Service tokens
SUSE Observability Self-hosted
Last updated
SUSE Observability
SUSE Observability Self-hosted
Last updated
Using Service tokens it's possible to authenticate to SUSE Observability without having configured a user account. This is useful for situations where you want to use SUSE Observability from headless services like a CI server. In such a scenario you typically don't want to provision a user account in your identity provider.
Service tokens can be managed via the . The following commands are available:
It's also possible to when installing SUSE Observability.
To create a service token for an installed instance of SUSE Observability, you can use the new sts CLI.
This command takes the following command line arguments:
--name
The name of the service token
--expiration
The expiration date of the service token, the format is yyyy-MM-dd. The expiration is optional.
--roles
A comma separated list of roles to assign to the service token
For example, the command below will create a service token with the name my-service-token and the role stackstate-power-user:
When installing SUSE Observability, it's possible to bootstrap it with a (temporary) service token. This allows for using the CLI without first interacting with SUSE Observability and obtaining an API token from the UI. In order to set this up, you can add the following snippet to the SUSE Observability configuration file:
To configure SUSE Observability to create a bootstrap service token on Kubernetes, The following values need to be added to the file authentication.yaml. For example
Follow the steps below to configure SUSE Observability to create a bootstrap service token:
In authentication.yaml - add the bootstrap token:
token - The token that will be created on (initial) start of SUSE Observability.
roles - An array of roles that will be assigned to the bootstrap token.
ttl - Optional. The time-to-live for the service token, expressed as a duration string.
Store the file authentication.yaml together with the values.yaml from the SUSE Observability installation instructions.
Run a Helm upgrade to apply the changes.
This token can be added to the secret next to the data that is already there.
The ID, name, expiration date and roles of all created service tokens can be seen using the new sts CLI. For example:
A service token can be deleted using the new sts CLI. Pass the ID of the service token as an argument. For example:
Once created, a service token can be used to authenticate to SUSE Observability from a headless service. To do this you can either use the CLI or directly talk to the API.
sts CLITo use a service token to talk directly to the SUSE Observability Base API, add it to the header of the request in one of the following ways:
In the Authorization header:
In the X-API-Key header:
When the bootstrap token should come from an external secret, follow and add the following data:
A service token can be used for authentication with the sts CLI. For details, see .
➡️