Skip to main content
Prowler supports OpenStack both from the CLI and from Prowler Cloud. This guide walks you through the requirements, how to connect the provider in the UI, and how to run scans from the command line.
Prowler currently supports public cloud OpenStack providers (OVH, Infomaniak, Vexxhost, etc.). Support for self-deployed OpenStack environments is not yet available, if you are interested in this feature, please open an issue or contact us.

Prerequisites

Before running Prowler with the OpenStack provider, ensure you have:
  1. An OpenStack public cloud account with at least one project
  2. Access to the Horizon dashboard or provider control panel
  3. An OpenStack user with the Reader role assigned to your project (see detailed instructions in the Authentication guide)
  4. Access to Prowler CLI (see Installation) or an account created in Prowler Cloud

Prowler Cloud

Onboard OpenStack using Prowler Cloud

Prowler CLI

Onboard OpenStack using Prowler CLI

Prowler Cloud

Step 1: Add the Provider

  1. Navigate to “Providers” and click “Add Provider”. Providers List
  2. Select “OpenStack” from the provider list.
  3. Enter the “Project ID” from the OpenStack provider. Add project ID form
  4. (Optional) Add a friendly alias to identify this project in dashboards.

Step 2: Provide Credentials

  1. Click “Next” to open the credentials form.
  2. Paste the full content of the clouds.yaml file into the “Clouds YAML Content” field. This file is available in the OpenStack provider’s Horizon dashboard (see the Authentication guide for detailed instructions).
  3. Enter the “Cloud Name” — this is the key that identifies the cloud entry inside the clouds.yaml file (e.g., mycloud). Credentials form

Step 3: Test the Connection and Start Scanning

  1. Click “Test connection” to ensure Prowler Cloud can reach the OpenStack API. Test connection
  2. The provider will appear in the list with its current connection status.
  3. Launch a scan from the provider row or from the “Scans” page.

Prowler CLI

Step 1: Set Up Authentication

Download the clouds.yaml file from your OpenStack provider (see Authentication guide for detailed instructions) and save it to ~/.config/openstack/clouds.yaml:
Prowler supports multiple authentication methods: Option 1: Using clouds.yaml (Recommended)
Option 2: Using Environment Variables
Option 3: Using Flags (CLI Arguments)
For detailed step-by-step instructions with screenshots, see the OpenStack Authentication guide.

Step 2: Run Your First Scan

Run a baseline scan of your OpenStack cloud:
Replace openstack with the custom cloud name defined in the clouds.yaml file (e.g., ovh-production). Prowler will automatically discover and audit all supported OpenStack services in your project. Scan a specific OpenStack service:
Run specific security checks:
Filter by check severity:
Generate specific output formats:
Scan multiple OpenStack clouds: Configure clouds.yaml with multiple cloud configurations:
Run audits against each environment:
Scan all regions in a single run: If your OpenStack project spans multiple regions, replace region_name with a regions list in your clouds.yaml:
Prowler will connect to each region and scan resources across all of them. See the Authentication guide for more details.
You must use either region_name (single region) or regions (multi-region list), not both.
Use mutelist to suppress findings: Create a mutelist file to suppress known findings:
Run with mutelist:

Step 3: Review the Results

Prowler outputs findings to the console and generates reports in multiple formats. By default, Prowler generates reports in the output/ directory:
  • CSV format: output/prowler-output-{timestamp}.csv
  • JSON format: output/prowler-output-{timestamp}.json
  • HTML dashboard: output/prowler-output-{timestamp}.html

Supported OpenStack Services

Prowler currently supports security checks for the following OpenStack services:
Support for additional OpenStack services will be added in future releases. Check the release notes for updates.

Troubleshooting

Authentication Errors

If encountering authentication errors:
  1. Verify credentials are correct:
  2. Check network connectivity to the authentication endpoint:
  3. Verify the Identity API version is v3:
For detailed troubleshooting, see the Authentication guide.

Permission Errors

If checks are failing due to insufficient permissions:
  • Ensure your OpenStack user has the Reader role assigned to the project
  • Check role assignments in your provider’s control panel or Horizon dashboard
  • Verify that your user has access to all required services (Compute, Networking, Identity, etc.)
  • Contact your OpenStack provider support if you need additional permissions

Keystone/Identity Service Limitations

Public cloud OpenStack providers (OVH, Infomaniak, Vexxhost, etc.) typically do not expose the Keystone/Identity service API to customers for security reasons. This means that Identity-related security checks may not be available or may return limited information.This is expected behavior, not an error. This limitation explains why those checks are not currently available in Prowler.
If you see errors related to the Identity service:
  • This is expected behavior for public cloud providers
  • Identity-related checks will be added for self-deployed OpenStack environments in future releases
  • Focus on other available services (Compute, Networking, Storage, etc.)

OpenStack Additional Resources

  • Supported OpenStack versions: Stein (2019.1) and later
  • Minimum Identity API version: v3
  • Tested providers: OVH Public Cloud, OpenStack-Ansible, DevStack
  • Cloud compatibility: Fully compatible with standard OpenStack APIs