flyctl FLY_ACCESS_TOKEN persisted to config.yml

flyctl has a pretty powerful set of capabilities and so as a check against accidental whoopsies, I like to stay unauthenticated by default, and “grant myself access” as needed by exporting FLY_ACCESS_TOKEN to my shell (I do this with pretty much any cli that grants me access to authenticated services - github cli, vercel cli, heroku cli, etc)

This works fine, except that if you run certain (any?) commands with flyctl after providing it an auth token via FLY_ACCESS_TOKEN (e.g. export FLY_ACCESS_TOKEN=abc123; fly logs) the token is saved to ~/.fly/config.yml which is effectively what happens when you do fly auth login; this leaves me logged in persistently for subsequent shells, rendering my safeguard kinda useless.

This is pretty unintuitive to me as the whole point of authenticating with either the FLY_ACCESS_TOKEN or --token options is to allow your authentication to be transient/ephemeral.

Is there a way I can configure flyctl not to save my token anytime it successfully uses it for an operation?



Maybe you can save your fly access token in the env var FLY_TOKEN instead of FLY_ACCESS_TOKEN (something that flyctl does not check by default) and then to actually authenticate a command you could do flyctl -t $FLY_TOKEN ...