Feature Request: Limit access tokens to certain organizations

It would be great to have some kin of mechanism that limits the access tokens to only a certain organization. The use case for this is storing environment specific access secrets in CI tools.

For example, I want to deploy the staging version of my app to orgname-staging organization, while the prod version goes to orgname-prod organization. I use two different tokens for each, but as of today all tokens have full account access.

If it was possible to limit the organizational scope of access of the tokens to just a single organization, then it would be easier to maintain proper access controls to the prod environment. I.e. only devops have access to prod, while both dev+ devops have access to staging.

6 Likes

We’ve been working on that. Specifically being able to scope the permissions of tokens.

For instance, creating a metrics:read scoped token for Grafana or a logs:read for accessing and forwarding logs.

Not sure when it’ll happen exactly, but this is on the roadmap!

5 Likes

Great to hear that it’s on the radar. Any update by chance? Giving out unrestricted tokens to things like Grafana Cloud gives me the heebie jeebies.

1 Like

@jerome I’m also curious about more fine-grained permissions for API tokens.

We have a sensitive app we’d like to deploy with a GitHub action, but we’re concerned that anybody who can make a PR to that app could modify the workflow to exfiltrate the deployment token and gain further access to the app and its data.

2 Likes

Both separation of tokens by Org and action scope would be awesome.

1 Like

Any update on this? I am connected to many organisations. Having a personal token able to access all apps of all organisations is far from desirable.

1 Like

I’ve solved this now by creating a new user (<my-name>+<client-name>@<my-company-name>.nl) and adding it to the organisation.

Some more info on my use case:

I have a client that has their own Github organisation. I am setting up a Github action there to automatically deploy to Fly. For that I have to configure a Fly API token there. Using my own personal access token will allow them to access all my other apps and organisations that are attached to my personal account. That’s not okay, so the only solution

Hi @Yaeger

This feature we are actively working on but it touches many areas of our platform and handles sensible data so we want to bake it just right before shipping the first version :slight_smile:

4 Likes

v1!? Or, a preview? :wink:

Any timelines for this? This would be useful for a use case where we spin up a VM and hand over all control of just that VM to one entity (or, whichever entities hold that per-VM authz token).