Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecating user API key from docs #6358

Merged
merged 10 commits into from
Oct 24, 2024
2 changes: 1 addition & 1 deletion website/docs/docs/dbt-cloud-apis/apis-overview.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,4 @@ If you want to learn more about webhooks, refer to [Webhooks for your jobs](/doc

## How to Access the APIs

dbt Cloud supports two types of API Tokens: [user tokens](/docs/dbt-cloud-apis/user-tokens) and [service account tokens](/docs/dbt-cloud-apis/service-tokens). Requests to the dbt Cloud APIs can be authorized using these tokens.
dbt Cloud supports two types of API Tokens: [personal access tokens](/docs/dbt-cloud-apis/user-tokens) and [service account tokens](/docs/dbt-cloud-apis/service-tokens). Requests to the dbt Cloud APIs can be authorized using these tokens.
8 changes: 3 additions & 5 deletions website/docs/docs/dbt-cloud-apis/authentication.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ pagination_prev: null
<div className="grid--2-col">

<Card
title="User tokens"
title="Personal access tokens"
body="Learn about user tokens and how to use them to execute queries against the dbt Cloud API."
link="/docs/dbt-cloud-apis/user-tokens"
icon="dbt-bit"/>
Expand All @@ -23,17 +23,15 @@ pagination_prev: null

## Types of API access tokens

**User API keys (Legacy):** User API keys were historically the only method available to access dbt Cloud APIs on the user’s behalf. They are scoped to the user and not the account. User API Keys will eventually be deprecated for the more secure personal access tokens.

**Personal access tokens (New):** Personal access tokens (PATs) are the new, preferred, and secure way of accessing dbt Cloud APIs on behalf of a user. They are more secure than user API Keys. PATs are scoped to an account and can be enhanced with more granularity and control.
**Personal access tokens:** Personal access tokens (PATs) are the preferred and secure way of accessing dbt Cloud APIs on behalf of a user. PATs are scoped to an account and can be enhanced with more granularity and control.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

**Service tokens:** Service tokens are similar to service accounts and are the preferred method to enable access on behalf of the dbt Cloud account.

### Which token type should you use

You should use service tokens broadly for any production workflow where you need a service account. You should use PATs only for developmental workflows _or_ dbt Cloud client workflows that require user context. The following examples show you when to use a personal access token (PAT) or a service token:

* **Connecting a partner integration to dbt Cloud** &mdash; Some examples include the [dbt Semantic Layer Google Sheets integration](/docs/cloud-integrations/avail-sl-integrations), Hightouch, Datafold, a custom app you’ve created, etc. These types of integrations should use a service token instead of a PAT because service tokens give you visibility, and you can scope them to only what the integration needs and ensure the least privilege. We highly recommend switching to a service token if you’re using a user API key for these integrations today.
* **Connecting a partner integration to dbt Cloud** &mdash; Some examples include the [dbt Semantic Layer Google Sheets integration](/docs/cloud-integrations/avail-sl-integrations), Hightouch, Datafold, a custom app you’ve created, etc. These types of integrations should use a service token instead of a PAT because service tokens give you visibility, and you can scope them to only what the integration needs and ensure the least privilege. We highly recommend switching to a service token if you’re using a personal acess token for these integrations today.
* **Production Terraform** &mdash; Use a service token since this is a production workflow and is acting as a service account and not a user account.
* **Cloud CLI** &mdash; Use a PAT since the dbt Cloud CLI works within the context of a user (the user is making the requests and has to operate within the context of their user account).
* **Testing a custom script and staging Terraform or Postman** &mdash; We recommend using a PAT as this is a developmental workflow and is scoped to the user making the changes. When you push this script or Terraform into production, use a service token instead.
2 changes: 1 addition & 1 deletion website/docs/docs/dbt-cloud-apis/service-tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ If you have service tokens created on or before July 18, 2023, please read [this

:::

Service account tokens enable you to securely authenticate with the dbt Cloud API by assigning each token a narrow set of permissions that more precisely manages access to the API. While similar to [User API tokens](user-tokens), service account tokens belong to an account rather than a user.
Service account tokens enable you to securely authenticate with the dbt Cloud API by assigning each token a narrow set of permissions that more precisely manages access to the API. While similar to [personal access tokens](user-tokens), service account tokens belong to an account rather than a user.

