Monaco API support and access permission handling

  • Latest Dynatrace
  • Reference
  • 1-min read

Dynatrace offers different options to authenticate API calls. Dynatrace Monaco supports the following authentication options:

  • Platform tokens
  • OAuth clients

For details about Dynatrace Identity and Access Management (including platform tokens,API tokens, and OAuth clients), see Tokens and OAuth clients.

Create a platform token for the Dynatrace Monaco CLI

To create a platform token, follow the steps described in Create a platform token for the Dynatrace Monaco CLI. Each available type of platform configuration requires specific OAuth scopes.

Create an OAuth client for the Dynatrace Monaco CLI

To create an OAuth client, follow the steps described in Create an OAuth2 client.

Each available type of platform configuration requires specific OAuth scopes.

To use the automation:workflows:admin scope, you need to do the following before creating the OAuth client.

  1. Create a custom policy granting that scope.
  2. Bind a group to it.
  3. Assign your user to that group.

For detailed information on managing policies, see IAM policy reference.

To manage OpenPipeline configurations, ensure that the user belongs to a group with the policy Data Processing and Storage assigned to it. Do this before creating the OAuth client.

In addition to the scopes available to the OAuth client, permissions can be further limited via policies applied to the user's groups.

When working with a service user, ensure the service user's permissions match the OAuth scopes for all environments. For details on how permissions can be controlled, see Working with policies.

To use your OAuth client:

  1. Follow the instructions for your operating system or CI/CD tool on how to make the client ID and secret available as environment variables.
  2. Reference the environment variables you have created in the OAuth section of your manifest file
  3. Dynatrace Monaco CLI will request OAuth access tokens using your client credentials to make authenticated API calls.

API coverage

Dynatrace Monaco supports the following configuration types:

  • Settings 2.0
  • Configuration APIs
  • Platform APIs

The specific configuration types are defined in the Monaco configuration YAML file.

Settings 2.0

Settings 2.0 resources require a classic Dynatrace API access token or OAuth credentials.

The Dynatrace Monaco CLI provides general support for any Settings 2.0 schema available in your environment. For information about schemas, see Settings 2.0 - Available schemas.

For latest Dynatrace, you will need the following OAuth scopes.

PurposeScope
Manage Settings 2.0 objects and its all-users permissionsettings:objects:read, settings:objects:write
View Settings 2.0 schemassettings:schemas:read

For classic Dynatrace, you will need the following OAuth scopes.

PurposeScope
Manage Settings 2.0 objects and its all-users permissionsettings.read, settings.write

Supported platform API types

The Dynatrace platform provides a collection of platform services, each with a specific area of responsibility. OAuth credentials are required to target platform APIs.

The Dynatrace Monaco CLI provides support for Dynatrace platform API types as described in the table below.

Platform serviceConfiguration typeEndpointOAuth client permissionsMonaco CLI version

Automation

business-calendars

/platform/automation/v1/business-calendars

automation:calendars:read, automation:calendars:write

2.6.0+

scheduling-rules

/platform/automation/v1/scheduling-rules

automation:rules:read, automation:rules:write

2.6.0+

workflows

/platform/automation/v1/workflow

automation:workflows:read, automation:workflows:write

2.6.0+

Grail–-storage management

buckets

/platform/storage/management/v1/bucket-definitions

storage:bucket-definitions:read, storage:bucket-definitions:write, storage:bucket-definitions:delete

2.9.0+

Documents (Dashboards, Notebooks, Launchpads)

documents

/platform/document/v1/documents

document:documents:write, document:documents:read, document:documents:delete, document:trash.documents:delete

2.15.0+

OpenPipeline

openpipelines

/platform/openpipeline/v1/configurations

openpipeline:configurations:read, openpipeline:configurations:write

2.15.0+

Grail

segment

/platform/storage/filter-segments/v1/filter-segments

storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete, storage:filter-segments:admin

2.19.0+

SLOs

slo-v2

/platform/slo/v1/slos

slo:slos:read, slo:slos:write, slo:objective-templates:read

2.22.0+

Account Management permissions

To manage account resources, such as user management or policy handling, OAuth credentials require the following permissions:

  • account-idm-read
  • account-idm-write
  • account-env-read
  • account-env-write
  • iam-policies-management
  • iam:policies:write
  • iam:policies:read
  • iam:bindings:write
  • iam:bindings:read
  • iam:boundaries:read
  • iam:boundaries:write

Supported Configuration API types

Configuration via the Configuration API requires an API access token. Dynatrace Monaco CLI provides support for most Configuration APIs, as described in the table below. This table provides:

  • The supported configuration types.
  • Their API endpoints.
  • The access token permissions that are required to interact with any endpoint.

Note that most Configuration APIs are deprecated in favor of Settings 2.0, see Settings 2.0.

Configuration type

Constraints

Endpoint and access permission

alerting-profile

Settings API Problem alerting profiles schema: builtin:alerting.profile

RUM: allowed-beacon-origins

anomaly-detection-applications

anomaly-detection-aws

anomaly-detection-database-services

anomaly-detection-disks

anomaly-detection-hosts

anomaly-detection-metrics

Settings API Metric events schema: builtin:anomaly-detection.metric-events

anomaly-detection-services

anomaly-detection-vmware

app-detection-rule

app-detection-rule-host

application-web

application-mobile

auto-tag

Settings API Automatically applied tags schema: builtin:tags.auto-tagging

aws-credentials

It can't be downloaded.

azure-credentials

It can't be downloaded.

calculated-metrics-application-mobile

calculated-metrics-application-web

calculated-metrics-log

Settings API with SchemaID builtin:logmonitoring.schemaless-log-metric.

calculated-metrics-service

calculated-metrics-synthetic

conditional-naming-host

conditional-naming-processgroup

conditional-naming-service

content-resources

credential-vault

It can't be downloaded.

custom-service-java

custom-service-dotnet

custom-service-go

custom-service-nodejs

custom-service-php

Dashboard Classic

dashboard-share-settings classic

data-privacy

extension

It can't be downloaded.

extension-elasticsearch

failure-detection-parametersets

failure-detection-rules

frequent-issue-detection

Settings API with builtin:anomaly-detection.frequent-issues schema

geo-ip-address-mappings

geo-ip-detection-headers

hosts-auto-update

key-user-actions-mobile

key-user-actions-web

kubernetes-credentials

It can't be downloaded.

Settings API with Settings API - Connection settings schema table builtin:cloud.kubernetes and Settings API - Monitoring settings schema table builtin:cloud.kubernetes.monitoring schemas

maintenance-window

Settings API with the Maintenance windows builtin:alerting.maintenance-window schema

management-zone

Settings API with the Problem notifications builtin:problem.notifications schema

network-zone Dynatrace Monaco CLI version 2.10.0+

notification

Settings API with Problem notifications builtin:problem.notifications schema

reports

request-attributes

request-naming-service

slo classic

service-detection-full-web-request

service-detection-full-web-service

service-detection-opaque-web-request

service-detection-opaque-web-service

service-resource-naming

Services configuration API /api/config/v1/service/resourceNaming

synthetic-location

synthetic-monitor

user-action-and-session-properties-mobile

Related tags
Software Delivery