https://prefect.io logo
Join Slack
Powered by
Hey all! I am having trouble understanding the ch...
# ask-community
c
Hey all! I am having trouble understanding the change from personal access tokens to api keys. What I understand is that they act in the same way. We have multiple projects that are using prefect. We are using it to run our ELT pipeline with docker, meltano, redshift, and dbt. The proper way to use them is to create a service account for each of the projects that will handle the authentication and store the keys in env variables we call 
PREFECT__CLOUD__AUTH_TOKEN
. Can we just replace references to the personal access tokens (
prefect_auth_token
) to the new name 
PREFECT__CLOUD__AUTH_TOKEN
? Any guidance would be appreciated. Thanks!
k
Hey @Chris Marchetti [Datateer], we’re looking into this for you and will get back to you.
👍 1
t
Hi, Chris! Yes you should be able to use API Keys this way. To be a little more specific, User API Keys have replaced Personal Access Tokens and Service Account API Keys have replaced API Tokens (which used to be scoped as either TENANT or RUNNER). I'll try to whip up some clarifications to the docs re: best practices. Thanks for your question and don't hesitate to follow up if something doesn't work the way you expect
c
Tyler, thank you for your response. I look forward to seeing the clarifications and I will definitely reach out if I have further questions.
s
I was just about to ask this same question; so @Tyler Wanner the API Keys still function in the same way to the API Tokens in the sense that all you need for, say, an agent to be able to authenticate to your cloud instance is the API Key itself, and there's nothing you need to make mention of as far as the account that the API Key is tied to goes?
e.g. instead of passing
Copy code
--token <api-token>
I can pass
Copy code
--token <service-account-api-key>
without needing to pass anything to the agent about the specific service account that the key is associated with?
🚀 1
t
@Sean Talia yes that's true! I'm in the process of transitioning the terminology in that tooling but you can supply a service account API Key as a token
👍 1
the API Key can be considered a complete identity--it has an associated user id (either your User or a Service Account) and tenant (if it's a Service Account API Key, the tenant is obvious. if it's a User API Key, which you should not use for agents generally, you associate it with a tenant on creation)
s
okay cool, thanks for that explanation!
👍 1
would you happen to know what version of prefect core we'd need to be running on to get this message to go away?
and by "go away" I mean for it to actually display which API key / account is being used
okay it looks like even launching the agent with 0.14.17 it doesn't display that information
t
let me look into this--you're using an API Key from a Service Account, and that API Key shows a name in the API Keys page, right?
and you're just supplying the API Key to --token in the agent
s
yep that's exactly right
for what it's worth, i've named the key 
stage-docker-agent-key
and it belongs to a service account i've called 
Stage Agent Service
t
I think the UI is not supporting API Key names here
s
alright so, i don't think that's a big deal I can just document our agent <> API key pairing internally
that does strike me as a loss of functionality, though; is there a plan to update the UI to restore that?
alright @Tyler Wanner sorry to bother you about this again, I'm just trying to fully make sure that this is just the UI doing something unexpected (to me) as opposed to my code not working – the way we have our agents running is they're been kept up by systemd services; I just reconfigured the service files and restarted the service, and I can see in the service logs that the agent is using the new API key that I generated, but in the UI that agent is still showing that the same original API token is "attached" to it
I am going to guess that the UI is just showing to me the original state of the agent when it was originally loaded, despite the fact that the agent is actually running with a newly configured key/token
t
yes I believe that's right. I'll be cooking up some better messaging/ a potential solution soon
s
okay cool, thanks for all your help i appreciate it
4 Views
Open in Slack
PreviousNext
Powered by