ym1198
ym119816mo ago

What exactly is euphemeral token ?

It will still be considered as the script ran on my behalf, so what is the use , please explain
No description
20 Replies
ym1198
ym119816mo ago
I want to know why I would use this instead of user specific token as in Runs. I can see my name
rubenf
rubenf16mo ago
It's a way to mitigate token leakage Same reasons one rotate tokens
ym1198
ym119816mo ago
So it is like one-time tokens ?
rubenf
rubenf16mo ago
And you can trace back token usage in logs Well it's not one time It's ephemeral
ym1198
ym119816mo ago
I understood the generated token ABC will remain same So when script is ran with this, it generated another temporary token DEF and uses that After this temporary token DEF is expired, another new temporary token PQR is generated And by setting the scope, only that flow/script can be run with that token ABC instead of entire access as that of original user correct ?
rubenf
rubenf16mo ago
A new token is generated per execution
ym1198
ym119816mo ago
got it, so only this statement was wrong After this temporary token DEF is expired corrected one is every execution new temporary token will be generated. First run DEF, Second run PQR and so on
rubenf
rubenf16mo ago
The token has the same rights as the triggerer
ym1198
ym119816mo ago
even by setting scope ? It says in post image This token can only be used within its scope
rubenf
rubenf16mo ago
That's the original token
ym1198
ym119816mo ago
oh
rubenf
rubenf16mo ago
The ephemeral token can have more rights
ym1198
ym119816mo ago
ABC can be run only for that particular flow but DEF and PQR will have same rights as original user but DEF and PQR will not be available to end-user who will trigger the script if he does not have access to windmill itself
rubenf
rubenf16mo ago
That's correct
ym1198
ym119816mo ago
Now understood 👍 one last point - if a flow/script is using some secret, will this token called with variables windmill rest api reveal secret ? I dont think so but just confirming talking about ABC token, not DEF/PQR
rubenf
rubenf16mo ago
i'm not sure to follow in what sense it would "reveal" them ? Do you have an example of what you mean ?
ym1198
ym119816mo ago
i mean can this token be used with these apis https://app.windmill.dev/openapi.html#/ example : users who are given only read-execute access to scripts needs to have access on secrets which script uses. so we put script and its secrets in same folder and give that access so they can see secrets too of that folder similarly user who has this token ABC (not original user) can he have access to secrets used in that flow/script, also ?
rubenf
rubenf16mo ago
Tokens act on behalf of the caller, not of the script so if caller doesn't have access, neither the ephemeral token (that is different when scripts are called from apps, which are called on behalf of the person that deployed the app)
ym1198
ym119816mo ago
talking about first token i.e. ABC when i triggered another flow with ABC, though original user has access to it, it did not allowed because scoped was missing. This is EXPECTED AND CORRECT so my doubt is for this ABC token, what are available permissions - execute that script access only or with ABC token, i can read that script code too using rest apis ? I think , i understood, you cant read the script too with scoped token (ABC) I tried for this api https://app.windmill.dev/openapi.html#/operations/getScriptByPath, it failed saying Unauthorized scoped token: Some(["run:flow/f/path"]) I think run here means only execute is allowed, no read also
rubenf
rubenf16mo ago
Yes that's correct