
Service tokens

SUSE Observability Self-hosted


Last updated 3 months ago

Overview

Service tokens make it possible to authenticate to SUSE Observability without configuring a user account. This is useful when you want to use SUSE Observability from headless services such as a CI server, where you typically don't want to provision a user account in your identity provider.

Manage service tokens

Service tokens can be managed via the sts CLI. The following commands are available:

> sts service-token --help
Manage service tokens.

Usage:
  sts service-token [command]

Available Commands:
  create      Create a service token
  delete      Delete a service token
  list        List service tokens

Use "sts service-token [command] --help" for more information about a command.

It's also possible to set up a bootstrap service token when installing SUSE Observability.

Create service tokens

To create a service token for an installed instance of SUSE Observability, you can use the new sts CLI.

sts service-token create

Note that the service token will only be displayed once. It isn't possible to see the token again.

This command takes the following command line arguments:

Flag         | Description
--name       | The name of the service token
--expiration | The expiration date of the service token, the format is yyyy-MM-dd. The expiration is optional.
--roles      | A comma separated list of roles to assign to the service token

For example, the command below will create a service token with the name my-service-token and the role stackstate-power-user:

> sts service-token create --name my-service-token --roles stackstate-power-user
✅ Service token created: svctok-aaaaa-bbbb-ccccc-ddddd

Set up a bootstrap service token

When installing SUSE Observability, it's possible to bootstrap it with a (temporary) service token. This allows for using the CLI without first interacting with SUSE Observability and obtaining an API token from the UI.

To configure SUSE Observability to create a bootstrap service token on Kubernetes, add the following values to the file authentication.yaml. For example:

stackstate:
  authentication:
    serviceToken:
      bootstrap:
        token: <token>
        roles:
          - stackstate-power-user
        ttl: 24h

Follow the steps below to configure SUSE Observability to create a bootstrap service token:

  1. In authentication.yaml - add the bootstrap token:

    • token - The token that will be created on (initial) start of SUSE Observability.

    • roles - An array of roles that will be assigned to the bootstrap token.

    • ttl - Optional. The time-to-live for the service token, expressed as a duration string.

  2. Store the file authentication.yaml together with the values.yaml from the SUSE Observability installation instructions.

  3. Run a Helm upgrade to apply the changes.

    helm upgrade \
      --install \
      --namespace suse-observability \
      --values values.yaml \
      --values authentication.yaml \
      suse-observability \
      suse-observability/suse-observability

Note:

  • The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.

  • Include authentication.yaml on every helm upgrade run.

  • The authentication configuration is stored as a Kubernetes secret.

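Set up the bootstrap service token from an external secret

When the bootstrap token should come from an external secret, follow these steps and add the following data:

kind: Secret
metadata:
  name: "<custom-secret-name>"
type: Opaque
data:
  bootstrap_token: <base64 of token>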

This token can be added to the secret next to the data that is already there.
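
One way to produce the token and the base64 value for `bootstrap_token`, as an added example that is not part of the SUSE Observability documentation. It assumes the bootstrap token may be any opaque random string; the function names and the secret name in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example: generate a bootstrap token and render the external Secret.
# Assumption: the bootstrap token may be any opaque random string.

# gen_bootstrap_token: 32 bytes from the kernel CSPRNG as 64 hex characters.
gen_bootstrap_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# encode_secret_value VALUE: base64 of exactly VALUE.
# printf '%s' avoids the trailing newline that `echo` would add, so the
# stored value is the token itself and not the token plus a newline.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_bootstrap_secret NAME TOKEN: Secret manifest with the page's key.
render_bootstrap_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: "$1"
type: Opaque
data:
  bootstrap_token: $(encode_secret_value "$2")
EOF
}

# Usage (hypothetical names): keep the manifest out of world-readable files.
#   umask 077
#   token="$(gen_bootstrap_token)"
#   render_bootstrap_secret my-auth-secret "$token" > bootstrap-secret.yaml
```

The rendered manifest contains only `bootstrap_token`; when the secret already holds other data, merge that one line into the existing `data` section instead of applying the manifest as is.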

List service tokens

The ID, name, expiration date and roles of all created service tokens can be seen using the new sts CLI. For example:

> sts service-token list
ID              | NAME             | EXPIRATION | ROLES
107484341630693 | my-service-token |            | [stackstate-power-user]
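
The list output above is easy to audit in a scheduled job. The following is an added example, not part of the SUSE Observability documentation, that flags tokens with no expiration, expired tokens, and tokens holding a broad role. It assumes a set EXPIRATION value starts with yyyy-MM-dd (the format of the --expiration flag); the role `ci-readonly` and the second and third sample rows are constructed.

```sh
#!/bin/sh
# Added example: audit `sts service-token list` output for risky tokens.
# Assumptions: a set EXPIRATION value starts with yyyy-MM-dd; which role
# counts as "broad" is site policy (default: stackstate-power-user).

# audit_service_tokens TODAY [BROAD_ROLE] < list-output
# Prints "<id> <name> <finding>" for every finding.
audit_service_tokens() {
  awk -F'|' -v today="$1" -v broad="${2:-stackstate-power-user}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF < 4 { next }                      # prompt, blank or status lines
    {
      id = trim($1); name = trim($2)
      expiry = substr(trim($3), 1, 10); roles = trim($4)
      if (id == "ID") next               # header row
      if (expiry == "")         print id, name, "no-expiration"
      else if (expiry < today)  print id, name, "expired"
      if (index(roles, broad))  print id, name, "broad-role"
    }'
}

# Constructed sample: the first data row is from the page, the rest invented.
sample_list() {
  cat <<'EOF'
> sts service-token list
ID              | NAME             | EXPIRATION | ROLES
107484341630693 | my-service-token |            | [stackstate-power-user]
107484341630694 | ci-dashboards    | 2025-01-31 | [ci-readonly]
107484341630695 | nightly-export   | 2026-12-31 | [ci-readonly]
EOF
}

# Real use: sts service-token list | audit_service_tokens "$(date +%Y-%m-%d)"
sample_list | audit_service_tokens 2025-06-01
```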

Delete service tokens

A service token can be deleted using the new sts CLI. Pass the ID of the service token as an argument. For example:

> sts service-token delete 107484341630693
✅ Service token deleted: 107484341630693

Use service tokens

Once created, a service token can be used to authenticate to SUSE Observability from a headless service. To do this you can either use the CLI or directly talk to the API.

SUSE Observability sts CLI

A service token can be used for authentication with the sts CLI. For details, see the CLI documentation.

SUSE Observability APIs

To use a service token to talk directly to the SUSE Observability Base API, add it to the header of the request in one of the following ways:

  • In the Authorization header:

    > curl -X GET -H "Authorization: ApiKey <TOKEN>" http://localhost:8080/api/server/status

  • In the X-API-Key header:

    > curl -X GET -H "X-API-Key: <TOKEN>" http://localhost:8080/api/server/status
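
For a headless service such as a CI job, the token is better kept out of the command line, where it would show up in process listings and job logs. The following added example, not part of the SUSE Observability documentation, sends the X-API-Key header from a curl config file; the function names, the file paths and the token character check are assumptions.

```sh
#!/bin/sh
# Added example: call the API with a service token kept off the command line.
# Assumption: tokens use only letters, digits, '.', '_' and '-' (the page's
# example token fits); adjust the check if your tokens differ.

# write_auth_config TOKEN_FILE CONFIG_FILE
# Writes a curl config file (mode 0600) carrying the X-API-Key header, so the
# token never appears in argv, shell history or CI command echo.
write_auth_config() {
  token="$(tr -d '\r\n' < "$1")" || return 1
  [ -n "$token" ] || { echo "empty token in $1" >&2; return 1; }
  case "$token" in
    *[!A-Za-z0-9._-]*) echo "unexpected character in token" >&2; return 1 ;;
  esac
  rm -f "$2"
  ( umask 077; printf 'header = "X-API-Key: %s"\n' "$token" > "$2" )
}

# sts_api_get BASE_URL API_PATH CONFIG_FILE
# --fail turns HTTP 401/403 into a non-zero exit for the calling job.
sts_api_get() {
  curl --silent --show-error --fail --config "$3" "$1$2"
}

# Usage (paths are hypothetical):
#   write_auth_config /run/secrets/sts_token "$HOME/.sts-curl.cfg"
#   sts_api_get http://localhost:8080 /api/server/status "$HOME/.sts-curl.cfg"
```

The service token is a bearer credential, so for any endpoint other than localhost pass an https:// base URL.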