Access tokens and permissions

Access tokens are used to authenticate and authorize API calls, ensuring that only authorized services can interact with your Dynatrace environment. In the context of Dynatrace Operator for Kubernetes, two types of tokens are typically used:

  • Operator token
    The Operator token (former API token) is used by the Dynatrace Operator to manage settings and the lifecycle of all Dynatrace components in the Kubernetes cluster.

  • Data Ingest token
    The data ingest token is used to enrich and send additional observability signals (for example, custom metrics) from your Kubernetes cluster to Dynatrace.

Create token

Repeat the following steps for both the Operator and Data Ingest tokens.

  1. Go to Access Tokens.
  2. Select Generate new token.
  3. Provide a meaningful name for the token.
  4. Enable the required permissions for the token.
    1. For the Operator token, select the template in Template > Kubernetes: Dynatrace Operator. This will automatically add the required scopes (see Operator token)
    2. For the Data Ingest token, select the template in Template > Kubernetes: Data Ingest. This will automatically add the required scopes (see Data Ingest token)
  5. Select Generate token to create the token.
  6. Ensure to copy the token and store it in a secure place.

Token Scopes

Operator token

The Operator token requires the following scopes:

Scope
Usage
Minimum DTO version
PaaS - Installer (Installer download)
Manages OneAgent and ActiveGate lifecycle.
Any version
Access problem and event feed, metrics, and topology (API v1 - DataExport)
Notifies the Dynatrace Cluster of graceful shutdown.
Any version
Read settings (API v2 - settings.read)
Manage the ActiveGate object for Kubernetes API monitoring.
0.4.0+
Write settings (API v2 - settings.write)
Manage the ActiveGate object for Kubernetes API monitoring.
0.4.0+
Read entities (API v2 - entities.read)
Checks if the ActiveGate object exists for Kubernetes API monitoring.
0.4.0+
Create ActiveGate token (API v2 - activeGateTokenManagement.create)
Creates an authentication token for your ActiveGate to connect to the Dynatrace Cluster.1
0.9.0+
1

The token is rotated by Dynatrace Operator every 30 days. When an authentication token is rotated, the affected ActiveGate is automatically deleted and redeployed.

Data ingest token

Recommended token scopes:

Scope
Usage
Minimum DTO version
Ingest metrics (API v2 - metrics.ingest)
Enables metadata enrichment for custom metrics.
0.4.0+
Ingest logs (API v2 - logs.ingest)
Send logs through Log Monitoring API v2.
0.4.0+
Ingest OpenTelemetry traces (API v2 - openTelemetryTrace.ingest)
Send OpenTelemetry traces to Dynatrace
0.4.0+

Related topics