Access tokens and permissions
Access tokens are used to authenticate and authorize API calls, ensuring that only authorized services can interact with your Dynatrace environment. In the context of Dynatrace Operator for Kubernetes, two types of tokens are typically used:
-
Operator token
The Operator token (former API token) is used by the Dynatrace Operator to manage settings and the lifecycle of all Dynatrace components in the Kubernetes cluster. -
Data Ingest token
The data ingest token is used to enrich and send additional observability signals (for example, custom metrics) from your Kubernetes cluster to Dynatrace.
Create token
Repeat the following steps for both the Operator and Data Ingest tokens.
- Go to Access Tokens.
- Select Generate new token.
Provide a meaningful name for the token.
- Enable the required permissions for the token.
- For the Operator token, select the template in Template > Kubernetes: Dynatrace Operator. This will automatically add the required scopes (see Operator token)
- For the Data Ingest token:
- Ingest metrics (
metrics.ingest) - Ingest log (
logs.ingest) - Ingest events (
events.ingest)
- Ingest metrics (
- Select Generate token to create the token.
Ensure to copy the token and store it in a secure place.
Token Scopes
Operator token
The Operator token requires the following scopes:
| Scope | Usage | Minimum DTO version |
|---|---|---|
PaaS - Installer (Installer download) | Manages OneAgent and ActiveGate lifecycle. | Any version |
Access problem and event feed, metrics, and topology (API v1 - DataExport) | Notifies the Dynatrace Cluster of graceful shutdown. | Any version |
Read settings (API v2 - settings.read) | Manage the ActiveGate object for Kubernetes API monitoring. | 0.4.0+ |
Write settings (API v2 - settings.write) | Manage the ActiveGate object for Kubernetes API monitoring. | 0.4.0+ |
Read entities (API v2 - entities.read) | Checks if the ActiveGate object exists for Kubernetes API monitoring. | 0.4.0+ |
Create ActiveGate token (API v2 - activeGateTokenManagement.create) | Creates an authentication token for your ActiveGate to connect to the Dynatrace Cluster.1 | 0.9.0+ |
1 The token is rotated by Dynatrace Operator every 30 days. When an authentication token is rotated, the affected ActiveGate is automatically deleted and redeployed. |
Data ingest token
Recommended token scopes:
| Scope | Usage | Minimum DTO version |
|---|---|---|
Ingest metrics (API v2 - metrics.ingest) | Enables metadata enrichment for custom metrics. | 0.4.0+ |
Ingest logs (API v2 - logs.ingest) | Send logs through Log Monitoring API v2. | 0.4.0+ |
Ingest events (API v2 - events.ingest) | Send business events to Dynatrace | 0.4.0+ |