You can use service account tokens for system-level integrations that do not run on behalf of any one user. Assign any permission sets available in dbt Cloud to your service account token, which can vary slightly depending on your plan:

Expand Down
54 changes: 20 additions & 34 deletions website/docs/docs/dbt-cloud-apis/user-tokens.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,36 +4,38 @@ id: "user-tokens"
pagination_next: "docs/dbt-cloud-apis/service-tokens"
---
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

# User tokens <Lifecycle status="team,enterprise"/>
# Account-scoped personal access tokens <Lifecycle status="team,enterprise"/>

:::note Announcement
:::Warning

_User tokens will be deprecated on October 22nd, 2024._
User API tokens have been deprecated and will no longer work. [Migrate](#migrate-from-user-api-keys-to-personal-access-tokens) to personal access tokens to resume services.

The [user API tokens](/docs/dbt-cloud-apis/user-tokens#user-api-tokens) are being replaced by [account-scoped personal access tokens(PATs)](#account-scoped-personal-access-tokens). If you do not rotate your existing user tokens with PATs by October 22nd, the services using the tokens will encounter errors.


Cloud CLI config files need to be re-downloaded before October 22nd, 2024.
:::

The current API key is located under **Personal Settings → API Key.**
Each dbt Cloud user with a [Developer license](https://docs.getdbt.com/docs/cloud/manage-access/seats-and-users) can create a new personal access token (PAT) to access the dbt Cloud API and dbt Cloud CLI. This token can execute queries against the dbt Cloud API on the user's behalf. To access dbt Cloud APIs and resources on behalf of the _account_, we recommend using service tokens instead. Learn more about [which token type you should use](/docs/dbt-cloud-apis/authentication#which-token-type-should-you-use) to understand the token differences.

Please [contact support](/docs/dbt-support#dbt-cloud-support) with any questions or concerns.
PATs inherit the permissions of the user that created them. For example, if a developer-licensed user with Project Admin role access to specific projects creates a PAT, the token will get the Project Admin role with access to the same projects as the user. These tokens are also account-specific, so if a user has access to more than one dbt Cloud account with the same email address, they need to create a unique PAT for each one of these accounts.

:::
## Create a personal access token
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

## Account-scoped personal access tokens
Creating an account scoped PAT requires only a few steps.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved
1. Navigate to your **Account Settings**, expand **API tokens** and click **Personal tokens**.
2. Click **Create personal access token**.
3. Give the token a descriptive name and click **Save**.

:::info New
4. Copy the token before closing the window. _It will not be available after, and you will have to create a new token if you lose it._

On Feb 7, 2024, we introduced a new type of token for individual users called personal access tokens. Note that these differ from [Service Tokens or API Keys](/docs/dbt-cloud-apis/authentication#types-of-api-access-tokens). Before this release, user API keys were the only way to access dbt Cloud API on behalf of the user. These API Keys were user-specific and were not scoped to an account. To enhance the security of dbt Cloud, we are moving away from this model to account-specific tokens.
### Rotate your tokens
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

:::
It's recommended that you rotate your PATs at regular intervals for security purposes. To rotate your PATs, create a new token and, once it's in place, delete the old token.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
It's recommended that you rotate your PATs at regular intervals for security purposes. To rotate your PATs, create a new token and, once it's in place, delete the old token.
It's recommended that you regularly rotate your PATs to maintain robust security. To rotate your PATs, create a new token and, once it's in place, delete the old token.

matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

Each dbt Cloud user with a [Developer license](https://docs.getdbt.com/docs/cloud/manage-access/seats-and-users) can create a new personal access token (PAT) to access the dbt Cloud API and dbt Cloud CLI. This token can execute queries against the dbt Cloud API on the user's behalf. To access dbt Cloud APIs and resources on behalf of the _account_, we recommend using service Tokens instead. Learn more about [which token type you should use](/docs/dbt-cloud-apis/authentication#which-token-type-should-you-use) to understand the token differences.
To delete a token:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be easier for folks to find if we elevate it to an L2. Whatever you decide for creating a PAT, you should do here identifying the acronym in the header or 1st paragraph.

Suggested change
To delete a token:
## Delete a personal access token (PAT)
If you're rotating your tokens, make sure to create a new token before deleting the old one.
To delete a PAT:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We define (PAT) in the headers above, it might be a little overkill here. Makes the link simpler to leave it off


PATs inherit the permissions of the user that created them. For example, if a developer-licensed user with Project Admin role access to specific projects creates a PAT, the token will get the Project Admin role with access to the same projects as the user. These tokens are also account-specific, so if a user has access to more than one dbt Cloud account with the same email address, they need to create a unique PAT for each one of these accounts.
1. Navigate to your **Account Settings**, expand **API tokens** and click **Personal tokens**.
2. Find the token you want to delete and click "X" to the right of the token description fields.
3. **Confirm delete** and the token will no longer be valid.

### Migrate from user API keys to personal access tokens
## Migrate deprecated user API keys to personal access tokens

The migration to PATs is critical if you are using user API keys today. The current API key is located under **Personal Settings → API Key**.

Expand All @@ -55,7 +57,7 @@ If you’re using any undocumented and unsupported API endpoints, please note th

:::

### Using the new personal access tokens
### Using the personal access tokens
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

Are you using a user API key today to access dbt Cloud APIs in any of your workflows? If not, you don’t have any action to take. If you are using a user API key, please follow the instructions below.

Expand All @@ -64,19 +66,3 @@ Are you using a user API key today to access dbt Cloud APIs in any of your workf
3. Create and copy the new PAT to replace the old user API key.
4. Ensure that you’re using a PAT only where it's needed. For any flows that requires a service account, please use a service token. Read the section below for more information.
matthewshaver marked this conversation as resolved.
Show resolved Hide resolved

## User API tokens

Each dbt Cloud user with a [Developer license](/docs/cloud/manage-access/seats-and-users) is
issued an API token. This token can be used to execute queries against
the dbt Cloud API on the user's behalf. User API tokens inherit the
permissions of the user that they were created for.

You can find your user API token in the **Profile page** under the **API Access**
label.

<Lightbox src="/img/api-access-profile.jpg" title="Finding your API token in your dbt Cloud Profile" />

## FAQs

<FAQ path="API/rotate-token" />
<FAQ path="Accounts/find-user-id" />
1 change: 1 addition & 0 deletions website/docs/docs/dbt-versions/release-notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ Release notes are grouped by month for both multi-tenant and virtual private clo

## October 2024

- **Behavior change:** User API tokens have been deprecated. Update to [personal access tokens](/docs/dbt-cloud-apis/user-tokens) if you have any still in use.
- **New**: The dbt Cloud IDE supports signed commits for Git, available for Enterprise plans. You can sign your Git commits when pushing them to the repository to prevent impersonation and enhance security. Supported Git providers are GitHub and GitLab. Refer to [Git commit signing](/docs/cloud/dbt-cloud-ide/git-commit-signing.md) for more information.
- **New:** With dbt Mesh, you can now enable bidirectional dependencies across your projects. Previously, dbt enforced dependencies to only go in one direction. dbt checks for cycles across projects and raises errors if any are detected. For details, refer to [Cycle detection](/docs/collaborate/govern/project-dependencies#cycle-detection). There's also the [Intro to dbt Mesh](/best-practices/how-we-mesh/mesh-1-intro) guide to help you learn more best practices.

