feat(account): add platform token management via Account Management API#342
feat(account): add platform token management via Account Management API#342christian-kreuzberger-dtx wants to merge 2 commits into
Conversation
Adds `dtctl account token` subcommands for listing, creating, and revoking Dynatrace platform tokens (dt0s16.*) via the Account Management API. Also introduces the account-plane authentication infrastructure needed to support this and future account-scoped operations. New commands: dtctl account login # PKCE browser OAuth for account plane dtctl account status # show stored token state and expiry dtctl account token list # list all platform tokens dtctl account token create # create a platform token dtctl account token revoke <id> # revoke a platform token by ID New files: sdk/api/platformtoken/ SDK handler (list/create/revoke) pkg/resources/platformtoken/ CLI wrapper pkg/auth/account_scopes.go account OAuth scopes per safety level pkg/client/account.go base URL helpers for account/IAM tiers pkg/client/account_discovery.go UUID auto-discovery via /iam/v1/access-info cmd/account.go parent command + subcommand registration cmd/account_login.go PKCE browser flow cmd/account_status.go token state display cmd/account_token.go create/list/revoke subcommands Account UUID is resolved from: --account-uuid flag > DTCTL_ACCOUNT_UUID > context account-uuid config field > auto-discovery via access-info API. Account token is stored in the system keyring (or file fallback) by `dtctl account login` and retrieved transparently by all account commands. Required OAuth scopes (must be present on the Heimdall client): account-idm-read, account-idm-write platform-token:tokens:manage, platform-token:tokens:write NOISSUE
Code reviewNice PR — the account-plane auth layer, SDK handler + CLI wrapper split, and the safety-check/dry-run plumbing all look solid, and it's well covered by unit, golden, and integration tests. A few issues worth addressing before merge. 1.
|
Summary
dtctl account login— browser-based PKCE OAuth for the account planedtctl account status— shows stored token state, expiry, and scopesdtctl account token list/create/revoke— full CRUD for platform tokens (dt0s16.*) via the Account Management APIThe account plane uses a different OAuth
resourceparameter (urn:dtaccount:{uuid}) and separate base URLs per tier, so a dedicated auth layer was added alongside the SDK handler and CLI wrapper.New commands
Required OAuth scopes on the Heimdall client
The following scopes must be present on
dt0s12.dtctl-*(tracked in AI-239):account-idm-readaccount-idm-writeplatform-token:tokens:manageplatform-token:tokens:writedt0s12.dtctl-devhas all four.dtctl-sprintanddtctl-prodpending AI-239.How to test (dev environment)
Prerequisites: a dtctl context pointing at a dev environment (e.g.
<environment-id>.dev.apps.dynatracelabs.com) and your account UUID.1. Build
2. Log in to the account plane
3. Verify token state
4. List existing platform tokens
5. Create a token
6. Verify it appears in the list
~/bin/dtctl account token list7. Revoke it
8. Dry-run (no API calls, no credentials needed)
9. Readonly safety check
🤖 Generated with Claude Code