API Keys (deprecated)
An API key was used to authenticate against SUSE® Observability for sending telemetry data to SUSE® Observability. In a Helm agent install, this was done by setting the stackstate.apiKey helm variable.
API Keys, and Ingestion API keys, are deprecated and will be removed in Q4 of 2026. Service tokens are now the preferred authentication mechanism, also for sending telemetry data.
The flow for adding new clusters to SUSE® Observability in StackPack install flow includes the creation of a cluster specific token that is compatible with the RBAC Agent for Rancher RBAC.
Migrating from API key to service token
There are 2 options to migrate from using the single API Key to using Service Tokens for telemetry data.
-
Migrate to a Service Token per cluster. This is a bit more work to set up but it supports Rancher RBAC.
-
Migrate to a single Service Token that you use from all Kubernetes clusters and OTel collectors. This does not support Rancher RBAC.
After migrating all agents and Open Telemetry collectors to service tokens you can now remove the global.receiverApiKey or stackstate.apiKey from the Helm values for installing SUSE® Observability and run a helm upgrade to apply the changes.
Migrate to a service token per cluster
-
Open the Kubernetes Stackpack in the UI
-
Expand the cluster you are migrating
-
Click the "Create new service token" button to get the cluster specific service token and copy the token
-
Follow the agent installation/upgrade instructions in the stackpack to re-deploy the agent to the cluster with the service token as the API key.
Instead of using the UI you can also generate the token with the CLI as documented here. Make sure to also assign the update-scoped-permissions scoped to the cluster you are migrating. The other steps remain the same as for the UI.
Migrate to a single service token
Generate a service token with the CLI as documented here.:
> sts rbac create-subject --subject my-agent
✅ Created subject 'my-agent'
> sts rbac grant --subject my-agent --permission update-metrics
✅ Granted permission 'update-metrics' on 'system' to subject 'my-agent'
PERMISSION | RESOURCE
update-metrics | systemDon’t add a update-scoped-permissions permission, that will not work for a token that is used from multiple clusters.
Now re-deploy your agents and Open Telemetry collectors by following the instructions available in the UI for the Kubernetes StackPack and the Open Telemetry collector documentation. Use the generated Service Token as the API key by following.
Migrate from Ingestion API Keys
Ingestion API Keys were used by external tools to ingest data (such as metrics, events and traces) to the SUSE Observability cluster. These tools include the STS Agent or/and OTel Collector. Service tokens have the same, and more, capabilities. Follow the same steps as for the API key (in the previous setion) to migrate to a service token per cluster or a single service token.