Despite the Neutron API allowing us to view the security groups a project has defined as their rules, the Nova API doesn't let us see which instances have which security groups:
>>> novaclient.Client("2.0", session=get_keystone_session('deployment-prep')).servers.list()[0].list_security_group()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/novaclient/v2/servers.py", line 481, in list_security_group
    return self.manager.list_security_group(self)
  File "/usr/lib/python2.7/dist-packages/novaclient/v2/servers.py", line 1583, in list_security_group
    security_groups.SecurityGroup)
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 242, in _list
    resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 173, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 94, in request
    raise exceptions.from_response(resp, body, url, method)
novaclient.exceptions.Forbidden: Policy doesn't allow os_compute_api:os-security-groups to be performed. (HTTP 403) (Request-ID: req-2a00537c-a54e-47cd-b7b8-9878e9e3d144)