Authentication

Upgrade to Site Reliability Guardian & Workflows

Our Site Reliability Guardian & Workflows incorporate the Cloud Automation use cases. As Cloud Automation support will be discontinued on December 31, 2024, we recommend a timely Upgrade from Cloud Automation to Site Reliability Guardian. Please contact your account team for additional information and assistance.

Cloud Automation provides its own API. For details, see Keptn API.

To interact with the Dynatrace Cloud Automation API, you can generate an OAuth 2.0 client (recommended), or use the Cloud Automation API token.

OAuth-based Authentication

You can connect third-party integrations to your Cloud Automation instance. To authenticate the integration, the OAuth 2.0 client credentials flow is used.

Make sure that you trust the integration, verify its developers, and check what kind of information the integration is going to access.

Generate an OAuth 2.0 client

To generate an OAuth 2.0 client

Go to Account Management. If you have more than one account, select the account you want to manage.
Select Identity & access management > OAuth clients.
Select Create client.
Enter a client description and the user email.
Under Cloud Automation, select at least the following scopes for a typical third-party integration.
- View resources—cloudautomation:resources:read
- View events—cloudautomation:events:read
- Send events—cloudautomation:events:write
- Create and edit logs—cloudautomation:logs:write
- View integrations—cloudautomation:integrations:read
- Create and edit integrations—cloudautomation:integrations:write
- Delete integrations—cloudautomation:integrations:delete
- View secrets—cloudautomation:secrets:read
Scroll down and select Create client.
Copy your client ID, client secret, and Dynatrace account URN. These settings are required for the Client credentials flow.

The OAuth 2.0 client cannot have wider permissions than the user who requested the client.

Test the OAuth 2.0 client for retrieving an access token

Authenticate with your client ID and client secret obtained above to retrieve the access token.

curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token?grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&resource=<YOUR-DYNATRACE-ACCOUNT-URN>&scope=cloudautomation:events:read' \
--header 'Content-Type: application/x-www-form-urlencoded'

Copy the retrieved access token.

To request data, run the command below, making sure to replace:

<YOUR-CLOUD-AUTOMATION-URL> with your Cloud Automation URL.
<YOUR-ACCESS-TOKEN> with the previously retrieved access token.

curl --location --request GET 'https://<YOUR-CLOUD-AUTOMATION-URL>/api/controlPlane/v1/event/triggered/sh.keptn.event.approval.triggered' \
--header 'Authorization: Bearer <YOUR-ACCESS-TOKEN>'

Authenticate with your client ID and client secret obtained above to retrieve the access token.

$Body = @{
   grant_type = 'client_credentials'
   client_id = '<YOUR-CLIENT-ID>'
   client_secret = '<YOUR-CLIENT-SECRET>'
   resource = '<YOUR-DYNATRACE-ACCOUNT-URN>'
   scope = 'cloudautomation:events:read'
}
$ContentType = 'application/x-www-form-urlencoded'
$Uri = 'https://sso.dynatrace.com/sso/oauth2/token'
Invoke-WebRequest -Method POST -Uri $Uri -Body $Body -ContentType $ContentType | ConvertFrom-Json

Copy the retrieved access token.

To request data, run the command below, making sure to replace:

<YOUR-CLOUD-AUTOMATION-URL> with your Cloud Automation URL.
<YOUR-ACCESS-TOKEN> with the previously retrieved access token.

$Headers = @{
   'Authorization' = 'Bearer <YOUR-ACCESS-TOKEN>'
}
$Uri = 'https://<YOUR-CLOUD-AUTOMATION-URL>/api/controlPlane/v1/event/triggered/sh.keptn.event.approval.triggered'
Invoke-WebRequest -Uri $Uri -Headers $Headers

Token-based Authentication (deprecated)

In the Cloud Automation UI (bridge), go to your user menu in the upper-right corner and copy the API token, which is used for authenticating API calls.

To access the token, the user needs to be assigned the cloudautomation:metadata:read policy statement. For details about the API, see API.

Migrate to OAuth 2.0-based authentication

Token-based authentication is deprecated. Adapt your integrations to use OAuth 2.0-based authentication instead.

API interaction in automation code

If you are sending HTTP requests to communicate with the API, you potentially add the x-token header to authenticate the request with the provided token. Please adapt your HTTP requests to leverage OAuth 2.0-based authentication.

Create an OAuth 2.0 client.

Replace

curl -X POST "<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event" \
--header "accept: application/json" \
--header "x-token: <CLOUD_AUTOMATION_API_TOKEN>" \
--header "Content-Type: application/json" \
-d "<EVENT_PAYLOAD>"

with

API_RESULT=$(curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
  --data 'grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&resource=<YOUR-DYNATRACE-ACCOUNT-URN>&scope=cloudautomation:events:read cloudautomation:events:write' \
  --header 'Content-Type: application/x-www-form-urlencoded')

ACCESS_TOKEN=$(jq -r '.access_token' <<<"$API_RESULT")

curl --location --request 'POST' \
  'https://<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event' \
  --header 'accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --data-raw '<EVENT-PAYLOAD>'

These instructions make use of jq, which is a tool to parse a JSON object for deriving the access token. You can use your preferred JSON parser instead.

Create an OAuth 2.0 client.

Replace

$Headers = @{
   'accept' = 'application/json'
   'Content-Type' = 'application/json'
   'x-token' = '<CLOUD_AUTOMATION_API_TOKEN>'
}
$Body = @'
   <EVENT-PAYLOAD-JSON>
'@
$Uri = 'https://<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event'
Invoke-WebRequest -Method POST -Uri $Uri -Body $Body -Headers $Headers

with

$Body = @{
   grant_type = 'client_credentials'
   client_id = '<YOUR-CLIENT-ID>'
   client_secret = '<YOUR-CLIENT-SECRET>'
   resource = '<YOUR-DYNATRACE-ACCOUNT-URN>'
   scope = 'cloudautomation:events:read cloudautomation:events:write'
}
$ContentType = 'application/x-www-form-urlencoded'
$Uri = 'https://sso.dynatrace.com/sso/oauth2/token'
$tokenResponse = Invoke-WebRequest -Method POST -Uri $Uri -Body $Body -ContentType $ContentType | ConvertFrom-Json

$Headers = @{
   'accept' = 'application/json'
   'Content-Type' = 'application/json'
   'Authorization' = 'Bearer ' + $tokenResponse.access_token
}
$Body = @'
   <EVENT-PAYLOAD-JSON>
'@
$Uri = 'https://<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event'
Invoke-WebRequest -Method POST -Uri $Uri -Body $Body -Headers $Headers