Service accounts

A service account provides an identity that a service can use to access Chronosphere APIs, Chronoctl, Terraform, and the Chronosphere Collector. Use service accounts for automated, programmatic interactions, such as CI/CD, ingesting telemetry, or automated queries. Chronosphere Observability Platform attributes all actions that a service takes to its service account. A service account can't access the user interface, only the APIs. Accounts can belong to teams.

When you create a service account, Chronosphere also creates a non-expiring API token that the service account uses for authentication.

Service accounts are distinct from user accounts, which provide identities for users who can also authenticate interactively and use Chronosphere Observability Platform.

To use tools that require non-interactive authentication, such as Chronoctl, Terraform, or the Chronosphere API, create a temporary personal access token with the same permissions as your user account. You can also assign service accounts to teams with the SysAdmin role, which also grants those service accounts administrative permissions.

For details about accounts and teams, see Accounts and Teams. For details about interactive user account authentication, see Authenticating with Observability Platform.

View service accounts

In the navigation menu, click Go to Admin and then select Platform > Service Accounts.

The service account list contains the following information:

  • Name: The service account name.
  • Service Account ID: The unique ID for this service account.
  • Created By: The service account creator.
  • Restriction: The type of restrictions on this account. Unrestricted accounts don't have a value here.
  • Last used: When this service token was last accessed. This field can be inaccurate if more than 1000 service accounts are active.
  • Metric Label: For restricted accounts, the key/value label pair restriction.

Create a service account

New service accounts can be one of the following types, each configured differently:

  • An unrestricted service account, which grants full access to all Chronosphere APIs and entities, including administration and monitoring features.
  • A restricted service account, which grants certain permissions to access only telemetry data and optionally limits the metrics it can see to those carrying one or two specific label names and values.

To use a service account with Chronoctl or Terraform, you must create an unrestricted service account.

To use a service account with the Chronosphere Collector, create a restricted write-only service account.

Create an unrestricted service account

An unrestricted service account can access the entire Chronosphere API. You can assign such service accounts the SysAdmin role, but it's not required. The exception is a service account configured to create, modify, and delete Observability Platform resources, for example a service account for a Terraform provider that updates shaping rules, drop rules, trace metrics, and other control-related resources. For these service accounts, Chronosphere recommends assigning the SysAdmin role.

You must be a member of a team with the SysAdmin role to create a new service account.

To create an unrestricted service account:

  1. In the navigation menu, click Go to Admin and then select Platform > Service Accounts.
  2. Click + Service Account. This opens the Add Service Account dialog.
  3. In the Service Account Name field, enter a descriptive name for the service account.
  4. In the Service Account Type section, select Unrestricted.
  5. Click Save.

After creating the service account, Chronosphere displays its secret token.

⚠️ This is the only time Observability Platform displays the service account's token. Store it securely. If you lose the token, you must delete and recreate the service account to generate a new token.

Create a restricted service account

A restricted service account can access only the telemetry ingest and query APIs. The account can't access any of the other APIs. It can't make configuration changes, such as adding rules, creating monitors, or adding accounts.

The following types of restricted service accounts are available:

  • Read-only accounts have permission to query.
  • Write-only accounts can ingest.
  • Read & write accounts can query and ingest.

Write-only accounts follow the principle of least privilege. A robot whose only job is to send ingest data to the server doesn't need query access.

Restricted, read-only service accounts are restricted to reading even if the service account is added to a team with Editor or SysAdmin permissions.

Restricted accounts that use label restrictions force a label with a specific value to be present on every write, and allow only queries that include that label/value pair. Label restrictions support a maximum of two key/value pairs.

Key/value pairs on individual service accounts must be unique. You can't set multiple values for the same label key.

Observability Platform strips this label from query responses. Users with a restricted service account aren't aware that they're viewing metrics that match only the specified label.

Users see all other telemetry.

To create a restricted service account, you must have administrative privileges.

  1. In the navigation menu, click Go to Admin and then select Platform > Service Accounts.
  2. Click + Service Account. This opens the Add Service Account dialog.
  3. In the Service Account Name field, enter a descriptive name for the service account.
  4. In the Service Account Type section, select Restricted. Observability Platform displays additional fields for you to complete.
  5. Complete the creation process based on your needs. Use the Label Restrictions section to limit this account's metrics access to metrics that carry one or two specific key/value label pairs. Click +Add Label to add a second key/value pair.
  6. Click Save.

After creating the service account, Observability Platform displays its secret token.

⚠️ This is the only time Observability Platform displays the service account's token. Store it securely. If you lose the token, you must delete and recreate the service account to generate a new token.

Label restriction example

Label restrictions support a third-party use case, where Chronosphere is the first party, and a Chronosphere customer (CompanyX) is the second party. A Chronosphere customer's customer (CompanyA, CompanyB, or CompanyC) is the third party.

In this scenario, CompanyX uses one tenant with Chronosphere to store data about CompanyA, CompanyB, and CompanyC, discriminated by some key (such as third-party) with a value of A, B, or C.

Employees of CompanyX can see all of the data.

Employees of CompanyA get a restricted service account with a label restriction of third-party=A. CompanyA doesn't know this key or this value. Whenever they send data to Chronosphere, Chronosphere augments the writes with third-party=A. Whenever CompanyA does queries, Chronosphere allows them only to see time series that include third-party=A, but Chronosphere strips this label before showing the time series to employees of CompanyA.
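The following Python model is an added example, not Chronosphere code, that works through the three behaviours described for label-restricted accounts (the forced label on write, query filtering, and stripping the label from responses) together with the two validation rules above (at most two pairs, one value per key) and the rule that a restricted read-only or write-only scope is not widened by team roles. The in-memory store, the account names, and the sample series are constructed for this example; the real platform enforces these rules server-side with its own data structures.

```python
from dataclasses import dataclass

MAX_LABEL_RESTRICTIONS = 2  # documented limit: at most two key/value pairs per account


@dataclass(frozen=True)
class ServiceAccount:
    """Constructed model of a service account record (hypothetical fields)."""
    name: str
    restricted: bool
    read: bool = True            # restricted accounts: read-only, write-only, or read & write
    write: bool = True
    label_restrictions: tuple = ()   # ((key, value), ...); restricted accounts only

    def __post_init__(self):
        if not self.restricted:
            if self.label_restrictions:
                raise ValueError("label restrictions apply only to restricted accounts")
            return
        if len(self.label_restrictions) > MAX_LABEL_RESTRICTIONS:
            raise ValueError("at most two label restrictions are supported")
        keys = [k for k, _ in self.label_restrictions]
        if len(keys) != len(set(keys)):
            raise ValueError("a label key may carry only one value per service account")


def effective_permissions(account, team_roles=()):
    """Unrestricted accounts get full access. Restricted accounts keep the scope they
    were created with: Editor or SysAdmin team roles do not widen it."""
    if not account.restricted:
        return True, True
    return account.read, account.write


class TenantStore:
    """Constructed in-memory stand-in for one tenant: a list of (labels, value) series."""

    def __init__(self):
        self.series = []

    def write(self, account, labels, value):
        _, may_write = effective_permissions(account)
        if not may_write:
            raise PermissionError(f"{account.name}: write not permitted")
        stamped = dict(labels)
        # The restricting label/value is forced onto every write, overriding any
        # value the caller supplied for the same key.
        for key, val in account.label_restrictions:
            stamped[key] = val
        self.series.append((stamped, value))

    def query(self, account, selector):
        may_read, _ = effective_permissions(account)
        if not may_read:
            raise PermissionError(f"{account.name}: query not permitted")
        required = dict(account.label_restrictions)
        # A selector naming a restricted key with a different value is refused.
        for key, val in required.items():
            if key in selector and selector[key] != val:
                raise PermissionError(f"{account.name}: selector conflicts with restriction")
        matchers = {**selector, **required}  # restriction pairs are always part of the query
        results = []
        for labels, value in self.series:
            if any(labels.get(k) != v for k, v in matchers.items()):
                continue
            # The restricting label is stripped from the response.
            visible = {k: v for k, v in labels.items() if k not in required}
            results.append((visible, value))
        return results


def third_party_scenario():
    """The CompanyX / CompanyA / CompanyB scenario from the text, with constructed data."""
    store = TenantStore()
    companyx = ServiceAccount("companyx-ops", restricted=False)
    company_a = ServiceAccount("company-a", restricted=True,
                               label_restrictions=(("third-party", "A"),))
    # Write-only account of the kind a collector would use: ingest but never query.
    company_b_collector = ServiceAccount("company-b-collector", restricted=True, read=False,
                                         label_restrictions=(("third-party", "B"),))
    store.write(company_a, {"__name__": "http_requests_total", "job": "api"}, 10)
    store.write(company_b_collector, {"__name__": "http_requests_total", "job": "api"}, 20)
    # CompanyA claims to be tenant B on write; the forced label overrides the claim.
    store.write(company_a, {"__name__": "http_requests_total", "job": "web", "third-party": "B"}, 30)
    a_view = store.query(company_a, {"__name__": "http_requests_total"})
    x_view = store.query(companyx, {"__name__": "http_requests_total"})
    try:
        store.query(company_b_collector, {"__name__": "http_requests_total"})
        collector_query_refused = False
    except PermissionError:
        collector_query_refused = True
    return a_view, x_view, collector_query_refused


def validation_checks():
    """Edge cases from the text: more than two pairs, and two values for one key."""
    outcomes = {}
    for name, restrictions in (("three_pairs", (("a", "1"), ("b", "2"), ("c", "3"))),
                               ("duplicate_key", (("third-party", "A"), ("third-party", "B"))),
                               ("two_pairs", (("third-party", "A"), ("region", "eu")))):
        try:
            ServiceAccount(name, restricted=True, label_restrictions=restrictions)
            outcomes[name] = "accepted"
        except ValueError:
            outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(third_party_scenario())
    print(validation_checks())
```

Running the scenario shows CompanyA seeing only its own two series with no third-party label on them, CompanyX seeing all three series with the label intact (including the write where CompanyA tried to claim tenant B), and the write-only collector account being refused on query.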

Delete a service account

Users cannot modify Terraform-managed resources in the user interface, with Chronoctl, or by using the API.

To delete a service account, you must have administrative privileges.

  1. In the navigation menu, click Go to Admin and then select Platform > Service Accounts.
  2. Select the checkboxes for one or more service accounts you want to delete.
  3. Click Delete at the top of the list of service accounts.