1. Add an "admin_token" line to keystone.conf
A shared secret that is normally used to bootstrap Keystone can also be used if you get forgetful with the password. This "token" does not represent a user, and carries no explicit authorization. If set to None, the value is ignored and the `admin_token` log-in mechanism is effectively disabled. To completely disable `admin_token` in production (highly recommended), remove AdminTokenAuthMiddleware from your paste application pipelines (for example, in keystone-paste.ini). (string value)
You will have to add this all back in if resetting a lost password.
[DEFAULT] admin_token = <20_char_string>
2. Export your new "admin_token"
export OS_TOKEN=<20-char-string> export OS_URL=http://YOUR_HOST:35357/v3 export OS_IDENTITY_API_VERSION=3
3. Issue WHATEVER command you want. OpenStack will obey you, so go ahead and issue a new password (or anything else) with that token, you are admin!