IBM Cloud Docs
Managing access keys

Managing access keys

The Access Key is a token that you must use to configure monitoring agents to successfully forward data to your IBM Cloud Monitoring instance in IBM Cloud.

Getting the access key through the IBM Cloud UI

To get the access key for an IBM Cloud Monitoring instance through the IBM Cloud UI, complete the following steps:

  1. Log in to the IBM Cloud console.

  2. Go to the Menu icon Menu icon > Observability.

  3. Select Monitoring. The IBM Cloud Monitoring dashboard opens. You can see the list of monitoring instances that are available on IBM Cloud.

  4. Identify the instance for which you want to get the access key. Click the Actions icon Actions icon next to the instance and then click Manage key.

  5. A window opens where you can click Show key to view the access key.

Getting the access key through the CLI

To get the access key for a monitoring instance through the command line, complete the following steps:

  1. [Pre-requisite] Install the IBM Cloud CLI.

  2. Log in to the region in the IBM Cloud where the monitoring instance is running. Run the following command: ibmcloud login

  3. Set the resource group where the monitoring instance is running. Run the following command: ibmcloud target

    By default, the default resource group is set.

  4. Get the instance name. Run the following command: ibmcloud resource service-instances

    ibmcloud resource service-instances

  5. Get the name of the API key that is associated with the monitoring instance. Run the ibmcloud resource service-keys command:

    ibmcloud resource service-keys --instance-name INSTANCE_NAME

    where INSTANCE_NAME is the name of the instance that you obtained in the previous step.

  6. Get the access key. Run the ibmcloud resource service-key command:

    ibmcloud resource service-key APIKEY_NAME

    where APIKEY_NAME is the name of the API key.

    The output from this command includes the field Access Key that contains the access key for the instance.

Creating additional access keys

If the access key is compromised or you have a policy to renew it after a number of days, you can generate a new access key and disable the old one.

To create a new access key for an IBM Cloud Monitoring instance, complete the following steps:

  1. Obtain the API token from the IBM Cloud Monitoring UI. Learn more.

  2. Issue a curl POST request against the monitoring endpoint to generate a new access key.

    curl -X POST -H 'Authorization: Bearer API_TOKEN' https:ENDPOINT/api/customer/accessKeys

    Where

    • ENDPOINT is the URL for the region where the monitoring instance is available. For more information, see monitoring endpoints.
    • API_TOKEN is the API token that you get in step 1.

    The output will provide the newly generated access key in the response.

    {
    "customerAccessKey": {
        "enabled": true,
        "accessKey": "12345678-1234-1234-1234-123456789012",
        "dateCreated": 1573852152224,
        "dateDisabled": null
    }
}

  3. The access key can now be used in the monitoring agent configuration files.

Disabling an access key

To disable an existing access key for an IBM Cloud Monitoring instance, complete the following steps:

  1. Obtain the API Token from the IBM Cloud Monitoring UI ( see instructions ).

  2. Issue a curl POST request against the monitoring endpoint to disable the given access key.

    curl -X POST -H 'Authorization: Bearer API_TOKEN' https:ENDPOINT/api/customer/accessKeys/ACCESS_KEY/disable

    Where

    • ENDPOINT is the URL for the region where the monitoring instance is available. For more information, see monitoring endpoints.
    • API_TOKEN is the API Token retrieved in step 1.
    • ACCESS_KEY is the access key that you wish to disable.

Once you disable the access key, the agents connected with the access key will be immeditely blocked from sending metrics to this IBM Cloud Monitoring instance.

There is no option to delete access keys at this time.

Enabling an access key

To enable an existing access key for an IBM Cloud Monitoring instance, complete the following steps:

  1. Obtain the API Token from the IBM Cloud Monitoring UI. Learn more.

  2. Issue a curl POST request against the monitoring endpoint to enable the given access key.

    curl -X POST -H 'Authorization: Bearer API_TOKEN' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY/enable

    Where

    • ENDPOINT is the URL for the region where the monitoring instance is available. For more information, see monitoring endpoints.
    • API_TOKEN is the API Token retrieved in step 1.
    • ACCESS_KEY is the access key that you wish to enable.

After you enable the access key, the agents will need to be manually restarted since an agent that connects with a disabled access key will be terminated.

Viewing the available access keys

To view all of the access keys for an IBM Cloud Monitoring instance, complete the following steps:

  1. Obtain the API Token from the IBM Cloud Monitoring UI. Learn more.

  2. Issue a curl GET request against the regional monitoring endpoint to enable the given access key.

    curl -X GET -H 'Authorization: Bearer API_TOKEN' https://ENDPOINT/api/customer/accessKeys

    Where

    • ENDPOINT is the URL for the region where the monitoring instance is available. For more information, see monitoring endpoints.
    • API_TOKEN is the API Token retrieved in Step 1.

    The output will provide a list of the access keys in the response and whether they are enabled.

    {
    "customerAccessKeys": [
        {
            "enabled": true,
            "accessKey": "12345678-1234-1234-1234-123456789012",
            "dateCreated": 1541096409000,
            "dateDisabled": null
        },
        {
            "enabled": false,
            "accessKey": "87654321-1234-1234-1234-123456789012",
            "dateCreated": 1573849361000,
            "dateDisabled": 1573849367000
        }
    ]
}

Deleting access keys

To delete an access keys for an IBM Cloud Monitoring instance, complete the following steps:

  1. Obtain the API Token from the IBM Cloud Monitoring UI. Learn more.

  2. Issue a curl DELETE request against the regional monitoring endpoint to delete the access key.

    curl -X DELETE -H 'Authorization: Bearer API_TOKEN' -H "IBMInstanceID: GUID" https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY

    Where

    • ENDPOINT is the URL for the region where the monitoring instance is available. For more information, see monitoring endpoints.
    • API_TOKEN is the API Token retrieved in Step 1.
    • GUID is the GUID of the monitoring instance associated with the access key. See headers for IAM tokens.
    • ACCESS_KEY is the access key to be deleted. You can view a list of all access keys to obtain the access key values.