Fine grained permissions for API tokens (API V2)
matt.chamberlain@bayshann.com
We'd like the ability to lock down (whitelist) what API permissions an API token has.
For example, we want to have an API token solely for the purpose of creating environment variables in a project. We don't need it to do anything else and would like to be able to only grant this ability (to add environment variables) and nothing more. This way the security would be much improved instead of having a token that has full access. The API action in our case we'd like to have an explicit permission for is https://circleci.com/docs/api/v2/index.html#tag/Project/operation/createEnvVar
I'm sure there'll be many other use-cases where it makes sense to only allow limited operations for improved security.
Thanks!
Autopilot
Merged in a post:
Scoped API keys
Nick Oakes
Support for improved security posture and opportunities to more securely automate API interactions that require highly privileged creds (i.e. publish orbs, policy sets). Additionally, job-based API keys to improve security. Currently v2 automation requires long-lived service account credentials that need to be rotated.