DO Ideas 2

Fine grained API tokens

The new API is great and being able to create multiple access tokens is too, but it feels extremely dangerous to save an API token that can potentially destroy ALL my droplets for all my clients on just a single droplet that only needs the API for a specific use case.

My example: a weekly task that consumes a large amount of memory: my client has to contact me to resize 4GB -> 32GB before initiating the task (or pay for a 32GB instance all the time, which doesn't make sense). It feels strange that I have to do all this, just because I'm refusing to do something that's dangerous.

Hope you'll be able to do something about it :-)

  • Zowie
  • Sep 11 2018
  • Maria Kirschbaum commented
    September 11, 2018 16:35

    The easiest way to achieve this is to define a regex (or many regexes) at the same time you create the key.

    If at least one regex is matched, the API proceeds with the request.

    Then, it will depend on your abilities with regex to let that token do or not do certain tasks.
    Easy and effective!!!!

  • Anonymous commented
    September 11, 2018 16:35

    I want to manage my DNS records via the API, but I definitely don't want to use a token that can modify droplets or my backups/snapshots for that :(

  • Anonymous commented
    September 11, 2018 16:35

    limit API options for specific team members

  • Safeharbour commented
    September 11, 2018 16:35

    This is probably the most important enterprise feature, and while you wait, we (a third party) provide it to our clients via our Dashboard, mentioned here:
    https://safeharbour.io/help/pages/working_with_organizations.html#managing-your-users
    You can set what a person in the SafeHarbour org can do down to the resource (droplets only or images only, and within those read-only or read+write; quite detailed permissions, check it out).
    See the demo:
    https://safeharbour.io/help/pages/working_with_organizations.html#demo-on-our-fine-grained-permissions

  • Joshua Cooper commented
    September 11, 2018 16:35

    This is absolutely something I would like to see happen.

    I would also like to request, possibly, a temporary token that expires after a single session.

  • Patrik Karisch commented
    September 11, 2018 16:35

    Fine grained control would be nice, with filtering on hostname prefixes/suffixes or other tags.

    For your use case, you could create a simple API endpoint for your customer and then utilize the DO API in your API to do the resize.
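    Two of the suggestions in this thread (Maria Kirschbaum's "define a regex per token" and Patrik Karisch's "put your own endpoint in front of the DO API") combine into one pattern: a small broker that keeps the full-power token server-side and hands out short-lived tokens whose scope is an allow-list of method + path regex, plus, for the droplet actions endpoint, the action type in the request body. The example below is added here to illustrate that pattern; it is not DigitalOcean's code or API, and it sends nothing over the network (forward() only builds the upstream request it would send). The base URL, the `/v2/droplets/{id}/actions` shape with a `type` field in the JSON body, the droplet id `1234`, the size slug and the token strings are assumptions or placeholders, so check them against the current API docs before relying on them.

```python
"""Credential broker: one full-power DigitalOcean token stays in this process,
clients get scoped, expiring tokens.  Added example, not DigitalOcean's API.
Scope = allow-list of (method, anchored path regex, optional body action types).
"""
import hashlib
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DO_API = "https://api.digitalocean.com"  # upstream base URL (assumed)


@dataclass(frozen=True)
class Rule:
    method: str                               # HTTP method the rule permits
    path: str                                 # regex, checked with re.fullmatch()
    action_types: Optional[frozenset] = None  # for .../actions: allowed "type" values


@dataclass
class ScopedToken:
    rules: tuple
    expires_at: float


def _digest(secret: str) -> str:
    # Store only a hash of the client secret, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()


class TokenBroker:
    def __init__(self, upstream_token: str, clock=time.time):
        self._upstream = upstream_token   # never returned to clients
        self._tokens = {}                 # sha256(secret) -> ScopedToken
        self._clock = clock               # injectable for testing expiry

    def issue(self, rules, ttl_seconds: int) -> str:
        """Mint a scoped token; returns the secret the client will present."""
        secret = secrets.token_urlsafe(32)
        self._tokens[_digest(secret)] = ScopedToken(tuple(rules), self._clock() + ttl_seconds)
        return secret

    def check(self, secret: str, method: str, path: str, body: Optional[dict] = None):
        """Return (allowed, reason). Any matching rule permits the request."""
        key = _digest(secret)
        tok = self._tokens.get(key)
        if tok is None:
            return False, "unknown token"
        if self._clock() >= tok.expires_at:
            self._tokens.pop(key, None)
            return False, "token expired"
        for rule in tok.rules:
            if rule.method != method.upper():
                continue
            # fullmatch, not search/match: "/v2/droplets/1234" must not
            # cover "/v2/droplets/12345" or "/v2/droplets/1234/snapshots".
            if not re.fullmatch(rule.path, path):
                continue
            # The actions endpoint multiplexes resize/power_off/rebuild/... in
            # the body, so a path regex alone cannot express "resize only".
            if rule.action_types is not None and (
                not body or body.get("type") not in rule.action_types
            ):
                continue
            return True, "ok"
        return False, "not permitted by token scope"

    def forward(self, secret: str, method: str, path: str, body: Optional[dict] = None):
        """Build the upstream request that would be sent with the real token."""
        ok, why = self.check(secret, method, path, body)
        if not ok:
            raise PermissionError(why)
        return {"method": method.upper(), "url": DO_API + path,
                "headers": {"Authorization": f"Bearer {self._upstream}"},
                "json": body}


def demo():
    """Constructed scenario: a token that may only resize (and read) droplet 1234."""
    broker = TokenBroker("dop_v1_FULL_POWER_TOKEN_PLACEHOLDER")  # placeholder secret
    resize_only = broker.issue(
        [Rule("POST", r"/v2/droplets/1234/actions", frozenset({"resize"})),
         Rule("GET", r"/v2/droplets/1234(/actions(/\d+)?)?")],
        ttl_seconds=3600,
    )
    actions = "/v2/droplets/1234/actions"
    return {
        "resize": broker.check(resize_only, "POST", actions,
                               {"type": "resize", "size": "s-8vcpu-32gb"})[0],
        "same_path_other_action": broker.check(resize_only, "POST", actions,
                                               {"type": "power_off"})[0],
        "other_droplet": broker.check(resize_only, "POST", "/v2/droplets/9999/actions",
                                      {"type": "resize"})[0],
        "delete": broker.check(resize_only, "DELETE", "/v2/droplets/1234")[0],
        "prefix_trick": broker.check(resize_only, "GET", "/v2/droplets/12345")[0],
    }
```

    The client in the thread's scenario would call the broker's resize endpoint once a week with its scoped token; the broker checks the scope and only then spends the real token. The design choices worth copying are the anchored fullmatch (a prefix regex is exactly the "depends on your abilities with regex" trap Maria mentions), the body inspection on the actions endpoint (path-only scoping cannot separate resize from power_off or rebuild), the hashed token store, and the TTL, which also gives Joshua Cooper's "temporary token" with no extra machinery.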

  • Anonymous commented
    September 11, 2018 16:35

    It'd be nice to have API keys only allowed to create / operate / delete a subset of droplets.

    Currently providing the API keys to an app gives full control over all the existing droplets and is a risk.