Account-scoped personal access tokens #4805
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
github-actions
bot
added
size: medium
BrJan
reviewed
Jan 25, 2024
nm0s
reviewed
Jan 26, 2024
| * For example, [email protected] belongs to two dbt Cloud accounts: Spice Harvesting Account and Guild Navigator Account. Before this release, the same API key was used to access both accounts. | ||
| * After this release, Paul has to individually go into these accounts and create a unique PAT for each account he wants to access the API. These API tokens are account-specific and not user-specific. | ||
| * **Cross-Account API endpoints will stop working after April X, 2024:** | ||
| * These are /v2/accounts and /v3/accounts. Since all tokens are now account-specific, tying all accounts to a username will not work. So /v3/accounts will be deprecated. |
There was a problem hiding this comment.
Currently we can't deprecate /v3/accounts because it's used on the front end for the account switcher. Once we fully migrate to MC then we might be able to
nm0s
reviewed
Jan 26, 2024
| description: "Personal access tokens help you define permissions for securing access to your dbt Cloud account and its projects." | ||
| --- | ||
|
|
||
| Each dbt Cloud user with a [developer license](https://docs.getdbt.com/docs/cloud/manage-access/seats-and-users) can create a personal access token (PAT) to access the dbt Cloud API. This token is used to execute queries against the dbt Cloud API on the user's behalf. User API tokens inherit the permissions of the user that they were created for. These tokens are account-specific; If a user has access to more than one dbt Cloud account with the same email address, you need to create a unique PAT for each one of these accounts. |
There was a problem hiding this comment.
I might explicitly mention somewhere that account-scoped PATs can only query "accounts-level" endpoints (as in endpoints that have an account id within their either request path). With the exception of /whoami, /v3/accounts, and /v2/accounts
nm0s
reviewed
Feb 7, 2024
matthewshaver
changed the title
saimaddali
approved these changes
Feb 7, 2024
runleonarun
approved these changes
Feb 7, 2024
| @@ -4,19 +4,72 @@ id: "user-tokens" | |||
| pagination_next: "docs/dbt-cloud-apis/service-tokens" | |||
| --- | |||
|
|
|||
| :::note Action required | |||
|
|
|||
| The [user API tokens](#user-tokens) will eventually be deprecated. The deprecation date is yet to be determined, but we recommend you update to account-scoped personal access tokens to avoid service disruptions in the future. We will communicate, with ample notice, the deprecation date when it has been determined. | |||
There was a problem hiding this comment.
This note is kind of wordy and could use some fine-tuning. I worry people will miss the important bits.
|
|
||
| :::info New | ||
|
|
||
| On Feb 7, 2024, we introduced a new type of token for individual users called personal access tokens. Note that these differ from [Service Tokens or API Keys](/docs/dbt-cloud-apis/authentication#types-of-api-access-tokens). Before this release, user API keys were the only way to access dbt Cloud API on behalf of the user. These API Keys were user-specific and were not scoped to an account. To enhance the security of dbt Cloud, we are moving away from this model to account-specific tokens. |
There was a problem hiding this comment.
Does this need to be a note? Feels like a 1st paragraph?
There was a problem hiding this comment.
I've worked under the assumption that anything with dates should be temporary text, but I'm happy to change it.
Co-authored-by: Leona B. Campbell <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What are you changing in this pull request and why?
Updating the docs to reflect the change to account-scoped personal access tokens for APIs.
Renames the
Authenticationsection toAPI Accessand updates theAuthenticationpage toAuthentication tokensNo redirects required as URLs remain the same.
Checklist
Adding or removing pages (delete if not applicable):
website/sidebars.jsnpm run buildto update the links that point to deleted pages