Team members cannot create read-only org tokens (but regular org tokens work)

I find it strange that team members can create organization tokens with full access (via flyctl or web interface), but having them create read-only tokens fails.

Run

flyctl tokens create readonly

Error: failed creating token: input:3:2: createLimitedAccessToken Not authorized to access this createlimitedaccesstoken

I think this is inconsistent and promotes insecure integrations using write API tokens where read tokens would suffice.

Is this on purpose, or am I missing something here?

In general, we don’t yet have a comprehensive access permissions system, so there’s no way to prevent team members from doing things like creating fully-permissioned org tokens. We only require the admin role for a specific subset of sensitive operations like destroying an org or purchasing credits.


You mentioned that non-admins can create full-access org tokens from flyctl - would you mind writing out the exact flyctl invocation that was used to do this? I’m surprised that e.g. flyctl tokens create org would work but fly tokens create readonly wouldn’t.

The creation of a readonly token should involve an interactive org selection step, e.g. see below what I had to do:

% fly tokens create readonly
? Select Organization: Jacob Fenton (personal)

FlyV1 fm2_.....

If all else fails, anyone can “attenuate” (reduce permissions of) a token themselves, so you could do the following as a one-liner to get a readonly org token:

FLY_API_TOKEN=$(fly tokens create org -o MY_ORG_SLUG) fly tokens create readonly --from-existing

The --from-existing flag will cause attenuation of the token in $FLY_API_TOKEN, giving you a readonly org token. This obviously doesn’t mean members can’t create a fully-permissioned token, but it does mean they can daily drive a readonly token.
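As an added example (not from the thread or from Fly.io), here is the attenuation one-liner above wrapped in a small shell function, so a team member can script a read-only token without ever keeping the full-access org token in a variable, file or the calling shell's environment. It assumes only what the thread shows: that fly tokens create org -o SLUG prints a full-access org token, that fly tokens create readonly --from-existing attenuates the token in $FLY_API_TOKEN, and that both print the bare token (FlyV1 fm2_... in the thread) on stdout; the function name fly_readonly_token is made up here.

```shell
#!/bin/sh
# Added example, not Fly.io's code. Assumes the flyctl commands exactly as
# shown in the thread:
#   fly tokens create org -o <slug>            -> prints a full-access org token
#   fly tokens create readonly --from-existing -> attenuates $FLY_API_TOKEN
# and that both print the bare token ("FlyV1 fm2_...") on stdout.

# fly_readonly_token ORG_SLUG
# Prints a read-only org token for ORG_SLUG. The full-access token exists only
# as the FLY_API_TOKEN variable of the single attenuation command; it is never
# assigned to a shell variable, written to disk, or left in the environment.
fly_readonly_token() {
  slug=$1
  if [ -z "$slug" ]; then
    echo "usage: fly_readonly_token ORG_SLUG" >&2
    return 2
  fi
  # Attenuate in one step: the prefix assignment scopes the full token to
  # this one command, and a failure of either fly call aborts the function.
  ro=$(FLY_API_TOKEN=$(fly tokens create org -o "$slug") \
       fly tokens create readonly --from-existing) || return 1
  # Sanity check on the assumed output format before anything consumes it.
  case "$ro" in
    "FlyV1 "*) printf '%s\n' "$ro" ;;
    *) echo "unexpected token output" >&2; return 1 ;;
  esac
}
```

Usage is RO=$(fly_readonly_token my-org-slug) followed by exporting RO as FLY_API_TOKEN for the integration; the write-capable token is created and discarded inside the function, which is the least-privilege outcome the original post asks for even though, as the reply notes, nothing stops a member from creating the fully-permissioned token in the first place.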

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.