Self-serve API Keys for authenticating services with Blameless
Looking to authenticate services and machines to Blameless while building out automation in your incident management response workflow? We’ve been listening.
Previously, this feature was available only by contacting one of our friendly CSMs. We are now happy to offer self-serve, on-demand API key generation from the convenience of the Blameless UI.
Here's how to do it:
- In the sidebar of the Blameless UI, select Identity Management, and then select the Key Management tab.
- Select + Generate New Key.
- In the Enter a Name for the Key field, enter a memorable name for the new API key and then select Create.
- A new API key will be generated. Select Copy to copy the key to your clipboard, and then save the key in a secure location. When done, select Close.
- Note: This key will not be displayed again.
- Your new key appears in the key list table. You can have up to 10 active keys at a time.
After you have generated a Blameless API Key (long-lived), you can then exchange it for an API Token (short-lived) via a POST request to an API endpoint.
Background on Authentication
Blameless provides OAuth flows to authorize access to the Blameless API. The OAuth client credentials flow is used for machine-to-machine applications and allows the application to authenticate without involving an end user. Authentication tokens are passed in an auth header on each request to the API. All requests to the Blameless APIs require authentication.
The PagerDuty webhook fails to start an incident in Blameless when the PagerDuty user does not match a Blameless user
In PagerDuty, configurable webhooks can be triggered when an alert is created for a specific service, and can then automatically create an incident in Blameless. Previously, if Blameless was unable to match the email address of either a) the creator of the PagerDuty alert or b) any on-call users defined in PagerDuty for the specific service, incidents were not started.
Now, an incident will start when a PagerDuty webhook request is received, even if Blameless is unable to match the email address of a PagerDuty user (creator or on-call users) to a Blameless user. In this case, Blameless does not automatically set a Blameless user as the creator of the incident, but incidents are still started, as specifying the name of the creator of a Blameless incident is optional.