fly tokens cannot create new tokens

flyctl token create deploy -a myapp --access-token $MY_ORG_TOKEN

Error: failed creating deploy token: input:3: createLimitedAccessToken Not authorized to access this createlimitedaccesstoken

This problem is happening for me, and I see many other topics where this question goes unanswered. Please can you let us know how we are supposed to create new app-scoped deploy tokens from the CLI?

Basically I’m trying to follow the recommended advice as one app per customer, but I can’t seem to figure out how to give their app the ability to handle some provisioning tasks internally, like creating and destroying machines.

This is by design: tokens can’t be used to create other tokens. So when using an org token to authenticate, it does not grant permission to create sub-tokens (e.g. deploy or read-only tokens).

Additional tokens can only be created when authed as a user. If you do fly auth login and then try to create the token that way, without passing the --access-token flag, it’ll succeed.

Tangentially, depending on what you’re building you might find these blueprints handy as a reference:

Per-User Dev Environments with Fly Machines · Fly Docs
Connecting to User Machines · Fly Docs

They cover some suggestions for handling routing to per-user environments, including with a private management service and public user facing service.


You’re actually looking for fly tokens attenuate - you don’t need to hit our API server to add caveats (such as app) for an already existing org macaroon token.


Thank you kindly, attenuation is actually a beautiful way to do API tokens, with zero latency for me and zero load for you. I feel like this should be called out somewhere around tokens? Because here’s me, scratching around all the tokens docs, not seeing any of these things.

Even maybe a link or a message in the error message the CLI throws when you try to make a token with a token?
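Why attenuation needs no API call, as an added example that is not part of the original thread and is not Fly.io's code or token format: a generic macaroon-style HMAC chain, in which any holder can append a caveat such as an app restriction offline, while only the issuer's root key can verify the result. The key, the identifier, the `key=value` caveat syntax and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

ROOT_KEY = b"constructed-root-key-for-demo"  # constructed; held by the issuer only


def _chain(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer side: creating a fresh token requires the root key."""
    return {"id": identifier, "caveats": [],
            "sig": _chain(root_key, identifier.encode())}


def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: new sig = HMAC(old sig, caveat). No root key, no network."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat.encode())}


def _satisfied(caveat: str, request: dict) -> bool:
    # Hypothetical caveat syntax "key=value"; anything malformed fails closed.
    key, sep, value = caveat.partition("=")
    return bool(sep) and request.get(key) == value


def verify(root_key: bytes, token: dict, request: dict) -> bool:
    """Issuer side: replay the chain from the root key, then check every caveat."""
    sig = _chain(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat.encode())
    if not hmac.compare_digest(sig, token["sig"]):
        return False  # a caveat was removed, reordered or altered
    return all(_satisfied(c, request) for c in token["caveats"])


# Constructed sample: an org-wide token narrowed to one app, entirely offline.
org_token = mint(ROOT_KEY, "org=example-org")
app_token = attenuate(org_token, "app=myapp")
# Dropping the caveat but keeping the signature does not widen the token again.
stripped = dict(app_token, caveats=[])
```

Because HMAC is one-way, whoever holds only `app_token` cannot recover the signature of `org_token`, so a narrowed token handed to a customer's app cannot be turned back into the org-wide one.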
