https://community.dynatrace.com/t5/Dynatrace-tips/Service-User-for-secure-API-automation/m-p/277471#M1645 <P><SPAN class=""><SPAN class="">Service users in Dynatrace are special types of users created to enable automated access to the Dynatrace API. Unlike regular users, service users are not associated with a person but are used by systems or applications (e.g., CI/CD tools or monitoring scripts) that need to interact with Dynatrace programmatically. These users are assigned permissions through groups and policies, and they authenticate using OAuth client credentials (client ID and secret). This setup allows secure, automated, and controlled access to Dynatrace resources.</SPAN></SPAN><SPAN class="">&nbsp;</SPAN></P><P><SPAN class="">Follow this steps to generate a user for secure automations:</SPAN></P><P><SPAN class=""><SPAN>Create a service user. Through the account management page (a service user needs a name, e.g., what function they are supposed to perform).</SPAN></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_0-1747646756497.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28063i362C29E509843E62/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_0-1747646756497.png" alt="mark_bley_0-1747646756497.png" /></span></P><P><SPAN>After creating the service user, assign the service user to a group</SPAN></P><P><SPAN>-&gt; Edit service user and, as usual, assign a group that contains the necessary permissions as if it were a normal user.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_1-1747646811382.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28064i42D42E2465F2597A/image-size/medium?v=v2&amp;px=400" role="button" title="mark_bley_1-1747646811382.png" alt="mark_bley_1-1747646811382.png" /></span></P><P><SPAN>(Save the service user email to clipboard)</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_2-1747646839843.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28065i70E6182152F10329/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_2-1747646839843.png" alt="mark_bley_2-1747646839843.png" /></span></P><P><SPAN>Create an OAuth client using the service user that we will use for environment token creation and automation</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_3-1747646921340.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28066i83C1AD0AD220C0B5/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_3-1747646921340.png" alt="mark_bley_3-1747646921340.png" /></span></P><P><SPAN>Enter the service user email as the subject user email.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_4-1747647010247.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28067iBE1DF26832CDBD99/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_4-1747647010247.png" alt="mark_bley_4-1747647010247.png" /></span></P><P>Assign at least following permissions to the OAuth client: <SPAN>environment-api:api-tokens:write</SPAN>&nbsp;,&nbsp;<SPAN>environment-api:api-tokens:read</SPAN>&nbsp;,&nbsp;environment-api:deployment:download</P><LI-CODE lang="markup">curl --location 'https://sso.dynatrace.com/sso/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=dt0s02.NEHYTCAK' \ --data-urlencode 'client_secret=dt0s02.NEHYTCAK.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ --data-urlencode 'resource=urn:dtaccount:456bce5cxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ --data-urlencode 'scope=environment-api:api-tokens:write environment-api:api-tokens:read'</LI-CODE><P>&nbsp;</P><P><SPAN>Then generate the Environment API token using the bearer</SPAN></P><LI-CODE lang="markup">curl --location 'https://&lt;tenant_app_url&gt;/platform/classic/environment-api/v2/apiTokens' \ --header 'Authorization: Bearer xxxxxxxx' \ --header 'Content-Type: application/json' \ --data '{ "expirationDate": "now+14d", "name": "tokenName", "personalAccessToken": false, "scopes": [ "metrics.read" ] }'</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_5-1747647203484.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28068iE701F5CD7D60884E/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_5-1747647203484.png" alt="mark_bley_5-1747647203484.png" /></span></P><P>&nbsp;</P> Tue, 20 May 2025 08:14:15 GMT mark_bley 2025-05-20T08:14:15Z https://community.dynatrace.com/t5/Dynatrace-tips/Service-User-for-secure-API-automation/m-p/277471#M1645 <P><SPAN class=""><SPAN class="">Service users in Dynatrace are special types of users created to enable automated access to the Dynatrace API. Unlike regular users, service users are not associated with a person but are used by systems or applications (e.g., CI/CD tools or monitoring scripts) that need to interact with Dynatrace programmatically. These users are assigned permissions through groups and policies, and they authenticate using OAuth client credentials (client ID and secret). This setup allows secure, automated, and controlled access to Dynatrace resources.</SPAN></SPAN><SPAN class="">&nbsp;</SPAN></P><P><SPAN class="">Follow this steps to generate a user for secure automations:</SPAN></P><P><SPAN class=""><SPAN>Create a service user. Through the account management page (a service user needs a name, e.g., what function they are supposed to perform).</SPAN></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_0-1747646756497.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28063i362C29E509843E62/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_0-1747646756497.png" alt="mark_bley_0-1747646756497.png" /></span></P><P><SPAN>After creating the service user, assign the service user to a group</SPAN></P><P><SPAN>-&gt; Edit service user and, as usual, assign a group that contains the necessary permissions as if it were a normal user.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_1-1747646811382.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28064i42D42E2465F2597A/image-size/medium?v=v2&amp;px=400" role="button" title="mark_bley_1-1747646811382.png" alt="mark_bley_1-1747646811382.png" /></span></P><P><SPAN>(Save the service user email to clipboard)</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_2-1747646839843.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28065i70E6182152F10329/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_2-1747646839843.png" alt="mark_bley_2-1747646839843.png" /></span></P><P><SPAN>Create an OAuth client using the service user that we will use for environment token creation and automation</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_3-1747646921340.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28066i83C1AD0AD220C0B5/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_3-1747646921340.png" alt="mark_bley_3-1747646921340.png" /></span></P><P><SPAN>Enter the service user email as the subject user email.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_4-1747647010247.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28067iBE1DF26832CDBD99/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_4-1747647010247.png" alt="mark_bley_4-1747647010247.png" /></span></P><P>Assign at least following permissions to the OAuth client: <SPAN>environment-api:api-tokens:write</SPAN>&nbsp;,&nbsp;<SPAN>environment-api:api-tokens:read</SPAN>&nbsp;,&nbsp;environment-api:deployment:download</P><LI-CODE lang="markup">curl --location 'https://sso.dynatrace.com/sso/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=client_credentials' \ --data-urlencode 'client_id=dt0s02.NEHYTCAK' \ --data-urlencode 'client_secret=dt0s02.NEHYTCAK.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ --data-urlencode 'resource=urn:dtaccount:456bce5cxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \ --data-urlencode 'scope=environment-api:api-tokens:write environment-api:api-tokens:read'</LI-CODE><P>&nbsp;</P><P><SPAN>Then generate the Environment API token using the bearer</SPAN></P><LI-CODE lang="markup">curl --location 'https://&lt;tenant_app_url&gt;/platform/classic/environment-api/v2/apiTokens' \ --header 'Authorization: Bearer xxxxxxxx' \ --header 'Content-Type: application/json' \ --data '{ "expirationDate": "now+14d", "name": "tokenName", "personalAccessToken": false, "scopes": [ "metrics.read" ] }'</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mark_bley_5-1747647203484.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/28068iE701F5CD7D60884E/image-size/large?v=v2&amp;px=999" role="button" title="mark_bley_5-1747647203484.png" alt="mark_bley_5-1747647203484.png" /></span></P><P>&nbsp;</P> Tue, 20 May 2025 08:14:15 GMT https://community.dynatrace.com/t5/Dynatrace-tips/Service-User-for-secure-API-automation/m-p/277471#M1645 mark_bley 2025-05-20T08:14:15Z