feat: Document how to authenticate STACKIT Service Accounts using RFC7523 (#17645)

2026-05-05 20:36:13 +02:00 · 2025-12-16 22:50:51 +01:00 · 2025-12-16 22:50:51 +01:00 · cdc31d96f9
commit cdc31d96f9
parent 9ab52f9211
2 changed files with 44 additions and 7 deletions
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@ -2554,12 +2554,35 @@ project: <string>
 [ <http_config> ]
 ```

-A Service Account Token can be set through `http_config`.
+A [Service Account Key](https://docs.stackit.cloud/platform/access-and-identity/service-accounts/how-tos/manage-service-account-keys/) can be set through `http_config`. This can be done mapping values from STACKIT Service Account json into oauth2 configuration.
+
+From a given Service Account json
+```json
+{
+  //....
+  "credentials": {
+    "kid": "6a7c3b36-xxxxxxxx",
+    "iss": "xxxx@sa.stackit.cloud",
+    "sub": "af2c2336-xxxxxxxx",
+    "aud": "https://stackit-service-account-prod.apps.01.cf.eu01.stackit.cloud",
+    "privateKey": "-----BEGIN PRIVATE KEY-----xxxx"
+  }
+}
+```
+
+properties can be mapped as:

 ```yaml
 stackit_sd_config:
- authorization:
-    credentials: <token>
+- oauth2:
+    client_id: <credentials.sub>
+    client_certificate_key: <credentials.privateKey>
+    client_certificate_key_id: <credentials.kid>
+    iss: <credentials.iss>
+    audience: <credentials.aud>
+    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer"
+    token_url: "https://service-account.api.stackit.cloud/token"
+    signature_algorithm: RS512
 ```

 ### `<triton_sd_config>`
--- a/documentation/examples/prometheus-stackit.yml
+++ b/documentation/examples/prometheus-stackit.yml
@ -12,8 +12,15 @@ scrape_configs:

    stackit_sd_configs:
      - project: 11111111-1111-1111-1111-111111111111
-        authorization:
-          credentials: "<replace with a STACKIT ServiceAccount Token>"
+        oauth2:
+          client_id: <credentials.sub>
+          client_certificate_key: <credentials.privateKey>
+          client_certificate_key_id: <credentials.kid>
+          iss: <credentials.iss>
+          audience: <credentials.aud>
+          grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer"
+          token_url: "https://service-account.api.stackit.cloud/token"
+          signature_algorithm: RS512
    relabel_configs:
      # Use the public IPv4 and port 9100 to scrape the target.
      - source_labels: [__meta_stackit_public_ipv4]
@ -25,8 +32,15 @@ scrape_configs:

    stackit_sd_configs:
      - project: 11111111-1111-1111-1111-111111111111
-        authorization:
-          credentials: "<replace with a STACKIT ServiceAccount Token>"
+        oauth2:
+          client_id: <credentials.sub>
+          client_certificate_key: <credentials.privateKey>
+          client_certificate_key_id: <credentials.kid>
+          iss: <credentials.iss>
+          audience: <credentials.aud>
+          grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer"
+          token_url: "https://service-account.api.stackit.cloud/token"
+          signature_algorithm: RS512
    relabel_configs:
      # Use the private IPv4 within the STACKIT Subnet and port 9100 to scrape the target.
      - source_labels: [__meta_stackit_private_ipv4_mynet]