Comment 3 for bug 1721003

Rob Crittenden (rcritten) wrote :

I guess it depends on what operations you want the novajoin user to be able to perform.

In the broadest case you could create a new role in IPA and add the privilege 'Vault Administrators' and assign the nova service principal. I think this should do it:

$ ipa role-add 'Vault Access'
$ ipa role-add-privilege 'Vault Access' --privilege 'Vault Administrators'
$ ipa role-add-member 'Vault Access' --service nova/undercloud.example.com

This would allow the nova keytab to manage vaults.

If you wanted to limit the operations you'd need to create a more targeted privilege and add that to some role.