Configure the Keystone Token Expiration Time

You can change the default Keystone token expiration setting. This may be required to provide sustained access for operations that take more than an hour.

About this task

By default, the Keystone token expiration time is set to 3600 seconds (1 hour). This is the amount of time a token remains valid. The new setting must be between 3600 seconds and 14400 seconds.


  1. On the active controller, become the Keystone admin user.

    $ source /etc/platform/openrc
  2. Ensure that the token_expiration parameter is defined for the identity service.

    $ system service-parameter-list | grep token_expiration
    | 712e4a45-777c-4e83-9d56-5042cde482f7 | identity | config | token_expiration | 3600
  3. Modify the service parameter using the following command:

    $ system service-parameter-modify identity config token_expiration=7200
  4. Apply the configuration change.

    $ system service-parameter-apply identity
    Applying identity service parameters

    Allow a few minutes for the change to take effect.
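
The following pre-flight check is an added example, not part of the original procedure or of StarlingX itself. It reads the current value from `system service-parameter-list` output, rejects any new value outside the 3600 to 14400 second range stated above, and only then prints the modify and apply commands. The function names `current_ttl`, `valid_ttl` and `plan_change` are hypothetical, and the sample row is constructed from the output format shown in step 2.

```shell
#!/usr/bin/env bash
# Added example, not StarlingX code: pre-flight checks for the token_expiration change.
MIN_TTL=3600     # lower bound stated on this page (seconds)
MAX_TTL=14400    # upper bound stated on this page (seconds)

# Constructed sample row, in the format shown in step 2.
SAMPLE_LIST='| 712e4a45-777c-4e83-9d56-5042cde482f7 | identity | config | token_expiration | 3600'

# Read `system service-parameter-list` output on stdin and print the current
# identity/config token_expiration value; exit status 1 if the parameter is absent.
current_ttl() {
    awk -F'|' '
        { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $3 == "identity" && $4 == "config" && $5 == "token_expiration" {
            print $6; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Accept only a plain decimal integer within the documented bounds.
valid_ttl() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, signed, non-numeric, or too long
    esac
    [ "$1" -ge "$MIN_TTL" ] && [ "$1" -le "$MAX_TTL" ]
}

# plan_change NEW_TTL < list-output
# Prints the commands for steps 3 and 4, or explains on stderr why it will not.
plan_change() {
    _new=$1
    _cur=$(current_ttl) || { echo "token_expiration is not defined for identity" >&2; return 2; }
    valid_ttl "$_new" || { echo "refusing '$_new': must be $MIN_TTL..$MAX_TTL seconds" >&2; return 3; }
    if [ "$_new" = "$_cur" ]; then
        echo "token_expiration is already $_cur; nothing to do" >&2
        return 0
    fi
    printf '%s\n' \
        "system service-parameter-modify identity config token_expiration=$_new" \
        "system service-parameter-apply identity"
}

# Demo on the constructed sample. On a controller, after sourcing /etc/platform/openrc:
#   system service-parameter-list | plan_change 7200
printf '%s\n' "$SAMPLE_LIST" | plan_change 7200
```

The script only prints the commands, so the output can be reviewed before it is run on the active controller.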