Authentication overview
Last updated on
STACKIT Observability separates authentication into two paths: instance management (via the STACKIT Portal or CLI), and technical credentials that can be used in multiple Observability components — including data ingest, data querying, and accessing additional frontends.
Authentication Cases
Section titled “Authentication Cases”The table below explains each case, its purpose, and the recommended authentication method.
| Use Case | Purpose | Tool / Authentication Method |
|---|---|---|
| Service Management | Administering your Observability instance (e.g., creating or deleting technical credentials, modifying instance configurations). | STACKIT Portal or STACKIT CLI (authenticates natively via your user or service account session). |
| Data & Component Access | Pushing telemetry data, querying metrics/logs/traces, and accessing additional frontends. | Technical User Credentials generated within the instance dashboard (API > Credentials section) or via the API. |
Prerequisites
Section titled “Prerequisites”Before you can configure technical access or manage your service, ensure the following foundational conditions are met:
- You have a user account assigned with the necessary permissions.
- Your organization has an active customer account.
- You have created a project within your customer account.
- You are logged into the STACKIT Portal.
- You have provisioned an Observability service instance, and its status displays as Ready.
Use Case 1: Service Management
Section titled “Use Case 1: Service Management”To perform administrative tasks such as configuring your instance or managing API users, you can use the STACKIT Portal or the STACKIT CLI. While the Portal covers all standard tasks, the CLI provides more advanced configuration options. The CLI leverages your active session for seamless authentication against the Observability API.
We officially support and recommend using the STACKIT CLI for automated Observability API operations. This replaces legacy methods using manual token generation and raw HTTP client requests, significantly streamlining your authentication lifecycle.
For complete installation guidelines, configuration steps, and a comprehensive command reference, review the official STACKIT-CLI GitHub Repository.
Note: If you are using the CLI and need help finding your required instance identifiers, refer to our guide on Interacting with the Observability API
Use Case 2: Data & Component Access
Section titled “Use Case 2: Data & Component Access”For scenarios where external applications, users, or collectors need to interact with your specific Observability instance components, you must generate technical user credentials.
One Credential, Multiple Purposes
Section titled “One Credential, Multiple Purposes”The technical credentials generated in the portal are universal and serve as the authentication basis for three distinct scenarios:
- Data Ingest: Authenticating data agents (e.g., Prometheus, OpenTelemetry Collector) to push metrics, logs, and traces into your instance.
- Data Querying: Authenticating requests when querying metrics, logs, or traces (for example, when connecting Observability instances as cross-instance data sources).
- Additional Frontends: Logging into component-specific web user interfaces (e.g., Thanos UI, Prometheus UI, Alertmanager UI).
Obtaining Technical Credentials
Section titled “Obtaining Technical Credentials”You can retrieve or generate the required technical username and password using either the STACKIT Portal or the Observability API:
- Log in to the STACKIT Portal.
- Navigate to your Observability instance.
- Open the API tab on the left-hand navigation panel.
- Select Credentials from the sub-menu.
- Create a new technical user account or view the credentials of an existing one.
- Securely store the generated Username and Password, as you will need them for agent configuration.
For automated environments or direct integration, you can interact with the Observability API. The easiest way to do this is via the STACKIT-CLI.
If you prefer to perform raw HTTP client requests or need to inspect the API schemas, refer to the official STACKIT Observability API Specification.
Before executing CLI commands, ensure you are authenticated (for example, by running stackit auth login). If you need help locating your Project ID and Instance ID, refer to our guide on Interacting with the Observability API.
Create credentials
stackit observability credentials create --project-id <YOUR_PROJECT_ID> --instance-id <YOUR_INSTANCE_ID>List existing credentials
stackit observability credentials list --project-id <YOUR_PROJECT_ID> --instance-id <YOUR_INSTANCE_ID>Delete credentials
stackit observability credentials delete <USERNAME> --project-id <YOUR_PROJECT_ID> --instance-id <YOUR_INSTANCE_ID>Next Steps
Section titled “Next Steps”Once you have secured your technical credentials, return to your specific component guide (e.g., Log Pushing, Trace Pushing, or Frontend Access) to learn how to apply or format these credentials.