Create and manage service accounts.

A service account can be used to automate management of objects like dashboard, alerts, etc.

  • A service account uses a token to authenticate.
  • A service account must have permissions to perform tasks. For dashboards and alerts, the service account must also have access.
  • By default, service accounts do not get any individual permission by default
    • Each account is automatically added to the Everyone group and inherits the Everyone group permissions (if any)
    • Service account can be added to any group to get that groups permissions.
  • A service account can’t perform the UI operations that user accounts can perform by default. Service Accounts can be used to automate management of objects like Dashboard, Alerts, etc. If a user wants to automate the process of managing certain objects then they can assign Dashboard management permission or Alert management permission to a Service Account and add it to the ACL for the objects that the user wants to manage automatically through a Service Account

Service Accounts Basics

If you build a service or tool that manages proxies or ingests data, then that tool must authenticate to the Wavefront API. Service accounts support this type of authentication.

  1. Create a service account from the Wavefront UI.

    Note: The service account name must be unique.

  2. Give the account the permissions it needs.
  3. Configure your tool to pass the service account credentials (API token) to the Wavefront API.

    The tool authenticates seamlessly to the API without embedding any secret keys or user credentials in your instance, image, or application code.

Service accounts can perform get, modify, and delete tasks only if they have the necessary permissions. You can disable a service account if you temporarily don’t need it, or delete it permanently.

Create a Service Account

Creating a service account is different from creating a user account.

  1. From the gear icon, select Account Management.
  2. Click the Service Accounts tab, and click Create New Account
  3. On the New Service Account page, specify the account details and click Create.
FieldDescription
Account ID ID of the account. We prefix this ID with sa::.

A service account name must be unique. Wavefront converts service account ID to lower case. Users can type upper case or lower case -- this helps avoid duplicates.

Tokens List of API tokens that the service account can use to authenticate to Wavefront.
  • Click the Edit icon to change the token name.
  • Click Revoke to revoke the token. Any service accounts that use the token can no longer authenticate to Wavefront.
  • Click Generate to generate additional tokens. Having multiple active tokens makes it possible to revoke some tokens. For example, if the service connects to several proxies, you can generate a token to connect to each proxy. You can revoke the token for one proxy but leave the others.
  • Click the Copy to Clipboard icon to copy the token for pasting.
Groups By default, service accounts are added to the Everyone group and you cannot remove them. If you give permissions to the Everyone group, all the service account get those permissions. You can also add a service accounts to other groups.
Permissions Individual permissions assigned to this service account. For example, give the account Proxies permission to interact with proxies or Alerts permissions to retrieve data from alerts.

You can now grant or revoke permissions, which is the same for user accounts and service accounts, and you can deactivate or activate a service account.

Deactivate or Activate a Service Account

You can temporarily (or permanently) deactivate a service account. When an account is deactivated, none of the corresponding tokens work.

You can activate or deactivate a service account from the Service Accounts page or from the Edit Service Account page.

To activate or deactivate an account from the Service Accounts page:
  • Select the ellipsis to bring up the menu.
  • Select Activate or Deactivate.
deactivate or activate a service account
To activate or deactivate an account from the Edit Service Account page:
  • Click the service account name to open the Edit Service Account page.
  • Use the toggle to activate or deactivate the account.
deactivate or activate a service account