IBM Cloud Docs
Working with Monitor API tokens

Working with Monitor API tokens

You can use Monitor API tokens to authenticate with the IBM Cloud Monitoring service when you use Python scripts or the IBM Cloud Monitoring REST API to automate routine tasks and monitor notifications.

Consider the following information for each instance of the IBM Cloud Monitoring service:

  • There is a Monitor API token per team.
  • If the token is compromised or your organization's security policies require resetting the token after certain conditions, a user with administration permissions can reset the API token.

Getting the Monitor API token through the monitoring UI

Complete the following steps to get the Monitor API token :

  1. From the Selector button in the navigation bar, choose Settings
  2. From the Monitor API section, copy the Monitor API Token.

After you get the token, you can run API calls and use this token in the Authorization header.

When you copy the token include the Bearer keyword: Authorization: Bearer MONITOR_API_TOKEN

Resetting the Monitor API token through the monitoring UI

Complete the following steps to reset the Monitor API token :

  1. From the Selector button in the navigation bar, choose Settings.
  2. In the Monitor API section, click Reset Token to reset the API token.

Getting the Monitor API token by using the API

You can use the Token API to get the Monitor API token .

For example, you can use the following cURL command to get the Monitor API token :

curl -X GET <MONITORING_REST_API_ENDPOINT>/api/token -H "Authorization: $AUTH_TOKEN" -H "IBMInstanceID: $GUID" -H "TeamID: $TEAM_ID" -H "content-type: application/json"

GET <MONITORING_REST_API_ENDPOINT>/api/token -H "Authorization: $AUTH_TOKEN" -H "IBMInstanceID: $GUID" -H "TeamID: $TEAM_ID" -H "content-type: application/json"

Where

  • <MONITORING_REST_API_ENDPOINT> indicates the endpoint targetted by the REST API call. For more information, see REST API endpoints. For example, the public endpoint for an instance that is available in us-south is the following: https://us-south.monitoring.cloud.ibm.com/api

  • You can pass multiple headers by using -H.

    Authorization and IBMInstanceID are headers that are required for authentication.

    TeamID defines the team for which you want to get the Monitor API token .

    To get an AUTH_TOKEN and the GUID see, Headers for IAM Tokens.

When the authorization that is allowed in a monitoring instance is set to IAM_ONLY, you get the following response {"errors":[{"reason":"Not enough privileges to complete the action","message":"Access is denied"}]} when you try to get the Monitor API token .

Sample JSON code

You can use the following sample JSON code to get the Monitor API token :

def get_sysdig_api_token(self, instance_guid):
   """ Get the Monitor API token  by calling the /api/token endpoint """
   if self.access_token == None:
       self.get_iam_token()
   if self.access_token == None:
       # If the token is still None we have problems ....
       return None
   headers = { "Authorization": self.access_token,
               "Accept": "application/json",
               "IBMInstanceID": instance_guid }
   url = self.sysdig_endpoint + "/api/token"
   response = requests.get(url, headers=headers)
   if response.status_code == 200:
       data = response.json()
       return data["token"]["key"]
   else:
       print_error("Error getting Monitor API token  - {}".format(response.text))
       return None