LogoLogo
StackState.comDownloadSupportExplore playground
SUSE Observability
SUSE Observability
  • SUSE Observability docs!
  • Docs for all SUSE Observability products
  • 🚀Get started
    • Quick start guide
    • SUSE Observability walk-through
    • SUSE Rancher Prime
      • Air-gapped
      • Agent Air-gapped
    • SUSE Cloud Observability
  • 🦮Guided troubleshooting
    • What is guided troubleshooting?
    • YAML Configuration
    • Changes
    • Logs
  • 🚨Monitors and alerts
    • Monitors
    • Out of the box monitors for Kubernetes
    • Notifications
      • Configure notifications
      • Notification channels
        • Slack
        • Teams
        • Webhook
        • Opsgenie
      • Troubleshooting
    • Customize
      • Add a monitor using the CLI
      • Derived State monitor
      • Dynamic Threshold monitor
      • Override monitor arguments
      • Write a remediation guide
  • 📈Metrics
    • Explore Metrics
    • Custom charts
      • Adding custom charts to components
      • Writing PromQL queries for representative charts
      • Troubleshooting custom charts
    • Advanced Metrics
      • Grafana Datasource
      • Prometheus remote_write
      • OpenMetrics
  • 📑Logs
    • Explore Logs
    • Log Shipping
  • 🔭Traces
    • Explore Traces
  • 📖Health
    • Health synchronization
    • Send health data over HTTP
      • Send health data
      • Repeat Snapshots JSON
      • Transactional Increments JSON
    • Debug health synchronization
  • 🔍Views
    • Kubernetes views
    • Custom views
    • Component views
    • Explore views
    • View structure
      • Overview perspective
      • Highlights perspective
      • Topology perspective
      • Events perspective
      • Metrics perspective
      • Traces perspective
      • Filters
      • Keyboard shortcuts
    • Timeline and time travel
  • 🕵️Agent
    • Network configuration
      • Proxy Configuration
    • Using a custom registry
    • Custom Secret Management
      • Custom Secret Management (Deprecated)
    • Request tracing
      • Certificates for sidecar injection
  • 🔭Open Telemetry
    • Overview
    • Getting started
      • Concepts
      • Kubernetes
      • Kubernetes Operator
      • Linux
      • AWS Lambda
    • Open telemetry collector
      • Sampling
      • SUSE Observability OTLP APIs
    • Instrumentation
      • Java
      • Node.js
        • Auto-instrumentation of Lambdas
      • .NET
      • SDK Exporter configuration
    • Troubleshooting
  • CLI
    • SUSE Observability CLI
  • 🚀Self-hosted setup
    • Install SUSE Observability
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Alibaba Cloud ACK install
        • Required Permissions
        • Override default configuration
        • Configure storage
        • Exposing SUSE Observability outside of the cluster
      • Initial run guide
      • Troubleshooting
        • Advanced Troubleshooting
        • Support Package (Logs)
    • Configure SUSE Observability
      • Slack notifications
      • E-mail notifications
      • Stackpacks
      • Advanced
        • Analytics
    • Release Notes
      • v2.0.0 - 11/Sep/2024
      • v2.0.1 - 18/Sep/2024
      • v2.0.2 - 01/Oct/2024
      • v2.1.0 - 29/Oct/2024
      • v2.2.0 - 09/Dec/2024
      • v2.2.1 - 10/Dec/2024
      • v2.3.0 - 30/Jan/2025
      • v2.3.1 - 17/Mar/2025
      • v2.3.2 - 22/Apr/2025
      • v2.3.3 - 07/May/2025
    • Upgrade SUSE Observability
      • Migration from StackState
      • Steps to upgrade
      • Version-specific upgrade instructions
    • Uninstall SUSE Observability
    • Air-gapped
      • SUSE Observability air-gapped
      • SUSE Observability Kubernetes Agent air-gapped
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Configuration backup
      • Data retention
      • Clear stored data
    • Security
      • Authentication
        • Authentication options
        • Single password
        • File-based
        • LDAP
        • Open ID Connect (OIDC)
          • Microsoft Entra ID
        • KeyCloak
        • Service tokens
        • Troubleshooting
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
      • Self-signed certificates
      • External secrets
  • 🔐Security
    • Service Tokens
    • API Keys
  • ☁️SaaS
    • User Management
  • Reference
    • SUSE Observability Query Language (STQL)
    • Chart units
    • Topology Identifiers
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Ingestion API Keys
  • Manage Ingestion API Keys
  • Create Ingestion API Keys
  • List Ingestion API Keys
  • Delete Ingestion API Keys
  • Authenticate using Ingestion API keys
  • suse-observability-agent
  • OTel Collector
  1. Security

