Keystone projects can have any number of members, each is given a per-project role which defines the environments a member has access to.
All Keystone users are identified by a member id,
composed as such:
service-name is the service used to authentify
ks login (currently, that’s either
username is the username on that service.
For example, if you used your GitHub account to login,
and your GitHub username is
your Keystone member id is
In doubt, use
ks whoami to display your Keystone member id.
When adding members to a project with
ks member add,
you will be asked to assign them a role among four:
developer: has read-write access only to the
devenvironment, they cannot read nor write the others;
developer (invite): same as
developerbut can add and remove developer members;
devops: has read-write access to all environments, and can add and remove developer and devops members;
admin: has read-write acces to all environments, can add all types of members, can destroy the project.
Add and Remove Members, Setting Roles
admin users can add and remove members, or change their role. Moreover, a member cannot add, remove or change the role of a member that “ranks” higher than them.
“developer” < “developer (invite)” < “devops” < “admin”
For example, a
developer (invite) member can add, or remove
but cannot add, nor remove a
devops member, and so on.
For an exhaustive list of possible command regarding members, see: