cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

API Tokens for integrations

Julius_Loman
Leader

Hi all,

Dynatrace API requires API tokens for access and it is always bound to specific Dynatrace user. Users may leave the organization and API tokens should be revoked

I wonder how others are managing technical accounts? I mean API tokens for connecting 3rd party systems that require API token. So that integrations won't break after someone leaves the organization and his/her account is deleted including tokens.

I can think of creating the API tokens as cluster admin user (Managed only) or create a "technical user account" that will be used solely for the purpose of token management. It is possible to create tokens using API, however, the token for API token management must be bound to a user and so will the newly created tokens.

Just wanted to know your practices to avoid any future pitfalls.

TEMPEST a.s., Slovakia, Dynatrace Master Partner
5 REPLIES 5

Radoslaw_Szulgo
Dynatrace Guru
Dynatrace Guru

Julius, we are working on automatic revoking tokens for users no longer existing in Dynatrace - this would work when using Internal user repository or LDAP (as cluster can query LDAP if user exists). When using SSO it's not that easy.

Anyway, there's REST API for managing users - if you automate that, when a user leaves a company, then you call a REST to cluster, then cluster itself automatically revokes tokens.

What do you think?

Senior Technical Product Manager,
Dynatrace Managed expert

This can be automated already and it's not really what I'm trying to solve. But automatic token revocation will be appreciated.

I'm asking how others are managing the API tokens for integrations. Integration should not bound to a user account or person. Just an example: API token for pushing external events or annotations from a 3rd party system. At the moment you have to create an API token and it will be bound to the user account who created this token of course. If the user gets disabled and with proper security revoking all his/her tokens, the integration will stop working without someone even noticing.

Traditionally this is solved by "technical user accounts" that are solely used for such purpose.

I'm just asking how others are solving this situation and what is their practice. The only solution I can think of would be to create such technical user account in Dynatrace and create all integration tokens with this account.

TEMPEST a.s., Slovakia, Dynatrace Master Partner

In Managed - we are using embedded "admin" account.

Senior Technical Product Manager,
Dynatrace Managed expert

Yes, exactly this was in my first post. Any ideas for SaaS?

A "dedicated" user account (not person related) will be always a solution. Just trying to find out if someone did not come with something more sophisticated.

TEMPEST a.s., Slovakia, Dynatrace Master Partner

We (Dynatrace Admins) are creating API tokens for other teams to use, usually for reading metrics are sending in custom metrics.

The problem is the API tokens are always owned by the person that created the token, not the team that is using it. Therefore, deleting the token when a Dynatrace Admin leaves does not make sense.

We cannot sign on with local admin to create tokens because we have integrated with SSO.

An option in the API to update the owner is needed. (Note, this will almost never be the actual user of the token, but rather the person that created it.) It looks like you can only update the token name in the API. Any admin to view and update any token, this is a big limitation in the UI.

So the situation we are in now is that one of our admins is no longer with the team and all of the tokens he created cannot be updated at all.