Frontdoor API: Overview of API keys and FAQ

Application Programming Interface (API) keys are a way to authenticate with Apptio service APIs. Using API keys for authentication is more secure than using a user name and password. API keys allow Frontdoor to generate a temporary token (apptio-opentoken). This apptio-opentoken, when passed as a header in API calls, authenticates and authorizes requests executed against an Apptio application.

An API key contains a key pair consisting of a public key and a secret key; together they are the credentials used to authenticate. Creating an API key generates its first key pair, and you can add or delete key pairs up to a maximum of two per API key. API keys provide the following benefits:

  • Security - API keys are randomly generated and are long character strings (Apptio’s API keys are 60 characters long). The resulting high entropy makes them difficult for attackers to guess.
  • Independence - In programmatic calls, using an API key keeps the master account (that is, the parent user account) credentials from being exposed to other users in the system (such as co-workers).
  • Limited exposure - The secret key is exposed to the user only during the creation of an API key. The user is instructed to securely store the secret key. If the secret key is lost or compromised, a new key can be created.
  • Granular access control - API keys can be assigned a subset of the parent user account roles. This helps to limit the impact in case an API key is compromised.
  • Key rotation - The ability to have two active key pairs allows users to rotate the key pairs without breaking any automation or programmatic access.
  • Traceability - API keys are always linked to a parent user account and provide the same level of traceability that a normal interactive session provides.
  • Management - Parent account owners and TBMAs can manage API keys.

Create and manage Frontdoor API keys

Frontdoor API keys are programmed with robust identity control and access management features. For example, an administrator or user can create a custom role with very limited permissions and assign it, then an API key can be created for the user only granting access to this custom role. This confines the API key to only those permissions assigned to the custom role.

Create an API key

  1. In the Settings (gear icon) menu, click Access Administration. The Frontdoor Access Administration console appears.
  2. On the Access Administration page, click Users.
  3. In the Actions column for the user, click Edit.
  4. Under API Keys, click Create API Key.
  5. Type a Key Name (for example, Key1) and Description.
  6. Select an expiration policy and click Add.
    TIP: For an explanation of the expiration policy, see the FAQ question "What is the expiration policy for an API key?" below.
  7. Note the Public Key. Click Show to display the Secret key. You can only view the secret key while creating the API key. You will need this key during programmatic authentication. Save the Secret key in a safe location.
  8. Select an option:
    • Skip Grant Access - Return to the Users page and grant API key access to environments at a later time. 
    • Grant Access - Select environments for which the user has already been assigned roles, then click Continue. Select roles for the API key, click Next, then click Grant Access.

Manage API keys

  1. On the Access Administration menu bar, click Users.
  2. In the Actions column for the user, click Edit.
  3. In the API Keys section, select from one of the following options:
    • Show Key Pairs - Display or hide the public keys and expiration dates.
    • View - Display and manage the API key details (create a new key pair, delete key pairs, delete or disable a key).
    • Grant Access - Select environments for which the user has already been assigned roles, then click Continue. Select roles for the API key, click Next, then click Grant Access.
    • Revoke Access - Revoke or change roles assigned to the API key.
    • Disable - Disable a key.

Edit roles assigned to API keys

  1. On the Access Administration menu bar, click Users.
  2. In the Actions column for the user, click Edit.
  3. In the Manage User Environments section, select from one of the following options:
    • Change Roles - Change the roles assigned to an API key. See Manage user permissions and roles for additional information. (For security reasons, this link requires TBM credentials).
    • Revoke Access - Revoke or change roles assigned to the API key.

Use API keys

To use the API keys in your scripts and programs, see:

API key FAQ

When using a service account to programmatically call Apptio APIs, am I required to change my scripts and programs to use API keys?

For better security, traceability, and manageability of your programs and scripts, it is recommended that you use API keys in place of a service account.

 

Who can create an API key?

Any Frontdoor user can create a key pair for their account that can be used for identification and authentication. Additionally, TBMAs can create and manage API keys for users in their authentication domain.

 

What is the expiration policy for an API key?

API keys can be set to expire with one of the following two options:

  • No Expiration - Valid while the user account is active in the system or until the API key is explicitly removed or disabled.
  • 90 Days - Auto expires 90 days from the date of creation unless the user is disabled prior to that, or the API key is explicitly removed or disabled.

 

Can I rotate my API keys?

Multiple API keys can be generated under a single user account. The parent user or an administrator can enable, disable, or remove API keys attached to an account.

Each API key can have two key pairs. This allows users to update scripts and other periodic tasks with a new key pair for the same API key without any interruptions. After updating the scripts, unused or expired key pairs can be deleted.
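The flow described in the overview (exchange a public/secret key pair for a temporary apptio-opentoken, then send that token as a request header) and the two-key-pair rotation described in this answer can be put into one small client. The following is an added example, not Apptio's own code or documented client: the login URL, the JSON field names `keyAccess`/`keySecret`, the environment variable names, and the assumption that the token comes back in a response header are all this example's own choices and must be checked against the Frontdoor API documentation; only the header name apptio-opentoken comes from the page. The `fake_frontdoor` transport is a constructed stand-in so the flow can be exercised offline.

```python
import json
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence, Tuple
from urllib import error, request

# ASSUMPTION: the login URL and JSON field names below are placeholders;
# substitute the values from the Frontdoor API documentation.
LOGIN_URL = "https://frontdoor.example.invalid/service/apikeylogin"
# Header name for authenticated calls, as described on the page.
TOKEN_HEADER = "apptio-opentoken"


@dataclass(frozen=True)
class KeyPair:
    """One public/secret pair of an API key. The secret is only shown at
    creation time, so it is loaded from the environment, never hard-coded."""
    public_key: str
    secret_key: str

    def __repr__(self) -> str:  # keep the secret out of logs and tracebacks
        return f"KeyPair(public_key={self.public_key!r}, secret_key='***')"


# A transport performs one POST and returns (HTTP status, response headers).
Transport = Callable[[str, bytes, Mapping[str, str]], Tuple[int, Mapping[str, str]]]


def urllib_transport(url: str, body: bytes, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str]]:
    """Real HTTP transport using only the standard library."""
    req = request.Request(url, data=body, headers=dict(headers), method="POST")
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers.items())
    except error.HTTPError as exc:
        return exc.code, dict(exc.headers.items())


def build_login_request(pair: KeyPair) -> Tuple[bytes, dict]:
    """JSON body and headers for the key-pair login (field names are assumed)."""
    body = json.dumps({"keyAccess": pair.public_key, "keySecret": pair.secret_key}).encode()
    return body, {"Content-Type": "application/json"}


def login(pair: KeyPair, transport: Transport = urllib_transport) -> Optional[str]:
    """Exchange one key pair for a temporary apptio-opentoken; None on failure.
    ASSUMPTION: the token is returned in a response header of that name."""
    body, headers = build_login_request(pair)
    status, resp_headers = transport(LOGIN_URL, body, headers)
    if status != 200:
        return None
    lowered = {k.lower(): v for k, v in resp_headers.items()}  # header names are case-insensitive
    return lowered.get(TOKEN_HEADER)


def login_with_rotation(pairs: Sequence[KeyPair], transport: Transport = urllib_transport) -> Tuple[Optional[str], int]:
    """Try the key pairs in order; return (token, index of the pair that worked).
    During a rotation, list the new pair first and keep the old pair as a
    fallback until it is deleted, so automation never breaks mid-rotation."""
    for index, pair in enumerate(pairs):
        token = login(pair, transport)
        if token:
            return token, index
    return None, -1


def authed_headers(token: str) -> dict:
    """Headers for an API call authenticated with the temporary token."""
    return {TOKEN_HEADER: token, "Accept": "application/json"}


def pairs_from_env(env: Mapping[str, str] = os.environ) -> list:
    """Load up to two pairs from APPTIO_PUBLIC_KEY/APPTIO_SECRET_KEY and the
    _2 variants (variable names are this example's own convention)."""
    pairs = []
    for suffix in ("", "_2"):
        public = env.get("APPTIO_PUBLIC_KEY" + suffix)
        secret = env.get("APPTIO_SECRET_KEY" + suffix)
        if public and secret:
            pairs.append(KeyPair(public, secret))
    return pairs


def fake_frontdoor(valid_public_keys: set) -> Transport:
    """Constructed offline stand-in for the service: accepts only the listed
    public keys and answers with a token header."""
    def transport(url: str, body: bytes, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str]]:
        payload = json.loads(body)
        if payload["keyAccess"] in valid_public_keys:
            return 200, {"Apptio-Opentoken": "token-for-" + payload["keyAccess"]}
        return 401, {}
    return transport


if __name__ == "__main__":
    # Constructed scenario: the old pair was already deleted after a rotation,
    # so only the new pair is accepted; the script still authenticates.
    old, new = KeyPair("pub-old", "secret-old"), KeyPair("pub-new", "secret-new")
    token, used = login_with_rotation([new, old], fake_frontdoor({"pub-new"}))
    print(used, authed_headers(token))
```

In a real deployment, replace `fake_frontdoor(...)` with the default `urllib_transport`, populate the environment variables from a secrets store, and call `login_with_rotation(pairs_from_env())`. Once every script has been updated to the new pair, delete the old pair in Access Administration and drop the `_2` variables; the fallback order means nothing breaks if that cleanup happens before or after the script change.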

 

What environments are available to API keys?

API keys can be granted access to environments belonging to the same user account authentication domain.

 

Why can’t I grant API keys access to certain environments even when my user account has roles in that environment?

This can occur in the following scenarios:

  • The user's roles in the environment are granted by the Identity Provider (single sign-on (SSO)-granted roles). Roles cannot be revoked from a user while they are associated with an API key, but SSO-granted roles are not managed in Frontdoor and can change at any time. Therefore, API keys can’t be granted access to environments where the user's roles are granted by the Identity Provider (IdP).
  • The environment doesn’t belong to the same authentication domain as the user. A user can be granted access (assigned roles) to an environment in any authentication domain, but for security reasons programmatic access to environments outside the user’s authentication domain is prohibited.

 

What roles are assigned to my API keys?

An API key can be assigned one or more of its parent user's roles. Once a role is granted to an API key, that role can’t be revoked from the parent user account until it is revoked from the API key.
