Service accounts

A service account provides an identity that a service can use to access Chronosphere APIs, Chronoctl, Terraform, and the Collector. Chronosphere attributes all actions that a service takes to its service account. Accounts can belong to teams.

When you create a service account, Chronosphere also creates a non-expiring API token that the service account uses for authentication.

Service accounts are distinct from user accounts, which provide identities for users who can also authenticate interactively and use the Chronosphere app.

To use tools that require non-interactive authentication, such as Chronoctl, Terraform, or the Chronosphere API, create a temporary personal access token with the same permissions as your user account. You can also assign service accounts to teams with the SysAdmin role, which grants those service accounts administrative permissions.

For details about accounts and teams, see Accounts and Teams. For details about interactive user account authentication, see Authenticating with Chronosphere.

View service accounts

To view your service accounts, in the navigation menu select Settings > Service Accounts.

Create a service account

New service accounts can be one of the following types, each configured differently:

  • An unrestricted service account, which grants full access to all Chronosphere APIs and entities, including administration and monitoring features.
  • A restricted service account, which grants certain permissions to access only metric data, and optionally only metrics that match one or two specific label names and values.

To use a service account with Chronoctl or Terraform, you must create an unrestricted service account.

To use a service account with the Collector, create a restricted write-only service account.

Create an unrestricted service account

You must be a member of a team with the SysAdmin role to create a new service account.

To create an unrestricted service account:

  1. In the navigation menu select Settings > Service Accounts.
  2. Click + Service Account. This opens the Add Service Account dialog.
  3. In the Service Account Name field, enter a descriptive name for the service account.
  4. In the Service Account Type section, select Unrestricted.
  5. Click Save.

After creating the service account, Chronosphere displays its secret token.

⚠️ This is the only time Chronosphere displays the service account's token. Store it securely. If you lose the token, you must delete and recreate the service account to generate a new token.

Create a restricted service account

To create a restricted service account:

  1. In the navigation menu select Settings > Service Accounts.

  2. Click + Service Account. This opens the Add Service Account dialog.

  3. In the Service Account Name field, enter a descriptive name for the service account.

  4. In the Service Account Type section, select Restricted. Chronosphere displays additional fields for you to complete.

  5. Complete the creation process based on your needs. Use the Label Restrictions section to limit this account's access to only metrics that match one or two specific label key/value pairs. Click +Add Label to add a second key/value pair.

    Label restrictions support a maximum of two key/value pairs.

    Key/value pairs on individual service accounts must be unique. Multiple values can't be set for the same label key.

    Because Chronosphere strips this label from query responses, users with a restricted service account aren't aware that they're viewing only metrics that match this label.

  6. Click Save.

After creating the service account, Chronosphere displays its secret token.

⚠️ This is the only time Chronosphere displays the service account's token. Store it securely. If you lose the token, you must delete and recreate the service account to generate a new token.
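The following check is an added example, not Chronosphere code: it lints a planned list of service accounts against the rules stated on this page (Chronoctl and Terraform need an unrestricted account, the Collector gets a restricted write-only account, and label restrictions allow at most two pairs with unique keys). The field names and the sample inventory are assumptions made for the example, not a Chronosphere schema.

```python
# Added example: lint planned service accounts against the rules on this page.
# Field names ("type", "permission", "consumer", "labels") are hypothetical.
MAX_LABEL_PAIRS = 2
NEEDS_UNRESTRICTED = {"chronoctl", "terraform"}


def lint_account(acct):
    """Return a list of findings for one planned service account."""
    findings = []
    kind = acct["type"]
    consumer = acct.get("consumer")
    pairs = acct.get("labels", [])  # list of (key, value) tuples

    if consumer in NEEDS_UNRESTRICTED and kind != "unrestricted":
        findings.append(f"{consumer} requires an unrestricted service account")
    if consumer == "collector" and (kind != "restricted" or acct.get("permission") != "write"):
        findings.append("collector should use a restricted write-only service account")
    if len(pairs) > MAX_LABEL_PAIRS:
        findings.append(f"at most {MAX_LABEL_PAIRS} label key/value pairs are supported")
    keys = [k for k, _ in pairs]
    for key in sorted({k for k in keys if keys.count(k) > 1}):
        findings.append(f"label key {key!r} is set more than once")
    return findings


def lint_inventory(accounts):
    """Map account name -> findings, omitting accounts that pass every check."""
    report = {}
    for acct in accounts:
        findings = lint_account(acct)
        if findings:
            report[acct["name"]] = findings
    return report


# Constructed sample inventory (not real accounts).
PLANNED = [
    {"name": "ci-terraform", "type": "restricted", "permission": "read", "consumer": "terraform"},
    {"name": "edge-collector", "type": "unrestricted", "consumer": "collector"},
    {"name": "team-a-reader", "type": "restricted", "permission": "read",
     "labels": [("team", "a"), ("team", "b"), ("env", "prod")]},
    {"name": "prod-collector", "type": "restricted", "permission": "write",
     "consumer": "collector", "labels": [("env", "prod")]},
]

if __name__ == "__main__":
    for name, findings in lint_inventory(PLANNED).items():
        print(name, "->", "; ".join(findings))
```

An unrestricted account assigned to the Collector is flagged because its non-expiring token would carry full API access where write-only metric access is enough.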

Delete a service account

Chronosphere prevents users from modifying Terraform-managed resources in the user interface, with Chronoctl, or by using the API. For details, see the Terraform provider documentation.

  1. In the navigation menu select Settings > Service Accounts.
  2. Select the checkboxes for one or more service accounts you want to delete.
  3. Click Delete at the top of the list of service accounts.