Establish TMS Credentials

by Silvia Mazzoni, DesignSafe, 2025

Before you can submit jobs via Tapis, you need to establish your TMS credentials on the execution system you plan to submit to.
This needs to be done only once per “execution system”, such as stampede3, per account.

We will set this up for the three common systems used in DesignSafe: systems = ["stampede3", "ls6", "frontera"]

TMS = Trust Management System: https://tms-documentation.readthedocs.io/en/latest/

What is TMS?

TMS is a multi-tenant web application exposing a REST API to manage SSH keys, client applications, user delegations, user/MFA authentication, hosts, and user/host account mappings. TMS also has modules that run on hosts, such as High Performance Computing (HPC) login nodes, VMs or IoT devices.

Set up User Credentials

The tapis.systems.checkUserCredential function in the Tapis v3 Python SDK (tapipy) is used to check whether the authenticated user has valid credentials on a given Tapis system.
Specifically, it answers the question: "Can this user run jobs or access files on this system (e.g., a cluster or storage system)?"

tapis.systems.checkUserCredential

  • Usage

    t.systems.checkUserCredential(systemId='your-system-id')
    
  • Parameters

    systemId (string): The ID of the Tapis system you want to check (e.g., a compute system like stampede3.tacc.utexas.edu or a storage system).

  • Returns

    A response indicating whether valid credentials are available (usually a boolean or success message, depending on how the SDK formats it).

  • Typical Use Case

    Before submitting a job or transferring files, you might want to verify that the Tapis user has valid SSH or access credentials installed for the remote system. For example:

    resp = t.systems.checkUserCredential(systemId='stampede3.tacc.utexas.edu')
    print(resp.result)  # Will be True if credentials exist, False otherwise
    

    If False, the user needs to:

    • Add credentials (e.g., via systems.createUserCredential)

    • Or re-authenticate if the current credentials expired

  • Learn more: Tapis Documentation – Systems

User Input

username = 'silvia'
systems = ["stampede3", "ls6", "frontera"]

Connect to Tapis

t=OpsUtils.connect_tapis()
 -- Checking Tapis token --
 Token loaded from file. Token is still valid!
 Token expires at: 2025-08-22T07:29:28+00:00
 Token expires in: 3:31:47.660505
-- LOG IN SUCCESSFUL! --

Remove your Existing TMS Credentials (Optional)

Do this only if you must, which is why the cell below is commented out.
A simple Python function to do this has been saved in DesignSafe Community.

# for system_id in systems:
#     OpsUtils.revoke_tms_credentials(t,system_id,username)
-- CREDENTIALS REMOVED SUCCESSFULLY!!! --
-- CREDENTIALS REMOVED SUCCESSFULLY!!! --
-- CREDENTIALS REMOVED SUCCESSFULLY!!! --

Establish TMS Credentials

The Python function checks whether the user has TMS credentials on the system. If not, it creates new ones.

establish_tms_credentials.py
# /home/jupyter/CommunityData/OpenSees/TrainingMaterial/training-OpenSees-on-DesignSafe/OpsUtils/OpsUtils/Tapis/establish_tms_credentials.py
def establish_tms_credentials(tapis, system_id: str, username: str):
    """
    Ensure that a user has valid TMS (Trust Management System) credentials on a given system.

    This function checks if the specified user already has credentials (such as TMS_KEYS) 
    registered on the specified Tapis system. If the credentials are missing, it 
    automatically establishes them (for systems that use TMS_KEYS authentication).

    This is essential for enabling file operations, data transfers, and job submissions
    that require user-level credentials on systems like DesignSafe storage.

    Parameters
    ----------
    tapis : Tapis
        An authenticated Tapis client (from connect_tapis()).

    system_id : str
        The ID of the Tapis-registered system (e.g. 'designsafe.storage.default').

    username : str
        The Tapis username for which to check or establish credentials.

    Returns
    -------
    None
        Prints status messages indicating whether credentials were found or established.

    Example
    -------
    establish_tms_credentials(
        tapis, 
        system_id='designsafe.storage.default', 
        username='smazzoni'
    )
    """
    # Silvia Mazzoni, 2025
    # Check whether the user has credentials on the system; if not, create them.
    from tapipy.errors import UnauthorizedError
    print(" -- TMS User Credentials --")
    print('username:',username)
    print('system_id:',system_id)
    try:
        tapis.systems.checkUserCredential(systemId=system_id, userName=username)
        print(f"Found {username}'s system credentials.")
        return
    except UnauthorizedError:
        print(f"User {username} is missing system credentials.")
        system_def = tapis.systems.getSystem(systemId=system_id)
        # Keys are only created for TMS_KEYS systems; do not report success otherwise.
        if system_def.get("defaultAuthnMethod") != "TMS_KEYS":
            print(f"System {system_id} does not use TMS_KEYS; no credentials were created.")
            return
        print("Establishing new credentials")
        tapis.systems.createUserCredential(
            systemId=system_id,
            userName=username,
            createTmsKeys=True,
        )
        print(f"Established {username}'s system credentials.")
    print('-- CREDENTIALS ESTABLISHED SUCCESSFULLY!!! --')
for system_id in systems:
    OpsUtils.establish_tms_credentials(t,system_id,username)
 -- TMS User Credentials --
username: silvia
system_id: stampede3
User silvia is missing system credentials.
Establishing new credentials
Established silvia's system credentials.
-- CREDENTIALS ESTABLISHED SUCCESSFULLY!!! --
 -- TMS User Credentials --
username: silvia
system_id: ls6
User silvia is missing system credentials.
Establishing new credentials
Established silvia's system credentials.
-- CREDENTIALS ESTABLISHED SUCCESSFULLY!!! --
 -- TMS User Credentials --
username: silvia
system_id: frontera
User silvia is missing system credentials.
Establishing new credentials
Established silvia's system credentials.
-- CREDENTIALS ESTABLISHED SUCCESSFULLY!!! --
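
The check-then-create flow above, written as an added example (not part of OpsUtils or tapipy) that returns a status per system and re-checks the credential after creating it, so a success is confirmed rather than assumed. `ensure_tms_credentials`, `FakeSystems` and the authentication methods assigned to each system are assumptions made so the example runs offline; only the three `tapis.systems` calls and `UnauthorizedError` come from the page.

```python
# Added example (not OpsUtils code); FakeSystems and its authn values are constructed.
from types import SimpleNamespace
try:
    from tapipy.errors import UnauthorizedError
except ImportError:  # offline fallback so the example runs without tapipy
    class UnauthorizedError(Exception):
        pass

def ensure_tms_credentials(tapis, system_id, username):
    """Return 'present', 'created', 'unsupported' or 'failed' (hypothetical helper)."""
    try:
        tapis.systems.checkUserCredential(systemId=system_id, userName=username)
        return "present"
    except UnauthorizedError:
        pass
    system_def = tapis.systems.getSystem(systemId=system_id)
    if system_def.get("defaultAuthnMethod") != "TMS_KEYS":
        return "unsupported"  # nothing was created, so do not claim success
    tapis.systems.createUserCredential(
        systemId=system_id, userName=username, createTmsKeys=True)
    try:  # verify that the new credential is actually accepted
        tapis.systems.checkUserCredential(systemId=system_id, userName=username)
        return "created"
    except UnauthorizedError:
        return "failed"

class FakeSystems:
    """Constructed stand-in for tapis.systems, used only to run offline."""
    def __init__(self, authn, have):
        self.authn, self.have = authn, set(have)

    def checkUserCredential(self, systemId, userName):
        if (systemId, userName) not in self.have:
            raise UnauthorizedError("no credential")

    def getSystem(self, systemId):
        return {"defaultAuthnMethod": self.authn[systemId]}

    def createUserCredential(self, systemId, userName, createTmsKeys):
        self.have.add((systemId, userName))

def demo():
    # Constructed sample state: ls6 already has keys, frontera is not TMS_KEYS here.
    fake = SimpleNamespace(systems=FakeSystems(
        {"stampede3": "TMS_KEYS", "ls6": "TMS_KEYS", "frontera": "PKI_KEYS"},
        have=[("ls6", "silvia")]))
    return {s: ensure_tms_credentials(fake, s, "silvia")
            for s in ["stampede3", "ls6", "frontera"]}
```

With a real client, pass the object returned by `OpsUtils.connect_tapis()` instead of the fake and treat any result other than `present` or `created` as a reason to stop before submitting jobs.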