Skip to content

Commit

Permalink
Merge branch 'current' into update-ide-imgs
Browse files Browse the repository at this point in the history
  • Loading branch information
mirnawong1 authored Oct 25, 2024
2 parents 62ec3e4 + fe5fe97 commit 8759087
Show file tree
Hide file tree
Showing 16 changed files with 54 additions and 127 deletions.
26 changes: 14 additions & 12 deletions styles/custom/UIElements.yml
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
# styles/custom/BoldUIElements.yml
extends: existence
message: "UI elements like '%s' should be bold."
level: warning
tokens:
# Match UI elements that are not bolded (i.e., not within **), but exclude those starting a sentence or following a list number
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bSave\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bSave as\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bCancel\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bSubmit\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bEdit\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bAccount settings\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bProject details\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bProfile settings\b'
- '(?<!^)(?<![.!?]\s)(?<!\d\.\s)\bPersonal profile\b'
# Match UI elements that are not bolded (i.e., not within **)
- '(?<!\*\*)\bSave\b(?!\*\*)'
- '(?<!\*\*)\bSave as\b(?!\*\*)'
- '(?<!\*\*)\bCancel\b(?!\*\*)'
- '(?<!\*\*)\bSubmit\b(?!\*\*)'
- '(?<!\*\*)\bEdit\b(?!\*\*)'
- '(?<!\*\*)\bAccount settings\b(?!\*\*)'
- '(?<!\*\*)\bProject details\b(?!\*\*)'
- '(?<!\*\*)\bProfile settings\b(?!\*\*)'
- '(?<!\*\*)\bPersonal profile\b(?!\*\*)'
- '(?<!\*\*)\bIntegrations\b(?!\*\*)'
- '(?<!\*\*)\bNotification settings\b(?!\*\*)'

scope: raw # Ensure the rule is applied before formatting
scope:
- raw
2 changes: 1 addition & 1 deletion website/docs/docs/dbt-cloud-apis/apis-overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,4 @@ If you want to learn more about webhooks, refer to [Webhooks for your jobs](/doc

## How to Access the APIs

dbt Cloud supports two types of API Tokens: [user tokens](/docs/dbt-cloud-apis/user-tokens) and [service account tokens](/docs/dbt-cloud-apis/service-tokens). Requests to the dbt Cloud APIs can be authorized using these tokens.
dbt Cloud supports two types of API Tokens: [personal access tokens](/docs/dbt-cloud-apis/user-tokens) and [service account tokens](/docs/dbt-cloud-apis/service-tokens). Requests to the dbt Cloud APIs can be authorized using these tokens.
8 changes: 3 additions & 5 deletions website/docs/docs/dbt-cloud-apis/authentication.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ pagination_prev: null
<div className="grid--2-col">

<Card
title="User tokens"
title="Personal access tokens"
body="Learn about user tokens and how to use them to execute queries against the dbt Cloud API."
link="/docs/dbt-cloud-apis/user-tokens"
icon="dbt-bit"/>
Expand All @@ -23,17 +23,15 @@ pagination_prev: null

## Types of API access tokens

**User API keys (Legacy):** User API keys were historically the only method available to access dbt Cloud APIs on the user’s behalf. They are scoped to the user and not the account. User API Keys will eventually be deprecated for the more secure personal access tokens.

**Personal access tokens (New):** Personal access tokens (PATs) are the new, preferred, and secure way of accessing dbt Cloud APIs on behalf of a user. They are more secure than user API Keys. PATs are scoped to an account and can be enhanced with more granularity and control.
**Personal access tokens:** Preferred and secure way of accessing dbt Cloud APIs on behalf of a user. PATs are scoped to an account and can be enhanced with more granularity and control.

**Service tokens:** Service tokens are similar to service accounts and are the preferred method to enable access on behalf of the dbt Cloud account.

### Which token type should you use

You should use service tokens broadly for any production workflow where you need a service account. You should use PATs only for developmental workflows _or_ dbt Cloud client workflows that require user context. The following examples show you when to use a personal access token (PAT) or a service token:

* **Connecting a partner integration to dbt Cloud** &mdash; Some examples include the [dbt Semantic Layer Google Sheets integration](/docs/cloud-integrations/avail-sl-integrations), Hightouch, Datafold, a custom app you’ve created, etc. These types of integrations should use a service token instead of a PAT because service tokens give you visibility, and you can scope them to only what the integration needs and ensure the least privilege. We highly recommend switching to a service token if you’re using a user API key for these integrations today.
* **Connecting a partner integration to dbt Cloud** &mdash; Some examples include the [dbt Semantic Layer Google Sheets integration](/docs/cloud-integrations/avail-sl-integrations), Hightouch, Datafold, a custom app you’ve created, etc. These types of integrations should use a service token instead of a PAT because service tokens give you visibility, and you can scope them to only what the integration needs and ensure the least privilege. We highly recommend switching to a service token if you’re using a personal acess token for these integrations today.
* **Production Terraform** &mdash; Use a service token since this is a production workflow and is acting as a service account and not a user account.
* **Cloud CLI** &mdash; Use a PAT since the dbt Cloud CLI works within the context of a user (the user is making the requests and has to operate within the context of their user account).
* **Testing a custom script and staging Terraform or Postman** &mdash; We recommend using a PAT as this is a developmental workflow and is scoped to the user making the changes. When you push this script or Terraform into production, use a service token instead.
2 changes: 1 addition & 1 deletion website/docs/docs/dbt-cloud-apis/service-tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ If you have service tokens created on or before July 18, 2023, please read [this

