
Then scan each environment separately:
prowler openstack --clouds-yaml-cloud ovh-production --output-directory ./reports/ovh-prod/
prowler openstack --clouds-yaml-cloud ovh-staging --output-directory ./reports/ovh-staging/
prowler openstack --clouds-yaml-cloud infomaniak-production --output-directory ./reports/infomaniak/

Creating a User With Reader Role

For security auditing, Prowler only needs read-only access to your OpenStack resources.

Understanding OpenStack Roles

OpenStack uses a role-based access control (RBAC) system. Common read-only roles include:
| Role | Access Level | Recommended for Prowler |
| --- | --- | --- |
| Reader | Read-only access to all resources | Recommended |
| Viewer | Read-only access (older deployments) | Recommended |
| Compute/Network/ObjectStore Operator | Service-specific read-only access | Recommended (OVH) |
| Member | Read and limited write access | ⚠️ Too permissive |
| Admin | Full administrative access | Not recommended |
Avoid using administrator or member roles for security auditing. Reader or Viewer roles provide sufficient access for Prowler while maintaining security best practices.

How to Assign the Reader Role

The process for creating a user with the Reader role is covered in the Quick Start section above. Select your provider’s tab (OVH or Generic Public Cloud) for detailed instructions.

Verifying Read-Only Access

After assigning read-only roles, verify the user cannot make changes:
  1. Log into Horizon with the Prowler user credentials
  2. Attempt to create or modify a resource (e.g., create an instance)
  3. The action should be denied or the UI should show read-only mode
Some OpenStack deployments may use custom role names. Consult your OpenStack administrator to identify the appropriate read-only role for your environment.

Alternative Authentication Methods

While clouds.yaml is the recommended method, Prowler also supports these alternatives:

Environment Variables

Set OpenStack credentials as environment variables:
export OS_AUTH_URL="https://openstack.example.com:5000/v3"
export OS_USERNAME="prowler-audit"
export OS_PASSWORD="your-secure-password"
export OS_PROJECT_ID="your-project-id"
export OS_REGION_NAME="RegionOne"
export OS_IDENTITY_API_VERSION="3"
export OS_USER_DOMAIN_NAME="Default"
export OS_PROJECT_DOMAIN_NAME="Default"
Then run Prowler:
prowler openstack

Command-Line Arguments (Flags)

Pass credentials directly via CLI flags:
prowler openstack \
  --os-auth-url https://openstack.example.com:5000/v3 \
  --os-username prowler-audit \
  --os-password your-secure-password \
  --os-project-id your-project-id \
  --os-user-domain-name Default \
  --os-project-domain-name Default \
  --os-identity-api-version 3
Avoid passing passwords via command-line arguments in production environments. Commands may appear in shell history, process listings, or logs. Use clouds.yaml or environment variables instead.

Authentication Priority

When multiple authentication methods are configured, Prowler uses this priority order:
  1. clouds.yaml (if --clouds-yaml-file or --clouds-yaml-cloud is provided)
  2. Command-line arguments + Environment variables (CLI arguments override environment variables)

Security Best Practices

File Permissions

Protect your clouds.yaml file from unauthorized access:
# Set read/write for owner only
chmod 600 ~/.config/openstack/clouds.yaml

# Verify permissions
ls -la ~/.config/openstack/clouds.yaml
# Should show: -rw------- (600)

Credential Management

  • Use dedicated audit users: Create separate OpenStack users specifically for Prowler audits
  • Use read-only roles: Assign only Reader or Viewer roles to limit access
  • Rotate credentials regularly: Change passwords and regenerate credentials periodically
  • Use Application Credentials: For advanced setups, use OpenStack Application Credentials with scoped permissions and expiration dates
  • Avoid hardcoding passwords: Never commit clouds.yaml files with passwords to version control
  • Use secrets managers: For production environments, consider using tools like HashiCorp Vault or AWS Secrets Manager to store credentials

Network Security

  • Use HTTPS: Always connect to OpenStack endpoints via HTTPS
  • Verify SSL certificates: Avoid using --insecure flag in production
  • Restrict network access: Use firewall rules to limit access to OpenStack APIs
  • Use VPN or private networks: When possible, run Prowler from within your private network
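
The File Permissions, Credential Management and Network Security points above can be checked in one pre-flight pass before a scan. This is an added example, not part of Prowler: `audit_clouds_yaml` is a hypothetical helper, the `verify` and `insecure` keys are openstacksdk clouds.yaml settings that this page does not show, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Prowler code): audit a clouds.yaml before scanning.
# Prints one finding per line; the return status is the number of findings.
audit_clouds_yaml() {
  local file="$1" findings=0 mode
  [ -r "$file" ] || { echo "UNREADABLE: $file"; return 1; }

  # File Permissions: the file holds a plain-text password, so owner-only.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "PERMS: mode $mode, expected 600"; findings=$((findings + 1)) ;;
  esac

  # Network Security: auth_url must use HTTPS.
  if grep -Eq '^[[:space:]]*auth_url:[[:space:]]*["'\'']?http://' "$file"; then
    echo "HTTP_AUTH_URL: auth_url is not https"; findings=$((findings + 1))
  fi

  # Network Security: keys that switch certificate checks off for a cloud.
  if grep -Eiq '^[[:space:]]*(verify:[[:space:]]*false|insecure:[[:space:]]*true)' "$file"; then
    echo "TLS_VERIFY_OFF: certificate verification disabled"
    findings=$((findings + 1))
  fi

  # Credential Management: flag a file that git tracks in its directory.
  if git -C "$(dirname "$file")" ls-files --error-unmatch \
       "$(basename "$file")" >/dev/null 2>&1; then
    echo "IN_GIT: file is tracked by version control"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: world-readable, HTTP endpoint, verification disabled.
sample_dir=$(mktemp -d)
cat > "$sample_dir/clouds.yaml" <<'EOF'
clouds:
  example-cloud:
    auth:
      auth_url: http://openstack.example.com:5000/v3
      username: prowler-audit
      password: constructed-placeholder
    verify: false
EOF
chmod 644 "$sample_dir/clouds.yaml"
audit_clouds_yaml "$sample_dir/clouds.yaml" || echo "findings: $?"
```

A return status of 0 means none of the four checks fired; it does not show that the credentials work or that the role is read-only.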

Troubleshooting

“Missing mandatory OpenStack environment variables” Error

This error occurs when required credentials are not configured:
# Check current environment variables
env | grep OS_

# Verify clouds.yaml exists and is readable
cat ~/.config/openstack/clouds.yaml
Solution: Ensure all required credentials are configured using one of the authentication methods above.

“Failed to create OpenStack connection” Error

This error indicates authentication failure. Verify:
  • ✅ Auth URL is correct and accessible: curl -k https://auth-url/v3
  • ✅ Username and password are correct
  • ✅ Project ID exists and you have access
  • ✅ Network connectivity to the OpenStack endpoint
  • ✅ SSL/TLS certificates are valid
Solution: Test authentication using the OpenStack CLI:
openstack --os-cloud openstack server list
If this fails, your credentials or network connectivity need attention.

“Cloud ‘name’ not found in clouds.yaml” Error

This error occurs when the specified cloud name doesn’t exist in clouds.yaml.
Solution:
  • Verify the cloud name matches exactly (case-sensitive)
  • Check your clouds.yaml file for the correct cloud name:
    cat ~/.config/openstack/clouds.yaml
    
  • Ensure proper YAML syntax (use a YAML validator if needed)
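
Printing the whole file with `cat` also prints the stored password to the terminal. The following added example (not part of Prowler) lists only the cloud names and tests for an exact, case-sensitive match; `list_cloud_names` and `cloud_exists` are hypothetical helpers, the parsing assumes the two-space indentation used in the examples on this page, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Prowler code): inspect cloud names without showing secrets.

# Print the names defined directly under the top-level "clouds:" key.
list_cloud_names() {
  awk '
    /^clouds:[ \t]*$/ { in_clouds = 1; next }
    /^[^ \t#]/        { in_clouds = 0 }   # any other top-level key ends the block
    in_clouds && /^  [^ \t#][^:]*:[ \t]*$/ {
      name = $1; sub(/:$/, "", name); print name
    }
  ' "$1"
}

# Succeed only when the requested name matches a defined cloud exactly.
cloud_exists() {
  list_cloud_names "$1" | grep -Fxq -- "$2"
}

# Constructed sample with two clouds and placeholder passwords.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
clouds:
  ovh-production:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3
      username: user-prod
      password: constructed-placeholder
    region_name: GRA7
  ovh-staging:
    auth:
      auth_url: https://auth.cloud.ovh.net/v3
      username: user-staging
      password: constructed-placeholder
    region_name: SBG5
EOF
list_cloud_names "$demo_file"
cloud_exists "$demo_file" "OVH-Production" || echo "not found: OVH-Production"
```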

Permission Denied Errors

If specific checks fail due to insufficient permissions:
  1. Verify role assignments:
    openstack role assignment list --user prowler-audit --project your-project
    
  2. Ensure the user has Reader or Viewer roles
  3. Check if specific services require additional permissions (consult your OpenStack administrator)
Using Public Cloud credentials can limit Keystone API access, so the command above may not work. Verify permissions in the provider’s control panel instead.
