It would be great to have some kin of mechanism that limits the access tokens to only a certain organization. The use case for this is storing environment specific access secrets in CI tools.

For example, I want to deploy the staging version of my app to orgname-staging organization, while the prod version goes to orgname-prod organization. I use two different tokens for each, but as of today all tokens have full account access.

If it was possible to limit the organizational scope of access of the tokens to just a single organization, then it would be easier to maintain proper access controls to the prod environment. I.e. only devops have access to prod, while both dev+ devops have access to staging.

We’ve been working on that. Specifically being able to scope the permissions of tokens.

For instance, creating a metrics:read scoped token for Grafana or a logs:read for accessing and forwarding logs.

Not sure when it’ll happen exactly, but this is on the roadmap!

Great to hear that it’s on the radar. Any update by chance? Giving out unrestricted tokens to things like Grafana Cloud gives me the heebie jeebies.

@jerome I’m also curious about more fine-grained permissions for API tokens.

We have a sensitive app we’d like to deploy with a GitHub action, but we’re concerned that anybody who can make a PR to that app could modify the workflow to exfiltrate the deployment token and gain further access to the app and its data.

Both separation of tokens by Org and action scope would be awesome.