Service accounts

A service account provides an identity that a service can use to access Chronosphere APIs, Chronoctl, Terraform, and the Chronosphere Collector. Service accounts are meant to be used for automated, non-interactive uses, such as CI/CD, ingesting telemetry, or automated queries. Chronosphere attributes all actions that a service takes to its service account. A service account can't access the user interface, only the APIs. Accounts can belong to teams.

When you create a service account, Chronosphere also creates a non-expiring API token that the service account uses for authentication.

Service accounts are distinct from user accounts, which provide identities for users who can also authenticate interactively and use the Chronosphere app.

To use tools that require non-interactive authentication, such as Chronoctl, Terraform, or the Chronosphere API, create a temporary personal access token with the same permissions as your user account. You can also assign service accounts to teams with the SysAdmin role, which also grants those service accounts administrative permissions.

For details about accounts and teams, see Accounts and Teams. For details about interactive user account authentication, see Authenticating with Chronosphere.

View service accounts

To view your service accounts, you must have administrative privileges.

In the navigation menu click Go to Admin and then select Platform > Service Accounts.

Create a service account

New service accounts can be one of the following types, each configured differently:

  • An unrestricted service account, which grants full access to all Chronosphere APIs and entities, including administration and monitoring features.
  • A restricted service account, which grants limited permissions to access only telemetry data, and optionally limits the metrics it can see to those carrying one or two specific label names and values.

To use a service account with Chronoctl or Terraform, you must create an unrestricted service account.

To use a service account with the Chronosphere Collector, create a restricted write-only service account.

Create an unrestricted service account

A service account can access the entire Chronosphere API. Service accounts can be given the SysAdmin role but don't require it.

You must be a member of a team with the SysAdmin role to create a new service account.

To create an unrestricted service account, select from these methods:

You must have administrative privileges.

  1. In the navigation menu click Go to Admin and then select Platform > Service Accounts.
  2. Click + Service Account. This opens the Add Service Account dialog.
  3. In the Service Account Name field, enter a descriptive name for the service account.
  4. In the Service Account Type section, select Unrestricted.
  5. Click Save.

After creating the service account, Chronosphere displays its secret token.

⚠️ This is the only time Chronosphere displays the service account's token. Store it securely. If you lose the token, you must delete and recreate the service account to generate a new token.

Create a restricted service account

A restricted service account can access only the telemetry ingest and query APIs. The account is prevented from accessing any of the other APIs. It can't make configuration changes, such as adding rules, creating monitors, or adding accounts.

The following types of restricted service accounts are available:

  • Read-only accounts have permission to query.
  • Write-only accounts can ingest.
  • Read & write accounts can query and ingest.

Write-only accounts are based on the principle of least privilege. A robot whose only job is to send ingest data to the server doesn't need query access.

Restricted accounts that use label restrictions force a label with a specific value to be present on every write, and allow only queries that include that label/value pair. Label restrictions support a maximum of two key/value pairs.

Key/value pairs on individual service accounts must be unique. You can't set multiple values for the same label key.

Chronosphere strips this label from query responses. Users with a restricted service account aren't aware that they're viewing metrics that match only the specified label.

Users see all other telemetry.

To create a restricted service account, select from these methods:

You must have administrative privileges.

  1. In the navigation menu click Go to Admin and then select Platform > Service Accounts.
  2. Click + Service Account. This opens the Add Service Account dialog.
  3. In the Service Account Name field, enter a descriptive name for the service account.
  4. In the Service Account Type section, select Restricted. Chronosphere displays additional fields for you to complete.
  5. Complete the creation process based on your needs. Use the Label Restrictions section to limit this account's metrics access to series that carry one, or a pair of, specific key/value pairs. Click +Add Label to add a second key/value pair.
  6. Click Save.

After creating the service account, Chronosphere displays its secret token.

⚠️ This is the only time Chronosphere displays the service account's token. Store it securely. If you lose the token, you must delete and recreate the service account to generate a new token.

Label restriction example

Label restrictions are meant to support a third-party use case, where Chronosphere is the first party, and a Chronosphere customer (CompanyX) is the second party. A Chronosphere customer's customer (CompanyA, CompanyB, or CompanyC) is the third party.

In this scenario, CompanyX uses one tenant with Chronosphere to store data about CompanyA, CompanyB, and CompanyC, discriminated by some key (such as third-party) with a value of A, B, or C.

Employees of CompanyX can see all of the data.

Employees of CompanyA get a restricted service account with a label restriction of third-party=A. CompanyA doesn't know this key or this value. Whenever they send data to Chronosphere, Chronosphere augments the writes with third-party=A. Whenever CompanyA runs queries, Chronosphere allows them to see only time series that include third-party=A, and it strips this label before showing the time series to employees of CompanyA.

Delete a service account

Users cannot modify Terraform-managed resources in the Chronosphere app, with Chronoctl, or by using the API.

You must have administrative privileges.

  1. In the navigation menu click Go to Admin and then select Platform > Service Accounts.
  2. Select the checkboxes for one or more service accounts you want to delete.
  3. Click Delete at the top of the list of service accounts.