
Nova policy does not permit novaobserver to view an instance's security groups
Closed, Duplicate (Public)

Description

Despite the Neutron API allowing us to view the security groups a project has defined as their rules, the Nova API doesn't let us see which instances have which security groups:

>>> novaclient.Client("2.0", session=get_keystone_session('deployment-prep')).servers.list()[0].list_security_group()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/novaclient/v2/servers.py", line 481, in list_security_group
    return self.manager.list_security_group(self)
  File "/usr/lib/python2.7/dist-packages/novaclient/v2/servers.py", line 1583, in list_security_group
    security_groups.SecurityGroup)
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 242, in _list
    resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 173, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 94, in request
    raise exceptions.from_response(resp, body, url, method)
novaclient.exceptions.Forbidden: Policy doesn't allow os_compute_api:os-security-groups to be performed. (HTTP 403) (Request-ID: req-2a00537c-a54e-47cd-b7b8-9878e9e3d144)