
Ingestion Keys

Secure, write‑focused credentials for streaming data into groundcover

Ingestion Keys let sensors, integrations and browsers send observability data to your groundcover backend. They are the counterpart of API Keys, which are optimized for reading data or automating dashboards and monitors.


Key types

  • Sensor* – Install the eBPF sensor on Kubernetes or Hosts/VMs

  • RUM – Send Real‑User‑Monitoring events using a JS snippet embedded in web pages

  • Third Party – Integrate 3rd-party data sources that push data (e.g. OpenTelemetry, AWS Firehose, FluentBit, etc.)

*Only the Sensor has limited read capability in order to support pulling remote configuration such as OTTL parsing rules applied from the UI. RUM and Third Party have write-only configurations.


Creating an Ingestion Key

Create a dedicated Ingestion Key for every data source. This lets each key be managed and rotated on its own, minimizes exposure and risk, and allows groundcover to identify the data source of all ingested data.

  1. Open Settings → Access → Ingestion Keys and click Create key.

  2. Give the key a clear, descriptive Name (for example k8s-prod‑eu‑central‑1).

  3. Select the Type that matches your integration.

  4. Click Click & Copy Key.

    1. Unlike API Keys, Ingestion Keys stay visible on the page. Treat every reveal as sensitive and follow the same secret‑handling practices.

  5. Store the Key securely, and continue to integrate your data source.


Using an Ingestion Key

Kubernetes sensor example

helm upgrade --install groundcover groundcover/groundcover \
  --set global.groundcover_token=<INGESTION_KEY>,clusterId={cluster-name}

OpenTelemetry integration (OTel/HTTP) example

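exporters:
  otlphttp/groundcover:
    # Use https so the key in the apikey header is not sent in cleartext
    endpoint: https://{GROUNDCOVER_MANAGED_OPENTELEMETRY_ENDPOINT}:443
    headers:
      apikey: "{INGESTION_KEY}"

# Pipelines belong under the collector's service section
# (receivers and processors omitted here)
service:
  pipelines:
    traces:
      exporters:
      - otlphttp/groundcover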

Viewing keys

The Ingestion Keys table lets you:

  • Reveal the key at any time.

  • See who created the key and when.

  • Sort by Type or Creator to locate specific credentials quickly.


Revoking a key

Click ⋮ → Revoke next to the key. Unlike revoking an API Key, which only disables it, revoking an Ingestion Key permanently deletes it:

  • The key will disappear from the list.

  • Any service using it will receive 403 / PERMISSION_DENIED and will no longer be able to send data or pull the latest configurations.

This operation cannot be undone — create a new key and update your deployments if you need access again.


Ingestion Keys vs. API Keys

|                           | Ingestion Key                            | API Key                               |
|---------------------------|------------------------------------------|---------------------------------------|
| Primary purpose           | Write data (ingest)                      | Read data / manage resources via REST |
| Permissions capabilities  | Write‑only + optional remote‑config read | Mirrors service‑account RBAC          |
| Visibility after creation | Always revealable                        | Shown once only                       |
| Typical lifetime          | Tied to integration lifecycle            | Rotated for CI/CD automations         |
| Revocation effect         | Data stops flowing immediately           | API calls fail                        |


Best Practices

  • One key per integration – simplifies rotation and limits blast radius.

  • Store securely – AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, Kubernetes Secrets.

  • Rotate regularly – create a new key, roll it out, then revoke the old one.

  • Monitor for 403 errors – a spike usually means a revoked or expired key.
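
One way to act on the "Monitor for 403 errors" practice, as an added example that is not groundcover's own code: a sliding-window check that flags any data source with repeated 403 / PERMISSION_DENIED responses. The log format, the source names and the function `find_denied_spikes` are assumptions made for illustration; with one key per integration, each flagged source points at a single Ingestion Key to check.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real groundcover or collector output).
# Assumed format: ISO timestamp, source=<integration name>, status=<code>.
SAMPLE_LOG = """\
2025-05-01T10:00:05Z source=otel-prod-eu status=200
2025-05-01T10:00:35Z source=otel-prod-eu status=200
2025-05-01T10:00:40Z source=fluentbit-staging status=200
2025-05-01T10:01:05Z source=otel-prod-eu status=403
2025-05-01T10:01:20Z source=otel-prod-eu status=PERMISSION_DENIED
2025-05-01T10:01:35Z source=otel-prod-eu status=403
2025-05-01T10:01:40Z source=fluentbit-staging status=200
2025-05-01T10:02:10Z source=fluentbit-staging status=403
"""

LINE_RE = re.compile(r"^(\S+)\s+source=(\S+)\s+status=(\S+)$")
# The two forms the page says a service sees once its key is revoked.
DENIED = {"403", "PERMISSION_DENIED"}


def find_denied_spikes(log_text, window=timedelta(minutes=1), threshold=3):
    """Return {source: start of first spike} for every source that has at
    least `threshold` denied responses inside one sliding `window`."""
    denied_times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, source, status = m.groups()
        if status in DENIED:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            denied_times[source].append(when)

    spikes = {}
    for source, times in denied_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than window
                start += 1
            if end - start + 1 >= threshold:
                spikes[source] = times[start].isoformat()
                break
    return spikes


if __name__ == "__main__":
    for source, since in find_denied_spikes(SAMPLE_LOG).items():
        print(f"{source}: repeated denials since {since}; check its key")
```

A single 403 from `fluentbit-staging` stays below the threshold, while three denials within a minute from `otel-prod-eu` are reported with the time the failures began, which can be compared with when a key was revoked.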

