What exactly is an ephemeral token?
It will still be considered as the script ran on my behalf, so what is the use? Please explain.
I want to know why I would use this instead of a user-specific token.
As in Runs, I can see my name.
It's a way to mitigate token leakage
Same reasons one rotates tokens.
So it is like one-time tokens?
And you can trace back token usage in logs
Well it's not one time
It's ephemeral
I understood the generated token ABC will remain the same.
So when the script is run with this, it generates another temporary token DEF and uses that.
After this temporary token DEF is expired, another new temporary token PQR is generated
And by setting the scope, only that flow/script can be run with that token ABC, instead of the entire access of the original user.
Correct?
A new token is generated per execution
Got it, so only this statement was wrong:
After this temporary token DEF is expired
The corrected one is:
Every execution, a new temporary token will be generated. First run DEF, second run PQR, and so on.
The token has the same rights as the triggerer
Even by setting scope?
It says in the post image:
This token can only be used within its scope
That's the original token
oh
The ephemeral token can have more rights
ABC can be run only for that particular flow
but DEF and PQR will have same rights as original user
But DEF and PQR will not be available to the end-user who triggers the script if he does not have access to Windmill itself.
That's correct
Now understood 👍
One last point: if a flow/script is using some secret, will this token, called with the Windmill variables REST API, reveal the secret?
I don't think so, but just confirming.
Talking about the ABC token, not DEF/PQR.
I'm not sure I follow in what sense it would "reveal" them?
Do you have an example of what you mean?
I mean, can this token be used with these APIs: https://app.windmill.dev/openapi.html#/
Example: users who are given only read-execute access to scripts need to have access to the secrets which the script uses. So we put the script and its secrets in the same folder and give that access.
So they can see the secrets of that folder too.
Similarly, can a user who has this token ABC (not the original user) also have access to the secrets used in that flow/script?
Tokens act on behalf of the caller, not of the script
So if the caller doesn't have access, neither does the ephemeral token.
(that is different when scripts are called from apps, which are called on behalf of the person that deployed the app)
Talking about the first token, i.e. ABC.
When I triggered another flow with ABC, though the original user has access to it, it was not allowed because the scope was missing. This is EXPECTED AND CORRECT.
So my doubt is, for this ABC token, what are the available permissions:
execute access to that script only,
or with the ABC token, can I read that script's code too using the REST APIs?
I think I understood: you can't read the script either with the scoped token (ABC).
I tried this API https://app.windmill.dev/openapi.html#/operations/getScriptByPath, and it failed saying:
Unauthorized scoped token: Some(["run:flow/f/path"])
I think run here means only execute is allowed, no read also.
Yes, that's correct.