API Keys

SUSE Observability

API keys are used for sending telemetry data to SUSE Observability. It now offers two types of API keys:

  • Receiver API Key: This key is typically generated during the initial installation of your SUSE Observability instance, and it never expires

  • Ingestion API Key: You can create Ingestion API Keys using the SUSE Observability CLI (STS). These keys offer expiration dates, requiring periodic rotation for continued functionality.

The receiver API key can be found in your values.yaml as the receiverApiKey, but you can also find it in the installation instructions of the stackpacks. For example if you installed the Kubernetes stackpack:

  1. Open SUSE Observability

  2. Navigate to StackPacks and select the Kubernetes StackPack

  3. Open one of the installed instances

  4. Scroll down to the first set of installation instructions. It shows the API key as STACKSTATE_RECEIVER_API_KEY in text and as 'stackstate.apiKey' in the command.

Ingestion API Keys

Ingestion API Keys are used by external tools to ingest data (like metrics, events, traces and so on) to the SUSE Observability cluster. These tools can be STS Agent or/and OTel Collector.

Manage Ingestion API Keys

Keys can be managed via the sts CLI. The following commands are available:

> sts ingestion-api-key --help
Manage API Keys used by ingestion pipelines, means data (spans, metrics, logs an so on) send by STS Agent, OTel and so on.

Usage:
  sts ingestion-api-key [command]

Available Commands:
  create      Create a new Ingestion Api Key
  delete      Delete an Ingestion Api Key
  list        List Ingestion Api Keys

Use "sts ingestion-api-key [command] --help" for more information about a command.

Create Ingestion API Keys

To create a Key in your instance of SUSE Observability, you can use the sts CLI.

> sts ingestion-api-key create --name {NAME}

Note that the Key will only be displayed once. It isn't possible to see the token again.

This command takes the following command line arguments:

Flag
Description

--name

The name of the Key.

--description

Optional description of the API Key.

--expiration

The expiration date of the Key, the format is yyyy-MM-dd. The expiration is optional.

For example, the command below will create a Key with the name my-ingestion-api-key:

> sts ingestion-api-key create --name my-ingestion-api-key
✅ Ingestion API Key generated: iapikeyok-aaaaa-bbbb-ccccc-ddddd

List Ingestion API Keys

The ID, name, expiration date and description of all created Ingestion API Keys can be seen using the sts CLI. For example:

> sts ingestion-api-key list                              
ID              | NAME                 | EXPIRATION | DESCRIPTION                                                                                                                                                                             
250558013078953 | my-ingestion-api-key |            | - 

Delete Ingestion API Keys

An Ingestion API Key can be deleted using the sts CLI. Pass the ID of the Key as an argument. For example:

> sts ingestion-api-key delete  --id 250558013078953
✅ Ingestion Api Key deleted: 250558013078953

Authenticate using Ingestion API keys

Once created, an Ingestion API Key can be used to authenticate:

  • suse-observability-agent

  • OTel Collector

suse-observability-agent

The SUSE Observability agent requires an API key for communication, historically known as the Receiver API Key. SUSE Observability now offers two options for authentication:

  • Receiver API Key: This key is typically generated during the initial installation of your SUSE Observability instance,

  • Ingestion API Key: You can create Ingestion API Keys using the SUSE Observability CLI (STS). These keys offer expiration dates, requiring periodic rotation for continued functionality.

OTel Collector

When using the SUSE Observability collector, you'll need to include an Authorization header in your configuration. The collector accepts either a Receiver API Key or an Ingestion API Key for authentication. The following code snippet provides an example configuration:

extensions:
  bearertokenauth:
    scheme: SUSE Observability
    token: "${env:API_KEY}"
exporters:
  otlp/suse-observability:
    auth:
      authenticator: bearertokenauth
    endpoint: <otlp-suse-observability-endpoint>:443
  # or
  otlphttp/suse-observability:
    auth:
      authenticator: bearertokenauth
    endpoint: https://<otlp-http-suse-observability-endpoint>
PreviousService TokensNextUser Management

Last updated 1 month ago

🔐