Solved: Change Access Token Owner

ct_27 · ‎11 May 2023

Scenario: An employee creates multiple solution for a department using Dynatrace APIs. This employee used their own ID to create a API Token to be used in all of his solutions. This employee leaves the organization but we need the API Token to continue working and change it's owner.

Is there a way in Dynatrace to change the 'Owner' of an existing API Token?

HigherEd

ChadTurner · ‎11 May 2023

I think that can be done via the API in Environment V2.

-Chad

dannemca · ‎11 May 2023

Unfortunately the PUT Token API is not able to change the Token owner..
https://www.dynatrace.com/support/help/dynatrace-api/environment-api/tokens-v2/api-tokens/put-token
You can rename, enable/disable, add/remove scopes only.

Let's open an idea for that.

Site Reliability Engineer @ Kyndryl

Julius_Loman · ‎14 May 2023

The only proper solution is to rotate the tokens (manually or automatically) or use tokens created by a technical account which won't leave the company.

I don't think changing the ownership is from a security point of view.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

ct_27 · ‎15 May 2023

Thank you everyone for your feedback.

@ChadTurner - I thought so as well but looks like you can for Credential Vault but not for Access Tokens. It is a good tip to know that if you submit a change to a Credential Vault using an Access Token owned by someone else it changes the owner to the person that last edited. This actually causes a problem with our Secret Server process that changes passwords with a robot so no human knows the code, but it causes the robot to take ownership.

@dannemca - it would be a good RFE, but DT will shoot it down for security reasons. I've already had some battles in the Access Token zone with them and have lost every one.

@Julius_Loman - Correct, that's the same findings we've all had I was just hoping i was missing something. Actually the reason we want to do this is for the same security reason you say. A resource developed a few things and since we're not at a corporation security can be a bit more lax here, not discarded, just more lax. We want to move this Access Token to a technical account for security but we can't risk right now breaking the unknowns. So, we wanted to change the owner to fix the situation.

Oh well, thank you everyone for your input. DynaMights rock!!!

The solution: We're going to generate a new token under a technical account and replace what we know, I think we know of all the critical ones. Then deactivate the old account to see what breaks. Hmmm....would be cool if DT maybe provided some audit details on what's been accessing the token over the past 30+ days (cough, cough...that RFE is around here somewhere).

[UPDATE CT_27 6/2/2023] The RFE referenced above was created in Nov. 2022 please Kudo it. Here is the RFE Link

HigherEd

Julius_Loman · ‎15 May 2023

Just a quick note - if it is Dynatrace Managed - you can create such tokens with the built-in admin user. That user will never leave the company 😎

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner

ct_27 · ‎02 Jun 2023

ok, so my situation is worse than expected and it's self inflicted. So, back before Dynatrace had Private Tokens I was the sole admin and created many API Tokens for people to do things and develop applications. We were like 3 days into Dynatrace so we were still learning.

If one day i decide to leave my company I now have a huge issue on my hands. All these important Keys have me as the owner. [NOTE: I'm on SaaS, which unlike Managed doesn't have a special Admin Account]

Dynatrace......is there any way to take these old Tokens and change the ownership? (I'll open a support case now) I'm sharing this in the forum in case others are in a similar situation or can learn from my actions.

HigherEd