Authentication
Our Site Reliability Guardian incorporates the Cloud Automation use cases. To ensure an optimal experience, we recommend upgrading your environment or contacting your account team for assistance.
For more information, see Upgrade from Cloud Automation to Site Reliability Guardian.
Cloud Automation provides its own API. For details, see Keptn API.
To interact with the Dynatrace Cloud Automation API, you can generate an OAuth 2.0 client (recommended), or use the Cloud Automation API token.
OAuth-based Authentication
You can connect third-party integrations to your Cloud Automation instance. To authenticate the integration, the OAuth 2.0 client credentials flow is used.
Make sure that you trust the integration, verify its developers, and check what kind of information the integration is going to access.
Generate an OAuth 2.0 client
To generate an OAuth 2.0 client
- Open Account Management. If you have more than one account, select the account you want to manage.
- Select Identity & access management > OAuth clients.
- Select Create client. Enter a client description and the user email.
- Under Cloud Automation, select at least the following scopes for a typical third-party integration.
- View resources—cloudautomation:resources:read
- View events—cloudautomation:events:read
- Send events—cloudautomation:events:write
- Create and edit logs—cloudautomation:logs:write
- View integrations—cloudautomation:integrations:read
- Create and edit integrations—cloudautomation:integrations:write
- Delete integrations—cloudautomation:integrations:delete
- View secrets—cloudautomation:secrets:read
- Scroll down and select Create client.
- Copy your client ID, client secret, and Dynatrace account URN. These settings are required for the Client credentials flow.
The OAuth 2.0 client cannot have wider permissions than the user who requested the client.
Test the OAuth 2.0 client for retrieving an access token
- Authenticate with your client ID and client secret obtained above to retrieve the access token.
curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token?grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&resource=<YOUR-DYNATRACE-ACCOUNT-URN>&scope=cloudautomation:events:read' \
--header 'Content-Type: application/x-www-form-urlencoded'
- Copy the retrieved access token.
- To request data, run the command below, making sure to replace <YOUR-CLOUD-AUTOMATION-URL> with your Cloud Automation URL and <YOUR-ACCESS-TOKEN> with the previously retrieved access token.
curl --location --request GET 'https://<YOUR-CLOUD-AUTOMATION-URL>/api/controlPlane/v1/event/triggered/sh.keptn.event.approval.triggered' \
--header 'Authorization: Bearer <YOUR-ACCESS-TOKEN>'
Token-based Authentication (deprecated)
In the Cloud Automation UI (bridge), go to your user menu in the upper-right corner and copy the API token, which is used for authenticating API calls.
To access the token, the user needs to be assigned the cloudautomation:metadata:read policy statement. For details about the API, see API.
Migrate to OAuth 2.0-based authentication
Token-based authentication is deprecated. Adapt your integrations to use OAuth 2.0-based authentication instead.
Keptn CLI usage
If you are using the Keptn CLI to communicate with the API, you can use the keptn auth command for OAuth 2.0-based authentication.
Stop using token-based authentication like this.
keptn auth --endpoint=https://<YOUR-CLOUD-AUTOMATION-URL>/api --api-token=<API_TOKEN>
Use the OAuth 2.0-based authentication instead.
keptn auth --oauth \
  --oauth-discovery=https://sso.dynatrace.com/.well-known/openid-configuration \
  --oauth-client-id=dt0s03.dynatrace-cloudautomation-cli-prod \
  --endpoint=https://<YOUR-CLOUD-AUTOMATION-URL>/api \
  --oauth-scopes=cloudautomation:resources:read,cloudautomation:resources:write,cloudautomation:resources:delete,cloudautomation:metadata:read,cloudautomation:events:read,cloudautomation:events:write,cloudautomation:projects:write,cloudautomation:projects:read,cloudautomation:projects:delete,cloudautomation:stages:read,cloudautomation:services:read,cloudautomation:services:write,cloudautomation:services:delete,cloudautomation:secrets:read,cloudautomation:secrets:write,cloudautomation:secrets:delete
CLI usage in automation code
If you are using the Keptn CLI to communicate with the API in automation code, replace this command with HTTP requests using OAuth 2.0-based authentication because the CLI requires user interaction for authentication.
- Create an OAuth 2.0 client.
- Replace the commands using the Keptn CLI with corresponding commands like curl and jq. Replace
keptn auth --endpoint=https://<YOUR-CLOUD-AUTOMATION-URL>/api --api-token=<API_TOKEN>
keptn send event --file=YOUR-FILE.json
with
API_RESULT=$(curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
  --data 'grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&resource=<YOUR-DYNATRACE-ACCOUNT-URN>&scope=cloudautomation:events:read cloudautomation:events:write' \
  --header 'Content-Type: application/x-www-form-urlencoded')

ACCESS_TOKEN=$(jq -r '.access_token' <<<"$API_RESULT")

curl --location --request 'POST' \
  'https://<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event' \
  --header 'accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --data-raw '<EVENT-PAYLOAD>'
These instructions make use of jq, which is a tool to parse a JSON object for deriving the access token. You can use your preferred JSON parser instead.
API interaction in automation code
If you are sending HTTP requests to communicate with the API, you potentially add the x-token header to authenticate the request with the provided token. Please adapt your HTTP requests to leverage OAuth 2.0-based authentication.
- Create an OAuth 2.0 client.
- Replace
curl -X POST "<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event" \
  --header "accept: application/json" \
  --header "x-token: <CLOUD_AUTOMATION_API_TOKEN>" \
  --header "Content-Type: application/json" \
  -d "<EVENT_PAYLOAD>"
with
API_RESULT=$(curl --location --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
  --data 'grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&resource=<YOUR-DYNATRACE-ACCOUNT-URN>&scope=cloudautomation:events:read cloudautomation:events:write' \
  --header 'Content-Type: application/x-www-form-urlencoded')

ACCESS_TOKEN=$(jq -r '.access_token' <<<"$API_RESULT")

curl --location --request 'POST' \
  'https://<YOUR-CLOUD-AUTOMATION-URL>/api/v1/event' \
  --header 'accept: application/json' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --data-raw '<EVENT-PAYLOAD>'
These instructions make use of jq, which is a tool to parse a JSON object for deriving the access token. You can use your preferred JSON parser instead.
Integration with open-source connector (distributor)
If you are integrating an external tool using the distributor component, you potentially use token-based authentication. Adapt the deployment manifest (Helm Chart) of the distributor component to leverage OAuth 2.0-based authentication.
- Create an OAuth 2.0 client.
- Select the following scopes.
- Read resources—cloudautomation:resources:read
- Read events—cloudautomation:events:read
- Send events—cloudautomation:events:write
- Write/Edit logs—cloudautomation:logs:write
- Read integrations—cloudautomation:integrations:read
- Write/Edit integrations—cloudautomation:integrations:write
- Delete integrations—cloudautomation:integrations:delete
- Read secrets—cloudautomation:secrets:read
- Remove the token.
remoteControlPlane:
  api:
    token: ""
- Set clientID, clientSecret, discovery, tokenURL, and scopes.
distributor:
  config:
    oauth:
      clientID: "<YOUR-CLIENT-ID>"
      clientSecret: "<YOUR-CLIENT-SECRET>"
      discovery: "https://sso.dynatrace.com/.well-known/openid-configuration"
      tokenURL: "https://sso.dynatrace.com/sso/oauth2/token"
      scopes: "<LIST-OF-SCOPES>"