Expand Down
60 changes: 0 additions & 60 deletions website/docs/faqs/API/rotate-token.md

This file was deleted.

2 changes: 1 addition & 1 deletion website/docs/faqs/Accounts/find-user-id.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ sidebar_label: 'Where can I find my user ID'
id: find-user-id
---

Knowing your dbt Cloud user ID can help with actions related to [rotating your API token](/faqs/API/rotate-token), interacting with support, and more.
Knowing your dbt Cloud user ID can help with interacting with support.

To find your user ID in dbt Cloud, read the following steps:

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Using Databricks workflows to call the dbt Cloud job API can be useful for sever

## Set up a Databricks secret scope

1. Retrieve **[User API Token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens#user-api-tokens) **or **[Service Account Token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens#generating-service-account-tokens) **from dbt Cloud
1. Retrieve **[personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) **or **[Service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens#generating-service-account-tokens) **from dbt Cloud
2. Set up a **Databricks secret scope**, which is used to securely store your dbt Cloud API key.

3. Enter the **following commands** in your terminal:
Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/serverless-datadog.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ Wrote config file fly.toml<br/>
## Store secrets

The application requires four secrets to be set, using these names:
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_AUTH_TOKEN`: the Secret Key for the dbt Cloud webhook you created earlier.
- `DD_API_KEY`: the API key you created earlier.
- `DD_SITE`: The Datadog site for your organisation, e.g. `datadoghq.com`.
Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/serverless-pagerduty.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ Make note of the Webhook Secret Key for later.

## Store secrets
The application requires three secrets to be set, using these names:
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_SERVICE_TOKEN`: a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens) with at least the `Metdata Only` permission.
- `DBT_CLOUD_AUTH_TOKEN`: the Secret Key for the dbt Cloud webhook you created earlier.
- `PD_ROUTING_KEY`: the integration key for the PagerDuty integration you created earlier.

Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/zapier-ms-teams.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ The sample body's values are hard-coded and not reflective of your project, but

## Store secrets

In the next step, you will need the Webhook Secret Key from the prior step, and a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens).
In the next step, you will need the Webhook Secret Key from the prior step, and a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens).

Zapier allows you to [store secrets](https://help.zapier.com/hc/en-us/articles/8496293271053-Save-and-retrieve-data-from-Zaps), which prevents your keys from being displayed in plaintext in the Zap code. You will be able to access them via the [StoreClient utility](https://help.zapier.com/hc/en-us/articles/8496293969549-Store-data-from-code-steps-with-StoreClient).

Expand Down
2 changes: 1 addition & 1 deletion website/docs/guides/zapier-refresh-mode-report.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ Once you've tested the endpoint in dbt Cloud, go back to Zapier and click **Test
The sample body's values are hard-coded and not reflective of your project, but they give Zapier a correctly-shaped object during development.

## Store secrets
In the next step, you will need the Webhook Secret Key from the prior step, and a dbt Cloud [user token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens), as well as a [Mode API token and secret](https://mode.com/developer/api-reference/authentication/).
In the next step, you will need the Webhook Secret Key from the prior step, and a dbt Cloud [personal access token](https://docs.getdbt.com/docs/dbt-cloud-apis/user-tokens) or [service account token](https://docs.getdbt.com/docs/dbt-cloud-apis/service-tokens), as well as a [Mode API token and secret](https://mode.com/developer/api-reference/authentication/).

Zapier allows you to [store secrets](https://help.zapier.com/hc/en-us/articles/8496293271053-Save-and-retrieve-data-from-Zaps), which prevents your keys from being displayed in plaintext in the Zap code. You will be able to access them via the [StoreClient utility](https://help.zapier.com/hc/en-us/articles/8496293969549-Store-data-from-code-steps-with-StoreClient).

Expand Down
Loading
Loading