Start replacing `fly auth token` with more limited tokens #1741
Left a few comments. If you remove the flyctl docs changes (new PR here: superfly/flyctl#3824) then I think we could just merge this and continue to iterate on docs improvements.
(In the next day or so I'm also going to add a general Tokens page under Security that we can link to from various spots.)
``` | ||
<section class="callout"> |
You can create org tokens in the dashboard now too if we want to keep this: https://fly.io/dashboard/<org>/tokens
or https://fly.io/dashboard/personal/tokens
Added it back. I removed the link, since just linking to the personal org dashboard might confuse some users.
flyctl/cmd/fly_auth_token.md
Outdated
Shows the authentication token that is currently in use. | ||
This can be used as an authentication token with API services, | ||
independent of flyctl. | ||
Shows the authentication token that is currently in use by flyctl. |
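Review bot: The replacement line "Shows the authentication token that is currently in use by flyctl." removes the sentence about using the token with API services but gives readers no pointer to what they should use instead. Consider adding a sentence that sends non-flyctl use to `fly tokens create <token-type>`, and that says this token stops working when the user logs out of flyctl, which is the reason the PR description gives for the change.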
This content is extracted from the source code.
Started a new PR for this: superfly/flyctl#3824
good to merge when you are!
Summary of changes

This is mostly a conversation starter. We need to move away from telling users to configure things with the output from `fly auth token`. For most users, this output is flyctl's own token, which is invalidated if the user logs out of flyctl and almost certainly has access to more things than necessary. For members of organizations that require SSO, the output from `fly auth token` is a bundle of short-lived tokens (one for each org) that can only be used by flyctl, which knows how to refresh the tokens so they keep working. Eventually, `fly auth token` will return this kind of token bundle for all users, making it inappropriate for use other than by flyctl itself.

We need to move towards recommending `fly tokens create <token-type>`:

- `fly tokens create deploy [-a app-name]` - Token for accessing a single Fly App.
- `fly tokens create org <org-slug>` - Token for accessing all apps within a single Fly.io organization.
- `fly tokens create readonly <org-slug>` - Token with readonly access to a single Fly.io organization.

I updated a few commands in guides and updated a bit of language. This almost certainly needs some tweaking by someone who's better at writing docs 😄
Preview
Related Fly.io community and GitHub links
Notes
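The migration described in the summary needs a way to find remaining uses of `fly auth token` in scripts and guides. The check below is an added example, not code from this PR or from flyctl; the function names and the sample files are constructed for illustration, and `FLY_API_TOKEN` is the environment variable flyctl reads its token from.

```bash
#!/usr/bin/env bash
# Added example (not flyctl code): locate scripts and docs that still rely on
# `fly auth token`, so they can move to a scoped `fly tokens create` token.

# Print "path:line:text" for each line under DIR that runs
# `fly auth token` or `flyctl auth token`. Prints nothing when clean.
find_auth_token_uses() {
  grep -rnE '(^|[^[:alnum:]_-])(fly|flyctl)[[:space:]]+auth[[:space:]]+token([^[:alnum:]_-]|$)' "$1" || true
}

# CI gate: succeed only when DIR contains no such use.
check_no_auth_token_uses() {
  hits=$(find_auth_token_uses "$1")
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits" >&2
  echo 'Use a scoped token instead: fly tokens create deploy|org|readonly' >&2
  return 1
}

# Constructed sample tree: two files that use flyctl's own token and one
# that already creates a deploy token. Prints the directory path.
make_sample_tree() {
  sample_dir=$(mktemp -d) || return 1
  printf '%s\n' 'export FLY_API_TOKEN=$(fly auth token)' > "$sample_dir/ci.env"
  printf '%s\n' 'Run `flyctl auth token` and paste it into your CI secret.' > "$sample_dir/guide.md"
  printf '%s\n' 'fly tokens create deploy -a my-app' > "$sample_dir/deploy.sh"
  printf '%s\n' "$sample_dir"
}

# Demo on the constructed sample: lists ci.env and guide.md, not deploy.sh.
demo_dir=$(make_sample_tree)
find_auth_token_uses "$demo_dir"
rm -rf "$demo_dir"
```

Calling `check_no_auth_token_uses <dir>` from a CI step fails the job while any file under that directory still invokes `fly auth token`.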