Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add new credential only flow #6444

Merged
merged 12 commits into from
Nov 11, 2024
1 change: 1 addition & 0 deletions website/docs/docs/dbt-versions/release-notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ Release notes are grouped by month for both multi-tenant and virtual private clo
- Improved handling of queries when multiple tables are selected in a data source.
- Fixed a bug when an IN filter contained a lot of values.
- Better error messaging for queries that can't be parsed correctly.
- **Enhancement**: The dbt Semantic Layer supports creating new credentials for users who don't have permissions to create service tokens. In the **Credentials & service tokens** side panel, the **+Add Service Token** option is unavailable for those users who don't have permission. Instead, the side panel displays a message indicating that the user doesn't have permission to create a service token and should contact their administration. Refer to [Set up dbt Semantic Layer](/docs/use-dbt-semantic-layer/setup-sl) for more details.

## October 2024
<Expandable alt_header="Coalesce 2024 announcements">
Expand Down
60 changes: 38 additions & 22 deletions website/snippets/_new-sl-setup.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,17 +35,22 @@

*If you're on a Team plan and need to add more credentials, consider upgrading to our [Enterprise plan](https://www.getdbt.com/contact). Enterprise users can refer to [Add more credentials](#4-add-more-credentials) for detailed steps on adding multiple credentials.*

1. After selecting the deployment environment, you should see the **Credentials & service tokens** page.
2. Click the **Add Semantic Layer credential** button.
3. In the **1. Add credentials** section, enter the credentials specific to your data platform that you want the Semantic Layer to use.
#### 1. Select deployment environment

Check warning on line 38 in website/snippets/_new-sl-setup.md

View workflow job for this annotation

GitHub Actions / vale

[vale] website/snippets/_new-sl-setup.md#L38

[custom.SentenceCaseHeaders] '1. Select deployment environment' should use sentence-style capitalization. Try '' instead.
Raw output
{"message": "[custom.SentenceCaseHeaders] '1. Select deployment environment' should use sentence-style capitalization. Try '' instead.", "location": {"path": "website/snippets/_new-sl-setup.md", "range": {"start": {"line": 38, "column": 6}}}, "severity": "WARNING"}
- After selecting the deployment environment, you should see the **Credentials & service tokens** page.
- Click the **Add Semantic Layer credential** button.

mirnawong1 marked this conversation as resolved.
Show resolved Hide resolved
#### 2. Configure credential

Check warning on line 42 in website/snippets/_new-sl-setup.md

View workflow job for this annotation

GitHub Actions / vale

[vale] website/snippets/_new-sl-setup.md#L42

[custom.SentenceCaseHeaders] '2. Configure credential' should use sentence-style capitalization. Try '' instead.
Raw output
{"message": "[custom.SentenceCaseHeaders] '2. Configure credential' should use sentence-style capitalization. Try '' instead.", "location": {"path": "website/snippets/_new-sl-setup.md", "range": {"start": {"line": 42, "column": 6}}}, "severity": "WARNING"}
- In the **1. Add credentials** section, enter the credentials specific to your data platform that you want the Semantic Layer to use.
- Use credentials with minimal privileges. The Semantic Layer requires read access to the schema(s) containing the dbt models used in your semantic models for downstream applications
- <SLEnvVars/>

<Lightbox src="/img/docs/dbt-cloud/semantic-layer/sl-add-credential.jpg" width="55%" title="Add credentials and map them to a service token. " />

4. After adding credentials, scroll to **2. Map new service token**.
5. Name the token and ensure the permission set includes 'Semantic Layer Only' and 'Metadata Only'.
6. Click **Save**. Once the token is generated, you won't be able to view this token again so make sure to record it somewhere safe.
#### 3. Create or link service tokens
- If you have permission to create service tokens, you’ll see the [**Map new service token** option](/docs/use-dbt-semantic-layer/setup-sl#map-service-tokens-to-credentials) after adding the credential. Name the token, set permissions to 'Semantic Layer Only' and 'Metadata Only', and click **Save**.
- Once the token is generated, you won't be able to view this token again, so make sure to record it somewhere safe.
- If you don’t have access to create service tokens, you’ll see a message prompting you to contact your admin to create one for you. Admins can create and link tokens as needed.
mirnawong1 marked this conversation as resolved.
Show resolved Hide resolved
<Lightbox src="/img/docs/dbt-cloud/semantic-layer/sl-credential-no-service-token.jpg" width="70%" title="If you don’t have access to create service tokens, you can create a credential and contact your admin to create one for you." />

:::info
- Team plans can create multiple service tokens that link to a single underlying credential, but each project can only have one credential.
Expand All @@ -67,26 +72,28 @@

We recommend configuring credentials and service tokens to reflect your teams and their roles. For example, create tokens or credentials that align with your team's needs, such as providing access to finance-related schemas to the Finance team.

Note that:
<Expandable alt_header="Considerations for linking credentials">

- Admins can link multiple service tokens to a single credential within a project, but each service token can only be linked to one credential per project.
- When you send a request through the APIs, the service token of the linked credential will follow access policies of the underlying view and tables used to build your semantic layer requests.
- <SLEnvVars/>

To add multiple credentials and map them to service tokens:

1. After configuring your environment, on the **Credentials & service tokens** page, click the **Add Semantic Layer credential** button to create multiple credentials and map them to a service token.
2. In the **1. Add credentials** section, fill in the data platform's credential fields. We recommend using “read-only” credentials.
<Lightbox src="/img/docs/dbt-cloud/semantic-layer/sl-add-credential.jpg" width="55%" title="Add credentials and map them to a service token. " />

3. In the **2. Map new service token** section, map a service token to the credential you configured in the previous step. dbt Cloud automatically selects the service token permission set you need (Semantic Layer Only and Metadata Only).

