Today, Vantage is launching the ability to create API service tokens for authenticating with the Vantage API. Users with owner-level permissions can now create API service tokens associated with an account, versus being associated with a specific user. These tokens ensure that any changes to specific users within your Vantage account will not disrupt automated workflows.
Previously, Vantage users were limited to only personal API tokens, which were associated with the user who created the token. When a token is attached to an individual, an organization has no way to control the permissions of the token without also modifying the permissions of the user it’s associated with. In addition, certain Vantage features, such as the Vantage Kubernetes agent, require a valid API access token, which was associated with only one user. This setup posed challenges related to personnel changes and SSO integrations.
Now, customers can create API service tokens for authenticating to the Vantage API. Similar to personal access tokens, these tokens can be scoped to read and write, but will not be tied to a specific user account. For Enterprise customers who use teams and role-based access control, tokens can also be attached to specific teams and will inherit the permissions from their associated team.
Vantage service tokens details page. For non-enterprise/non-RBAC users, the "Select a team" dropdown will not be displayed.
This feature is now available for Vantage users with Organization or Team Owner permissions. To get started, navigate to the API Access Tokens UI. In the Service Tokens section, enter a token name, select whether it should have Read and/or Write permissions, and click Create. For Enterprise users who want to create a service token that’s attached to a specific team, you can also navigate to the Teams UI and select the API Access Tokens tab. For more information about how to create API tokens, see the API documentation. For more information on teams and role-based access control, see the product documentation.
Frequently Asked Questions
1. What is being launched today?
Today, Vantage is launching the ability to create API service tokens. Users with owner-level permissions can now create tokens that are not associated with an individual user. In addition, Enterprise accounts can create API service tokens that are associated with individual teams.
2. Who is the customer?
The customer is a Vantage user with owner-level permissions who wants to create an API token for a process, like an automation, and not have that token tied to a specific user.
3. How much does this cost?
This feature is free to all users.
4. How do I create an API service token?
- Navigate to the API Access Tokens UI.
- In the Service Tokens section, enter a token name, select whether it should have read and/or write permissions, and click Create.
For Enterprise accounts that want to create an API service token for a team:
- Navigate to the API Access Tokens UI.
- In the Service Tokens section, enter a token name, select which team the token should inherit permissions from, select whether it should have read and/or write permissions, and click Create.
OR
- Navigate to the Teams UI.
- On the team’s details page, select the API Access Tokens tab.
- Enter a token name, select whether it should have read and/or write permissions, and click Create.
5. What permissions do I need to create an API service token?
Users with Organization or Team Owner permissions can create API service tokens. See the Role-Based Access Control documentation for details.
6. How many API service tokens can I create?
There is no limit to the number of tokens you can create.
7. How should I create a token for the Vantage Kubernetes agent specifically?
We recommend generating an API service token for use with the Vantage Kubernetes agent. For Enterprise accounts, we recommend generating an API service token for the Everyone team. The ability to limit specific API service token access to the Kubernetes agent endpoints is on our roadmap.
8. Do resources that are created using an API service token have a “Created By” value?
Yes. Resources such as Cost Reports or dashboards, that are created with an API service token will have the team that is attached to the API service token listed as their creator. For API service tokens without a particular team, the Everyone team will be displayed as the creator.
9. How can I verify which API service tokens are in active use?
Any API service token that’s active will have a value displayed in the Last Seen At column.
10. Which permissions do API service tokens attached to teams have?
API service tokens attached to a particular team will have the same RBAC permissions as a Team Owner on that team. These tokens can still be scoped to have read and/or write permissions for the resources they interact with.
11. Are service tokens compatible with the Vantage Terraform provider?
Yes, you can use a service token to power your Terraform integration with Vantage.
