Managing access keys

An access key is a token that you must use to configure agents to successfully forward data to your Workload Protection instance in IBM Cloud.

Managing access keys by using the console

You can view, create, disable, enable, and delete access keys for a Workload Protection instance by using the IBM Cloud console.

To manage access keys by using the console, complete the following steps:

  1. In the IBM Cloud console, click the Navigation Menu icon Navigation Menu icon > Security > Compliance.
  2. Click the name of your Workload Protection instance.
  3. From the Actions menu, select Manage key.
  4. Click your dashboard to view, create, disable, enable, or delete access keys.

You can also hide the access key from non-administrators. For more information, go to Non-admin users.

Getting the access key by using the CLI

To get the access key for a Workload Protection instance by using the CLI, complete the following steps:

  1. Install the IBM Cloud CLI.

  2. Log in to the region that contains your Workload Protection instance by running the ibmcloud login command:

    ibmcloud login
    
  3. Set the resource group where the instance is running by running the ibmcloud target command:

    ibmcloud target -g <resource_group>
    

    Where <resource_group> is the name of the resource group. By default, the default resource group is set.

  4. Get the instance name by running the ibmcloud resource service-instances command:

    ibmcloud resource service-instances
    
  5. Get the name of the API key that is associated with the instance by running the ibmcloud resource service-keys command:

    ibmcloud resource service-keys --instance-name <instance_name> --output JSON
    

    Where <instance_name> is the name of the instance that you obtained in the previous step.

    The output from this command includes the Sysdig Access Key field that contains the access key for the instance.

You can also create, delete, enable, or disable access keys by using the API or the console. To see the steps, switch to the API instructions, or go to Managing access keys by using the console.

Getting the access key by using the API

You can get the access key by using the CLI or the console. To see the steps, switch to the CLI or UI instructions. You can also use the API to retrieve all available access keys. For more information, see Viewing the available access keys by using the API.

Creating an access key by using the API

If the access key is compromised or you have a policy to renew it after a number of days, you can generate a new access key and disable the old one.

To create a new access key for an Workload Protection instance, complete the following steps:

  1. Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.

  2. Issue a curl POST request against the endpoint to generate a new access key:

    curl -X POST -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys
    

    Where:

    • ENDPOINT is the URL for the region where the instance is available. For more information, see Endpoints.
    • SYSDIG_API_TOKEN is the API token that you obtained in step 1.
    • GUID is the GUID of the instance that is associated with the access key.

    For example:

    curl -X POST -H 'Authorization: Bearer xxxxxxx' -H 'IBMInstanceID: 12345678-1234-1234-1234-123456789012' https://us-east.security-compliance-secure.cloud.ibm.com/api/customer/accessKeys
    

    The output provides the generated access key in the response:

    {
        "customerAccessKey": {
            "enabled": true,
            "accessKey": "12345678-1234-1234-1234-123456789012",
            "dateCreated": 1573852152224,
            "dateDisabled": null,
            "limit": null,
            "reservation": null,
            "teamId": null
        }
    }
    

    You can now use the access key to configure agents.

Disabling an access key by using the API

To disable an existing access key for an Workload Protection instance, complete the following steps:

  1. Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.

  2. Issue a curl POST request against the endpoint to disable the access key:

    curl -X POST -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY/disable
    

    Where:

    • ENDPOINT is the URL for the region where the instance is available.
    • SYSDIG_API_TOKEN is the API token that you obtained in step 1.
    • ACCESS_KEY is the access key that you want to disable.
    • GUID is the GUID of the instance that is associated with the access key.

    After you disable the access key, agents that are connected with the access key are immediately blocked from sending metrics to this Workload Protection instance.

    For example:

    curl -X POST -H 'Authorization: Bearer xxxxxxx' -H 'IBMInstanceID: 12345678-1234-1234-1234-123456789012' https://us-east.security-compliance-secure.cloud.ibm.com/api/customer/accessKeys/b302311f-aa1c-4930-8726-59fb4ba0fe84/disable
    

    The output provides the disabled access key in the response:

    {
        "customerAccessKey": {
            "enabled": false,
            "accessKey": "12345678-1234-1234-1234-123456789012",
            "dateCreated": 1573852152224,
            "dateDisabled": 1683550789329,
            "limit": null,
            "reservation": null,
            "teamId": null
        }
    }
    

Enabling an access key by using the API

To enable an existing access key for an Workload Protection instance, complete the following steps:

  1. Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.

  2. Issue a curl POST request against the endpoint to enable the access key:

    curl -X POST -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY/enable
    

    Where:

    • ENDPOINT is the URL for the region where the instance is available.
    • SYSDIG_API_TOKEN is the API token that you obtained in step 1.
    • ACCESS_KEY is the access key that you want to enable.
    • GUID is the GUID of the instance that is associated with the access key.

After you enable the access key, you must manually restart the agents because an agent that connects with a disabled access key is terminated.

Viewing the available access keys by using the API

To view all of the access keys for an Workload Protection instance, complete the following steps:

  1. Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.

  2. Issue a curl GET request against the regional endpoint to view the access keys:

    curl -X GET -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys
    

    Where:

    • ENDPOINT is the URL for the region where the instance is available. For more information, see Endpoints.
    • SYSDIG_API_TOKEN is the API token that you obtained in step 1.
    • GUID is the GUID of the instance that is associated with the access key.

    The output provides a list of the access keys and whether they are enabled:

    {
        "customerAccessKeys": [
            {
                "enabled": true,
                "accessKey": "12345678-1234-1234-1234-123456789012",
                "dateCreated": 1541096409000,
                "dateDisabled": null,
                "limit": null,
                "reservation": null,
                "teamId": null
            },
            {
                "enabled": false,
                "accessKey": "87654321-1234-1234-1234-123456789012",
                "dateCreated": 1573849361000,
                "dateDisabled": 1573849367000,
                "limit": null,
                "reservation": null,
                "teamId": null
            }
        ]
    }
    

Deleting access keys by using the API

To delete an access key for an Workload Protection instance, complete the following steps:

  1. Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.

  2. Issue a curl DELETE request against the regional endpoint to delete the access key:

    curl -X DELETE -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY
    

    Where:

    • ENDPOINT is the URL for the region where the instance is available.
    • SYSDIG_API_TOKEN is the API token that you obtained in step 1.
    • GUID is the GUID of the instance that is associated with the access key.
    • ACCESS_KEY is the access key to be deleted. You can view a list of all access keys to obtain the access key values.