Managing access keys
An access key is a token that you must use to configure agents to successfully forward data to your Workload Protection instance in IBM Cloud.
Managing access keys by using the console
You can view, create, disable, enable, and delete access keys for a Workload Protection instance by using the IBM Cloud console.
To manage access keys by using the console, complete the following steps:
- In the IBM Cloud console, click the Navigation Menu icon
> Security > Compliance.
- Click the name of your Workload Protection instance.
- From the Actions menu, select Manage key.
- Click your dashboard to view, create, disable, enable, or delete access keys.
You can also hide the access key from non-administrators. For more information, go to Non-admin users.
Getting the access key by using the CLI
To get the access key for a Workload Protection instance by using the CLI, complete the following steps:
-
Log in to the region that contains your Workload Protection instance by running the
ibmcloud logincommand:ibmcloud login -
Set the resource group where the instance is running by running the
ibmcloud targetcommand:ibmcloud target -g <resource_group>Where
<resource_group>is the name of the resource group. By default, thedefaultresource group is set. -
Get the instance name by running the
ibmcloud resource service-instancescommand:ibmcloud resource service-instances -
Get the name of the API key that is associated with the instance by running the
ibmcloud resource service-keyscommand:ibmcloud resource service-keys --instance-name <instance_name> --output JSONWhere
<instance_name>is the name of the instance that you obtained in the previous step.The output from this command includes the
Sysdig Access Keyfield that contains the access key for the instance.
You can also create, delete, enable, or disable access keys by using the API or the console. To see the steps, switch to the API instructions, or go to Managing access keys by using the console.
Getting the access key by using the API
You can get the access key by using the CLI or the console. To see the steps, switch to the CLI or UI instructions. You can also use the API to retrieve all available access keys. For more information, see Viewing the available access keys by using the API.
Creating an access key by using the API
If the access key is compromised or you have a policy to renew it after a number of days, you can generate a new access key and disable the old one.
To create a new access key for an Workload Protection instance, complete the following steps:
-
Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.
-
Issue a curl POST request against the endpoint to generate a new access key:
curl -X POST -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeysWhere:
ENDPOINTis the URL for the region where the instance is available. For more information, see Endpoints.SYSDIG_API_TOKENis the API token that you obtained in step 1.GUIDis the GUID of the instance that is associated with the access key.
For example:
curl -X POST -H 'Authorization: Bearer xxxxxxx' -H 'IBMInstanceID: 12345678-1234-1234-1234-123456789012' https://us-east.security-compliance-secure.cloud.ibm.com/api/customer/accessKeysThe output provides the generated access key in the response:
{ "customerAccessKey": { "enabled": true, "accessKey": "12345678-1234-1234-1234-123456789012", "dateCreated": 1573852152224, "dateDisabled": null, "limit": null, "reservation": null, "teamId": null } }You can now use the access key to configure agents.
Disabling an access key by using the API
To disable an existing access key for an Workload Protection instance, complete the following steps:
-
Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.
-
Issue a curl POST request against the endpoint to disable the access key:
curl -X POST -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY/disableWhere:
ENDPOINTis the URL for the region where the instance is available.SYSDIG_API_TOKENis the API token that you obtained in step 1.ACCESS_KEYis the access key that you want to disable.GUIDis the GUID of the instance that is associated with the access key.
After you disable the access key, agents that are connected with the access key are immediately blocked from sending metrics to this Workload Protection instance.
For example:
curl -X POST -H 'Authorization: Bearer xxxxxxx' -H 'IBMInstanceID: 12345678-1234-1234-1234-123456789012' https://us-east.security-compliance-secure.cloud.ibm.com/api/customer/accessKeys/b302311f-aa1c-4930-8726-59fb4ba0fe84/disableThe output provides the disabled access key in the response:
{ "customerAccessKey": { "enabled": false, "accessKey": "12345678-1234-1234-1234-123456789012", "dateCreated": 1573852152224, "dateDisabled": 1683550789329, "limit": null, "reservation": null, "teamId": null } }
Enabling an access key by using the API
To enable an existing access key for an Workload Protection instance, complete the following steps:
-
Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.
-
Issue a curl POST request against the endpoint to enable the access key:
curl -X POST -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEY/enableWhere:
ENDPOINTis the URL for the region where the instance is available.SYSDIG_API_TOKENis the API token that you obtained in step 1.ACCESS_KEYis the access key that you want to enable.GUIDis the GUID of the instance that is associated with the access key.
After you enable the access key, you must manually restart the agents because an agent that connects with a disabled access key is terminated.
Viewing the available access keys by using the API
To view all of the access keys for an Workload Protection instance, complete the following steps:
-
Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.
-
Issue a curl GET request against the regional endpoint to view the access keys:
curl -X GET -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeysWhere:
ENDPOINTis the URL for the region where the instance is available. For more information, see Endpoints.SYSDIG_API_TOKENis the API token that you obtained in step 1.GUIDis the GUID of the instance that is associated with the access key.
The output provides a list of the access keys and whether they are enabled:
{ "customerAccessKeys": [ { "enabled": true, "accessKey": "12345678-1234-1234-1234-123456789012", "dateCreated": 1541096409000, "dateDisabled": null, "limit": null, "reservation": null, "teamId": null }, { "enabled": false, "accessKey": "87654321-1234-1234-1234-123456789012", "dateCreated": 1573849361000, "dateDisabled": 1573849367000, "limit": null, "reservation": null, "teamId": null } ] }
Deleting access keys by using the API
To delete an access key for an Workload Protection instance, complete the following steps:
-
Copy the API token from the Workload Protection UI. For more information, see Retrieve the Sysdig API token.
-
Issue a curl
DELETErequest against the regional endpoint to delete the access key:curl -X DELETE -H 'Authorization: Bearer SYSDIG_API_TOKEN' -H 'IBMInstanceID: GUID' https://ENDPOINT/api/customer/accessKeys/ACCESS_KEYWhere:
ENDPOINTis the URL for the region where the instance is available.SYSDIG_API_TOKENis the API token that you obtained in step 1.GUIDis the GUID of the instance that is associated with the access key.ACCESS_KEYis the access key to be deleted. You can view a list of all access keys to obtain the access key values.