:::

Service account tokens enable you to securely authenticate with the dbt Cloud API by assigning each token a narrow set of permissions that more precisely manages access to the API. While similar to [User API tokens](user-tokens), service account tokens belong to an account rather than a user.
Service account tokens enable you to securely authenticate with the dbt Cloud API by assigning each token a narrow set of permissions that more precisely manages access to the API. While similar to [personal access tokens](user-tokens), service account tokens belong to an account rather than a user.

You can use service account tokens for system-level integrations that do not run on behalf of any one user. Assign any permission sets available in dbt Cloud to your service account token, which can vary slightly depending on your plan:

Expand Down
55 changes: 21 additions & 34 deletions website/docs/docs/dbt-cloud-apis/user-tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,36 +4,39 @@ id: "user-tokens"
pagination_next: "docs/dbt-cloud-apis/service-tokens"
---

# User tokens <Lifecycle status="team,enterprise"/>
# Account-scoped personal access tokens <Lifecycle status="team,enterprise"/>

:::note Announcement
:::Warning

_User tokens will be deprecated on October 22nd, 2024._

The [user API tokens](/docs/dbt-cloud-apis/user-tokens#user-api-tokens) are being replaced by [account-scoped personal access tokens(PATs)](#account-scoped-personal-access-tokens). If you do not rotate your existing user tokens with PATs by October 22nd, the services using the tokens will encounter errors.
User API tokens have been deprecated and will no longer work. [Migrate](#migrate-from-user-api-keys-to-personal-access-tokens) to personal access tokens to resume services.

:::

Cloud CLI config files need to be re-downloaded before October 22nd, 2024.
Each dbt Cloud user with a [Developer license](https://docs.getdbt.com/docs/cloud/manage-access/seats-and-users) can create a new personal access token (PAT) to access the dbt Cloud API and dbt Cloud CLI. This token can execute queries against the dbt Cloud API on the user's behalf. To access dbt Cloud APIs and resources on behalf of the _account_, we recommend using service tokens instead. Learn more about [which token type you should use](/docs/dbt-cloud-apis/authentication#which-token-type-should-you-use) to understand the token differences.

The current API key is located under **Personal Settings → API Key.**
PATs inherit the permissions of the user that created them. For example, if a developer-licensed user with Project Admin role access to specific projects creates a PAT, the token will get the Project Admin role with access to the same projects as the user. These tokens are also account-specific, so if a user has access to more than one dbt Cloud account with the same email address, they need to create a unique PAT for each one of these accounts.

Please [contact support](/docs/dbt-support#dbt-cloud-support) with any questions or concerns.
## Create a personal access token

:::
Creating an account-scoped personal access token (PAT) requires only a few steps.
1. Navigate to your **Account Settings**, expand **API tokens** and click **Personal tokens**.
2. Click **Create personal access token**.
3. Give the token a descriptive name and click **Save**.

## Account-scoped personal access tokens
4. Copy the token before closing the window. _It will not be available after, and you will have to create a new token if you lose it._

:::info New

On Feb 7, 2024, we introduced a new type of token for individual users called personal access tokens. Note that these differ from [Service Tokens or API Keys](/docs/dbt-cloud-apis/authentication#types-of-api-access-tokens). Before this release, user API keys were the only way to access dbt Cloud API on behalf of the user. These API Keys were user-specific and were not scoped to an account. To enhance the security of dbt Cloud, we are moving away from this model to account-specific tokens.
To maintain best security practices, it's recommended that you regularly rotate your PATs. To do so, create a new token and delete the old one once it's in place.

:::
## Delete a personal access token

Each dbt Cloud user with a [Developer license](https://docs.getdbt.com/docs/cloud/manage-access/seats-and-users) can create a new personal access token (PAT) to access the dbt Cloud API and dbt Cloud CLI. This token can execute queries against the dbt Cloud API on the user's behalf. To access dbt Cloud APIs and resources on behalf of the _account_, we recommend using service Tokens instead. Learn more about [which token type you should use](/docs/dbt-cloud-apis/authentication#which-token-type-should-you-use) to understand the token differences.
To permanently delete a PAT:

PATs inherit the permissions of the user that created them. For example, if a developer-licensed user with Project Admin role access to specific projects creates a PAT, the token will get the Project Admin role with access to the same projects as the user. These tokens are also account-specific, so if a user has access to more than one dbt Cloud account with the same email address, they need to create a unique PAT for each one of these accounts.
1. Navigate to your **Account Settings**, expand **API tokens** and click **Personal tokens**.
2. Find the token you want to delete and click "X" to the right of the token description fields.
3. **Confirm delete** and the token will no longer be valid.

