This guide shows you how to create an OAuth client for use with Dynatrace Configuration as Code via Monaco.
Go to Account Management.
Select Identity & access management > OAuth clients.
Select Create client.
Enter the email address of the user who owns the client.
Enter a description of the new client.
Select the required scopes.
Each available type of Platform configuration requires specific OAuth scopes. For details, see Monaco API support and access permission handling.
Generally, OAuth client credentials for the Dynatrace Monaco CLI should have these scopes:
| Purpose | Scopes |
|---|---|
| Access Platform metadata like Classic URLs and version information | app-engine:apps:run |
| Manage Settings 2.0 objects and its all-users permission | settings:objects:read, settings:objects:write |
| View Settings 2.0 schemas | settings:schemas:read |
| Manage automation workflows | automation:workflows:read, automation:workflows:write, automation:calendars:read, automation:calendars:write, automation:rules:read, automation:rules:write |
| Access all Automation Workflows1 | automation:workflows:admin |
| Manage Grail buckets | storage:bucket-definitions:read, storage:bucket-definitions:write, storage:bucket-definitions:delete |
| Manage documents | document:documents:read, document:documents:write, document:documents:delete, document:trash.documents:delete |
| Manage OpenPipelines2 | openpipeline:configurations:read, openpipeline:configurations:write |
| Manage segments | storage:filter-segments:read, storage:filter-segments:write, storage:filter-segments:delete, storage:filter-segments:admin |
| Manage Service-Level Objectives (SLOs) | slo:slos:read, slo:slos:write |
To use the automation:workflows:admin scope, you need to create a custom policy granting that scope, bind a group to it, and assign your user to that group in Account Management before creating the OAuth client. For detailed information on managing policies, see Manage IAM policies.
To manage OpenPipeline configurations, ensure that the user belongs to a group with the policy Data Processing and Storage assigned to it before creating the OAuth client.
Select Create client.
Copy the generated client ID and secret and store them in a safe place.
You can only access your client secret once upon creation. You can't reveal it afterward.
In addition to the scopes available to the OAuth client, permissions can be further limited via policies applied to the user's groups.
For details on how permissions can be controlled, see Working with policies.
To ensure that your OAuth client works as intended, verify that the service user's groups grant the same scopes as the OAuth client you have created for all environments you want to use it with.