4. To add another service token during configuration, click **Add Service Token**.
5. You can link more service tokens to the same credential later on in the **Semantic Layer Configuration Details** page. To add another service token to an existing Semantic Layer configuration, click **Add service token** under the **Linked service tokens** section.
6. Click **Save** to link the service token to the credential. Remember to copy and save the service token securely, as it won't be viewable again after generation.
</Expandable>

#### 1. Add more credentials

Check warning on line 82 in website/snippets/_new-sl-setup.md

View workflow job for this annotation

GitHub Actions / vale

[vale] website/snippets/_new-sl-setup.md#L82

[custom.SentenceCaseHeaders] '1. Add more credentials' should use sentence-style capitalization. Try '' instead.
Raw output
{"message": "[custom.SentenceCaseHeaders] '1. Add more credentials' should use sentence-style capitalization. Try '' instead.", "location": {"path": "website/snippets/_new-sl-setup.md", "range": {"start": {"line": 82, "column": 6}}}, "severity": "WARNING"}
- After configuring your environment, on the **Credentials & service tokens** page, click the **Add Semantic Layer credential** button to create multiple credentials and map them to a service token. <br />
- In the **1. Add credentials** section, fill in the data platform's credential fields. We recommend using “read-only” credentials.
<Lightbox src="/img/docs/dbt-cloud/semantic-layer/sl-add-credential.jpg" width="55%" title="Add credentials and map them to a service token. " />

#### 2. Map service tokens to credentials
- In the **2. Map new service token** section, [map a service token to the credential](/docs/use-dbt-semantic-layer/setup-sl#map-service-tokens-to-credentials) you configured in the previous step. dbt Cloud automatically selects the service token permission set you need (Semantic Layer Only and Metadata Only).
mirnawong1 marked this conversation as resolved.
Show resolved Hide resolved
- To add another service token during configuration, click **Add Service Token**.
- You can link more service tokens to the same credential later on in the **Semantic Layer Configuration Details** page. To add another service token to an existing Semantic Layer configuration, click **Add service token** under the **Linked service tokens** section.
- Click **Save** to link the service token to the credential. Remember to copy and save the service token securely, as it won't be viewable again after generation.
<Lightbox src="/img/docs/dbt-cloud/semantic-layer/sl-credentials-service-token.jpg" width="90%" title="Use the configuration page to manage multiple credentials or link or unlink service tokens for more granular control."/>

7. To delete a credential, go back to the **Credentials & service tokens** page.
8. Under **Linked Service Tokens**, click **Edit** and, select **Delete Credential** to remove a credential.
#### 3. Delete credentials

Check warning on line 94 in website/snippets/_new-sl-setup.md

View workflow job for this annotation

GitHub Actions / vale

[vale] website/snippets/_new-sl-setup.md#L94

[custom.SentenceCaseHeaders] '3. Delete credentials' should use sentence-style capitalization. Try '' instead.
Raw output
{"message": "[custom.SentenceCaseHeaders] '3. Delete credentials' should use sentence-style capitalization. Try '' instead.", "location": {"path": "website/snippets/_new-sl-setup.md", "range": {"start": {"line": 94, "column": 6}}}, "severity": "WARNING"}
- To delete a credential, go back to the **Credentials & service tokens** page.
- Under **Linked Service Tokens**, click **Edit** and, select **Delete Credential** to remove a credential.

When you delete a credential, any service tokens mapped to that credential in the project will no longer work and will break for any end users.

Expand All @@ -107,6 +114,15 @@

The following are the additional flexible configurations for Semantic Layer credentials.

### Map service tokens to credentials
- After configuring your environment, you can map additional service tokens to the same credential if you have the required [permissions](/docs/cloud/manage-access/about-user-access#permission-sets).
- Go to the **Credentials & service tokens** page and click the **+Add Service Token** button in the **Linked Service Tokens** section.
- Type the service token name and select the permission set you need (Semantic Layer Only and Metadata Only).
- Click **Save** to link the service token to the credential.
- Remember to copy and save the service token securely, as it won't be viewable again after generation.

<Lightbox src="/img/docs/dbt-cloud/semantic-layer/sl-add-service-token.gif" title="Map additional servicetokens to a credential." />

### Unlink service tokens
- Unlink a service token from the credential by clicking **Unlink** under the **Linked service tokens** section. If you try to query the Semantic Layer with an unlinked credential, you'll experience an error in your BI tool because no valid token is mapped.

Expand All @@ -115,7 +131,7 @@
- View your Semantic Layer credential directly by navigating to the **API tokens** and then **Service tokens** page.
- Select the service token to view the credential it's linked to. This is useful if you want to know which service tokens are mapped to credentials in your project.

**Create a new service token**
#### Create a new service token
- From the **Service tokens** page, create a new service token and map it to the credential(s) (assuming the semantic layer permission exists). This is useful if you want to create a new service token and directly map it to a credential in your project.
- Make sure to select the correct permission set for the service token (Semantic Layer Only and Metadata Only).

Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading