
Service User for secure API automation

mark_bley
Dynatrace Champion

Service users in Dynatrace are special types of users created to enable automated access to the Dynatrace API. Unlike regular users, service users are not associated with a person but are used by systems or applications (e.g., CI/CD tools or monitoring scripts) that need to interact with Dynatrace programmatically. These users are assigned permissions through groups and policies, and they authenticate using OAuth client credentials (client ID and secret). This setup allows secure, automated, and controlled access to Dynatrace resources. 

Follow these steps to generate a user for secure automation:

Create a service user through the account management page. A service user needs a name, e.g., one that describes the function it is supposed to perform.


After creating the service user, assign it to a group.

-> Edit the service user and, as usual, assign a group that contains the necessary permissions, as if it were a normal user.


(Copy the service user email to the clipboard.)


Create an OAuth client for the service user. We will use this client for environment token creation and automation.


Enter the service user email as the subject user email.


Assign at least the following permissions to the OAuth client: environment-api:api-tokens:write, environment-api:api-tokens:read, environment-api:deployment:download

Then request a bearer token with the client ID and secret:

curl --location 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=dt0s02.NEHYTCAK' \
--data-urlencode 'client_secret=dt0s02.NEHYTCAK.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--data-urlencode 'resource=urn:dtaccount:456bce5cxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
--data-urlencode 'scope=environment-api:api-tokens:write environment-api:api-tokens:read'

 

Then generate the Environment API token using the bearer token:

curl --location 'https://<tenant_app_url>/platform/classic/environment-api/v2/apiTokens' \
--header 'Authorization: Bearer xxxxxxxx' \
--header 'Content-Type: application/json' \
--data '{
  "expirationDate": "now+14d",
  "name": "tokenName",
  "personalAccessToken": false,
  "scopes": [
    "metrics.read"
  ]
}'
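
The two calls above chained into one script, as an added example that is not part of the original post. It passes the client secret and the bearer token to curl through a config on stdin, so neither appears in the process list or shell history. The environment variable names (DT_CLIENT_ID, DT_CLIENT_SECRET, DT_ACCOUNT_URN, DT_TENANT_URL with its https:// scheme), the helper function names and the script name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumed env vars:
# DT_CLIENT_ID, DT_CLIENT_SECRET, DT_ACCOUNT_URN, DT_TENANT_URL.
SSO_URL='https://sso.dynatrace.com/sso/oauth2/token'
SCOPES='environment-api:api-tokens:write environment-api:api-tokens:read'

# Pull one string field out of a flat JSON object on stdin (no jq needed).
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Build the apiTokens request body: $1=name, $2=expiration, $3..=scopes.
api_token_payload() {
  local name=$1 exp=$2 scopes
  shift 2
  scopes=$(printf '"%s",' "$@")
  printf '{"expirationDate":"%s","name":"%s","personalAccessToken":false,"scopes":[%s]}' \
    "$exp" "$name" "${scopes%,}"
}

# Step 1: client-credentials grant. The secret goes to curl as config on
# stdin (printf is a shell builtin), so it never shows up in the process list.
get_bearer() {
  printf 'data-urlencode = "client_secret=%s"\n' "$DT_CLIENT_SECRET" |
    curl --silent --fail --config - "$SSO_URL" \
      --data-urlencode 'grant_type=client_credentials' \
      --data-urlencode "client_id=$DT_CLIENT_ID" \
      --data-urlencode "resource=$DT_ACCOUNT_URN" \
      --data-urlencode "scope=$SCOPES" | json_field access_token
}

# Step 2: create the environment API token: $1=bearer, then payload args.
# Assumes the response JSON carries the new secret in a "token" field.
create_api_token() {
  local bearer=$1
  shift
  printf 'header = "Authorization: Bearer %s"\n' "$bearer" |
    curl --silent --fail --config - \
      "$DT_TENANT_URL/platform/classic/environment-api/v2/apiTokens" \
      --header 'Content-Type: application/json' \
      --data "$(api_token_payload "$@")" | json_field token
}

# Runs only when called as: ./dt-token.sh run
if [ "${1:-}" = "run" ]; then
  bearer=$(get_bearer) && [ -n "$bearer" ] || { echo 'no bearer' >&2; exit 1; }
  create_api_token "$bearer" tokenName now+14d metrics.read
fi
```

The script prints the new API token on stdout; pipe it straight into the pipeline's secret store rather than a log.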


 
