Deploy Tokens

btoews · March 31, 2023, 5:38pm

TL;DR This post introduces a new type of authentication token with more refined permissions. Deploy tokens are limited to managing a single Fly App and it’s associated resources

Authentication tokens are scary, messy, and a fact of life (at least if your life is anything like mine). When you run fly auth login, you get an API authentication token that gives flyctl, our API tool, access to do everything it needs to do–which is to create, configure, deploy and manage all of your org’s apps and all their resources. The downside of all this power is that a leaked, stolen, or misplaced token can cause you to have a really bad day.

Once you’ve got your app’s infrastructure configured just so, you’re probably just using flyctl to deploy your code. You might have even automated this process to run via a fancy CD pipeline when you merge a pull request. You shouldn’t have to give third-party services this scary-as-hell, all-powerful authentication token just to get one app deployed. And, now you don’t.

You can generate deploy tokens via fly tokens create deploy or via the Tokens tab on your app dashboard. These tokens are limited to managing a single Fly App and its associated resources¹. You can use these tokens with flyctl by specifying them in the FLY_API_TOKEN environment variable.

Go ahead and try it out:

FLY_API_TOKEN=$(fly tokens deploy) fly deploy

¹ Deploy tokens can manage the app and its volumes, machines, secrets, databases, logs, etc… Because you also need to connect to the app’s Wireguard network to monitor deploys, SSH into the app, or tail logs, these tokens also have the ability to create and manage Wireguard peers. This specific permission will become more fine-grained in the future.

Caveats

The caveat, or rather disclaimer, is that this is a new feature and there might be sharp edges. Take deploy tokens for a spin, but don’t rely on them for anything mission-critical just yet.

The Nitty Gritty

Under the hood, deploy tokens are our first use case for macaroons. We’ve written about macaroons before. Deploy tokens start off being all-powerful within a Fly.io organization and their permissions are attenuated by a sequence of caveats. The trick is that anyone with a macaroon can add more caveats to further attenuate the token’s permissions. This is all very exciting and cool. We’ll talk more about macaroons in another post and publish some code so you can mess with attenuating your own macaroons.

In the meantime, for those who are excited to geek out about macaroons, the caveats in a deploy token look something like this

[
  org(myOrg: *),
  validityWindow(from: now, to: nextTuesday),
  ifPresent(
    apps(myCoolApp: *),
    orgFeatures(wireguard: *),
    else: r
  )
]

If this is confusing, don’t worry. The syntax is entirely made up and so are the semantics of our caveats.

charsleysa · April 12, 2023, 11:17pm

Awesome!

Are these tokens tied to a user? Or are they separate from the user access tokens?

Will there be an organization level token available soon? The use case is that we have multiple orgs for different environments and uses, mainly for isolation, and we’d like to have a token to allows pretty much full access to create/deploy/delete apps, volumes, machines, etc for only 1 specific org.

btoews · April 13, 2023, 2:19pm

Tokens are tied to organizations. We track which user created a token, but that’s mostly informational. We could issue org-wide tokens today, but don’t have any UI for listing/revoking them, which feels kind of important.

btoews · April 13, 2023, 4:33pm

FWIW, the workaround for now is to create a fake account for each org and use those accounts’ access tokens.

charsleysa · April 14, 2023, 5:06am

Is this something that can be done with the CLI?

btoews · April 14, 2023, 1:20pm

Not today. Sorry.

pmbanugo · May 9, 2023, 5:18pm

I hope this can be added someday/soon. I have a usecase I’m exploring and I don’t want to use the all powerful API token.

mootari · May 15, 2023, 7:12pm

Is there a rough timeline for when we might be able to grant additional permissions so that the token could be used in a dev/CI pipeline to create and destroy apps on the fly (no pun intended)? The use case is to create an arbitrary number of temporary deployments for PR reviews.

btoews · May 22, 2023, 2:20pm

No timeline, but it’s on my TODO list.

tnzk · May 25, 2023, 8:07am

Is this a thread for the feature explained in this page? It is a nice addition to the fly toolbox

I tried using deploy tokens since this doc suggested to do so, and it turned out with a deploy token deployments with [release_command] section will fail with 401 Unauthorized in the log. What is interesting is actually, the release had succeeded. I guess it was not unauthorized to make a release but to spin up a temporary VM for release_commands which would have kind of super power.

It might be less confusing if the doc for Deploy Token mentions it cannot work with [release_commands] unless this is unintended.

tvdfly · May 29, 2023, 8:11pm

Deploy tokens work with release_commands. That error likely means the release_command had a non-zero exit code or the release_command machine failed in another way.

We have a confusing error message/bug in flyctl where the deploy token is not authorized to read the application logs. The bug is we show that unauthorized to access the logs error instead of the error about the non-zero exit code. We’re fixing that error message. pr is here, which will be released shortly.

btoews · May 30, 2023, 3:53pm

Deploy tokens were supposed to allow log access, but there was a bug. That’s been fixed now and you should no longer see errors from the release-command stage of your deployments.

btoews · May 30, 2023, 3:56pm

@charsleysa @pmbanugo @mootari Organization-scoped tokens are now available: Org Scoped Tokens

pmbanugo · May 31, 2023, 7:10am

Can we use deploy tokens to set secrets?

pmbanugo · May 31, 2023, 7:11am

Awesome! Checking it out …

btoews · May 31, 2023, 2:17pm

Yes. That should be possible.

sdriffill-tm · July 11, 2024, 9:38am

Our team is finding that an application’s deploy token is only visible to the person who created it. We were expecting it to be visible to every member of the organisation. Is this behaviour expected? The discussion above “Tokens are tied to organizations. We track which user created a token, but that’s mostly informational.” seemed to suggest otherwise. Deploy tokens seemed to us to have the main benefits of 1) being scoped to a single app 2) not being tied to a single user account. Any clarification would be greatly appreciated!

btoews · July 11, 2024, 6:52pm

This is probably a bug. I’ll look into it

btoews · July 17, 2024, 5:12pm

I updated the behavior to allow organization members to see/revoke all tokens for the org.

sdriffill-tm · July 18, 2024, 3:24pm

Working for us now - amazingly quick turn around thanks @btoews

Topic		Replies	Views
Org Scoped Tokens Fresh Produce	5	871	June 20, 2023
Generate a one time deploy token wishlist	2	475	March 31, 2023
How on earth do you generate a Fly.io auth token with current flyctl??? Questions / Help docs , flyctl	5	77	October 11, 2024
SSH-only token Fresh Produce flyctl , security	3	289	April 22, 2024
Org Api Token cannot create deploy tokens Questions / Help	1	152	March 14, 2024

Deploy Tokens

Caveats

The Nitty Gritty

Related topics