Manage Service Accounts in Tanzu Observability on VMware Cloud Services

Learn how you can create and manage service accounts.

Note: Starting July 3, 2023, VMware Tanzu Observability (formerly known as VMware Aria Operations for Applications) is a service on the VMware Cloud services platform. The content in this chapter is valid for VMware Cloud services subscriptions. For original subscriptions, see Manage Service Accounts.

Warning: The usage of service accounts in Tanzu Observability on VMware Cloud services is restricted to support only a limited list of integrations that still authenticate with Tanzu Observability API tokens. We are in the process of updating all of our integrations to authenticate with VMware Cloud services access tokens. Service accounts and Tanzu Observability API tokens will be deprecated in the future.

If your service was recently onboarded to VMware Cloud services, you might have some legacy service accounts for backward compatibility. It’s strongly recommended that you incrementally switch to using server to server OAuth apps which authenticate with more secure VMware Cloud services access tokens. See How to Replace a Service Account with a Server to Server App?.

What Are Service Accounts?

A service account uses an Tanzu Observability API token to authenticate.
By default, service accounts don’t have any permissions, even view permissions. Users with the Admin service role must explicitly grant each service account only the permission required for the task that’s being automated (least required privilege). There’s no limit on the number of service accounts that you can create in your service instance.

As a user with the Admin service role, you generate (and revoke, if needed) the API tokens for the service account. It’s also possible to deactivate a service account completely.

Note: Tanzu Observability includes the Service Accounts internal system group, where all service accounts together with the server to server apps that have access to the service are added automatically. This group doesn’t have any roles and permissions. This group can be used when managing access to dashboards and alerts, metrics security policy rules, and ingestion policies.

How Service Accounts Work

If you plan to set up an integration that uses a proxy authentication with a Tanzu Observability API token, you must create a service account with the Proxies permission and generate an API token for it.

Create a service account from the UI. The service account name must be unique.
Assign the service account with the Proxies permission.
Set up the proxy in your integration to pass the API token of the service account.

The proxy authenticates seamlessly to the API without embedding secret keys or user credentials in your instance, image, or application code.

You can disable a service account if you temporarily don’t need it, or you can delete the service account permanently.

Create a Service Account

Service accounts are created in Tanzu Observability.

Log in to your service instance as a user with the Admin service role.
From the gear icon on the toolbar, select Accounts.
Click the Service Accounts tab and click Create New Account.
On the New Service Account page, specify the account details and click Create.

Field	Description
Account ID	ID of the account. We prefix this ID with sa::. A service account name must be unique. Tanzu Observability converts a service account ID to lower case to avoid confusion that can result from almost identical account names (e.g. Service-1 and service-1). Users can type upper case or lower case.
Tokens	List of API tokens that the service account can use to authenticate to the Tanzu Observability service instance. Click the Edit icon to change the token name. Click Revoke to revoke a token. Any service account that uses the token can no longer authenticate to the service instance. Click Generate to generate additional tokens. Having multiple active tokens makes it possible to revoke some tokens. For example, if the service connects to several proxies, you can generate a token to connect to each proxy. You can revoke the token for one proxy but leave the others. You can have up to 20 API tokens per service account at any given time. Click the Copy to Clipboard icon to copy the token for pasting.
Permissions	Individual permissions assigned to this service account. Assign the service account with the Proxies permission, so that you can use it for the proxy setup of an integration that authenticates with a Tanzu Observability API token.

Deactivate or Activate a Service Account

You can temporarily (or permanently) deactivate a service account. When an account is deactivated, none of the corresponding tokens work.

You can activate or deactivate a service account from the Service Accounts page or from the Edit Service Account page.

To activate or deactivate an account from the Service Accounts page: Click the ellipsis icon in front of the service account. Select Activate or Deactivate.
To activate or deactivate an account from the Edit Service Account page: Click the service account name to open the Edit Service Account page. Use the toggle to activate or deactivate the account.

Grant or Revoke Permissions

You can grant permissions to a service account when you create the account or add permissions later from the Service Accounts page or from the Edit Service Account page.

The following example shows two ways of explicitly granting or revoking permissions for service accounts.

To grant or revoke permissions from the Service Accounts page: Select one or more service accounts. Click +Permissions or -Permissions and select the permission to add or remove.
To grant or revoke permissions from the Edit Service Account page: Click the service account name to open the Edit Service Account page. Select the permissions that you want to grant or revoke.