### Migrate from user API keys to personal access tokens
## Migrate deprecated user API keys to personal access tokens

The migration to PATs is critical if you are using user API keys today. The current API key is located under **Personal Settings → API Key**.

Expand All @@ -55,28 +58,12 @@ If you’re using any undocumented and unsupported API endpoints, please note th

:::

### Using the new personal access tokens
### Using the personal access tokens

Are you using a user API key today to access dbt Cloud APIs in any of your workflows? If not, you don’t have any action to take. If you are using a user API key, please follow the instructions below.

1. Make a list of all the places where you’re making a call to the dbt Cloud API using the dbt Cloud user API key.
2. Create a new personal access token under **Account Settings → API Tokens → Personal Tokens.**
3. Create and copy the new PAT to replace the old user API key.
4. Ensure that you’re using a PAT only where it's needed. For any flows that requires a service account, please use a service token. Read the section below for more information.

## User API tokens

Each dbt Cloud user with a [Developer license](/docs/cloud/manage-access/seats-and-users) is
issued an API token. This token can be used to execute queries against
the dbt Cloud API on the user's behalf. User API tokens inherit the
permissions of the user that they were created for.

You can find your user API token in the **Profile page** under the **API Access**
label.

<Lightbox src="/img/api-access-profile.jpg" title="Finding your API token in your dbt Cloud Profile" />

## FAQs
4. Ensure that you’re using a PAT only where it's needed. For flows that require a service account, please use a service token.

<FAQ path="API/rotate-token" />
<FAQ path="Accounts/find-user-id" />
1 change: 1 addition & 0 deletions website/docs/docs/dbt-versions/release-notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ Release notes are grouped by month for both multi-tenant and virtual private clo

## October 2024

- **Behavior change:** User API tokens have been deprecated. Update to [personal access tokens](/docs/dbt-cloud-apis/user-tokens) if you have any still in use.
- **New**: The dbt Cloud IDE supports signed commits for Git, available for Enterprise plans. You can sign your Git commits when pushing them to the repository to prevent impersonation and enhance security. Supported Git providers are GitHub and GitLab. Refer to [Git commit signing](/docs/cloud/dbt-cloud-ide/git-commit-signing.md) for more information.
- **New:** With dbt Mesh, you can now enable bidirectional dependencies across your projects. Previously, dbt enforced dependencies to only go in one direction. dbt checks for cycles across projects and raises errors if any are detected. For details, refer to [Cycle detection](/docs/collaborate/govern/project-dependencies#cycle-detection). There's also the [Intro to dbt Mesh](/best-practices/how-we-mesh/mesh-1-intro) guide to help you learn more best practices.

Expand Down
60 changes: 0 additions & 60 deletions website/docs/faqs/API/rotate-token.md

This file was deleted.

2 changes: 1 addition & 1 deletion website/docs/faqs/Accounts/find-user-id.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ sidebar_label: 'Where can I find my user ID'
id: find-user-id
---

Knowing your dbt Cloud user ID can help with actions related to [rotating your API token](/faqs/API/rotate-token), interacting with support, and more.
Knowing your dbt Cloud user ID can help with interacting with support.

To find your user ID in dbt Cloud, read the following steps:

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Using Databricks workflows to call the dbt Cloud job API can be useful for sever

## Set up a Databricks secret scope

1. Retrieve **[User API Token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens#user-api-tokens) **or **[Service Account Token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens#generating-service-account-tokens) **from dbt Cloud
1. Retrieve **[personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) **or **[Service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens#generating-service-account-tokens) **from dbt Cloud
2. Set up a **Databricks secret scope**, which is used to securely store your dbt Cloud API key.

3. Enter the **following commands** in your terminal:
Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/serverless-datadog.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ Wrote config file fly.toml<br/>
## Store secrets

The application requires four secrets to be set, using these names:
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_AUTH_TOKEN`: the Secret Key for the dbt Cloud webhook you created earlier.
- `DD_API_KEY`: the API key you created earlier.
- `DD_SITE`: The Datadog site for your organisation, e.g. `datadoghq.com`.
Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/serverless-pagerduty.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ Make note of the Webhook Secret Key for later.

## Store secrets
The application requires three secrets to be set, using these names:
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_AUTH_TOKEN`: the Secret Key for the dbt Cloud webhook you created earlier.
- `PD_ROUTING_KEY`: the integration key for the PagerDuty integration you created earlier.

Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/zapier-ms-teams.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ The sample body's values are hard-coded and not reflective of your project, but

## Store secrets

In the next step, you will need the Webhook Secret Key from the prior step, and a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens).
In the next step, you will need the Webhook Secret Key from the prior step, and a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens).

Zapier allows you to [store secrets](https://help.zapier.com/hc/en-us/articles/8496293271053-Save-and-retrieve-data-from-Zaps), which prevents your keys from being displayed in plaintext in the Zap code. You will be able to access them via the [StoreClient utility](https://help.zapier.com/hc/en-us/articles/8496293969549-Store-data-from-code-steps-with-StoreClient).

Expand Down
Loading

0 comments on commit 8759087

Please sign in to comment.