Start replacing fly auth token with more limited tokens
#1741
Conversation
There was a problem hiding this comment.
Left a few comments. If you remove the flyctl docs changes (new PR here: superfly/flyctl#3824) then I think we could just merge this and continue to iterate on docs improvements.
(In the next day or so I'm also going to add a general Tokens page under Security that we can link to from various spots.)
| ``` | ||
| <section class="callout"> |
There was a problem hiding this comment.
You can create org tokens in the dashboard now too if we want to keep this: https://fly.io/dashboard/<org>/tokens or https://fly.io/dashboard/personal/tokens
There was a problem hiding this comment.
Added it back. I removed the link, since just linking to the personal org dashboard might confuse some users.
flyctl/cmd/fly_auth_token.md
Outdated
| Shows the authentication token that is currently in use. | ||
| This can be used as an authentication token with API services, | ||
| independent of flyctl. | ||
| Shows the authentication token that is currently in use by flyctl. |
There was a problem hiding this comment.
This content is extracted from the source code.
Started a new PR for this: superfly/flyctl#3824
|
good to merge when you are! |
Summary of changes
This is mostly a conversation starter. We need to move away from telling users to configure things with the output from
fly auth token. For most users, this output is flyctl's own token, which is invalidated if the user logs out of flyctl and almost certainly has access to more things than necessary. For members of organizations that require SSO, the output fromfly auth tokenis a bundle of short-lived tokens (one for each org) that can only be used by flyctl, who knows how to refresh the tokens so they keep working. Eventually,fly auth tokenwill return this kind of token bundle for all users, making it inappropriate for use other than by flyctl itself.We need to move towards recommending
fly tokens create <token-type>:fly tokens create deploy [-a app-name]- Token for accessing a single Fly App.fly tokens create org <org-slug>- Token for accessing all apps within a single Fly.io organization.fly tokens create readonly <org-slug>- Token with readonly access to a single Fly.io organization.I updated a few commands in guides and updated a bit of language. This almost certainly needs some tweaking by someone who's better at writing docs 😄
Preview
Related Fly.io community and GitHub links
Notes