This blog assumes that you have already set up a Ceph RadosGW with Keystone authentication.
The Keystone admin token is the old, insecure and deprecated method of authenticating against an OpenStack Identity server. It was used to bootstrap the creation of OpenStack users and projects, and a good practice was to disable this feature completely to avoid bad security surprises.
But the Ceph RadosGW documentation for the stable releases - jewel as of this writing - clearly states that you need to use this admin token, and that there's no other way to connect with Keystone:
Well that's not true.
Authentication using a service account has been supported for quite a while, but was never documented. Keystone v3 has also been supported since the jewel release. The master docs have nice updates:
For Keystone v3 you can use something like this in your ceph.conf:

    [client.rgw.HOSTNAME]
    rgw keystone url = http://keystone.host:35357
    rgw keystone admin user = ceph
    rgw keystone admin password = S3Cr3t
    rgw keystone admin project = admin
    rgw keystone admin domain = default
    rgw keystone api version = 3
    ...

You need to create a ceph service account and give it the admin role:

    $ openstack user create ceph --password-prompt
    $ openstack role add --user ceph --project admin admin

Don't forget to disable the admin_token_auth filter by removing it from your paste-deploy pipeline in /etc/keystone/keystone-paste.ini.
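
To confirm the migration is complete, the following added example (not part of the original post) checks a keystone-paste.ini for pipelines that still list admin_token_auth and a ceph.conf for RadosGW sections that still set the admin token. The function names and sample file contents are constructed for illustration, and `rgw_keystone_admin_token` is assumed to be the option name used by the old token-based setup.

```python
import configparser

# Constructed sample files for illustration; not from a real deployment.
SAMPLE_PASTE = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = sizelimit admin_token_auth token_auth json_body public_service

[pipeline:api_v3]
pipeline = sizelimit token_auth json_body service_v3
"""

SAMPLE_CEPH = """\
[client.rgw.gateway1]
rgw keystone url = http://keystone.host:35357
rgw_keystone_admin_token = ADMIN

[client.rgw.gateway2]
rgw keystone url = http://keystone.host:35357
rgw keystone admin user = ceph
rgw keystone api version = 3
"""


def _parse(text):
    # interpolation=None: values such as passwords may contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def pipelines_with_admin_token(paste_text):
    """Names of paste-deploy pipelines that still list admin_token_auth."""
    cp = _parse(paste_text)
    return sorted(
        s for s in cp.sections()
        if s.startswith("pipeline:")
        and "admin_token_auth" in cp.get(s, "pipeline", fallback="").split()
    )


def rgw_sections_using_admin_token(ceph_text):
    """ceph.conf sections that still set the shared admin token."""
    cp = _parse(ceph_text)
    # Ceph accepts option names written with spaces or underscores.
    return sorted(
        s for s in cp.sections()
        if "rgw_keystone_admin_token" in {k.replace(" ", "_") for k in cp.options(s)}
    )
```

Pass the contents of /etc/keystone/keystone-paste.ini and your ceph.conf to these functions; both should return an empty list once the service account is in use.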