I find it strange that team members can create organization tokens with full access (via flyctl or web interface), but having them create read-only tokens fails.
Run
flyctl tokens create readonly
Error: failed creating token: input:3:2: createLimitedAccessToken Not authorized to access this createlimitedaccesstoken
I think this is inconsistent and promotes insecure integrations using write API tokens where read tokens would suffice.
Is this on purpose, or am I missing something here?
In general, we don’t yet have a comprehensive access permissions system, so there’s no way to prevent team members from doing things like creating fully-permissioned org tokens. We only require the admin role for a specific subset of sensitive operations like destroying an org or purchasing credits.
You mentioned that non admins can create full-access org tokens from flyctl - would you mind writing out the exact flyctl invocation that was used to do this? I’m surprised that e.g. flyctl tokens create org would work but fly tokens create readonly wouldn’t.
The creation of a readonly token should involve an interactive org selection step, e.g. see below what I had to do:
If all else fails, anyone can “attenuate” (reduce permissions of) a token themselves, so you could do the following as a one-liner to get a readonly org token:
The --from-existing flag will cause attenuation of the token in $FLY_API_TOKEN, giving you a readonly org token. This obviously doesn’t mean members can’t create a fully-permissioned token, but it does mean they can daily drive a readonly token.