Service Token naming
The issue I’m currently facing is that they is no consistent human-readable form of name used across the Doppler environment for a Token. This is rather key for issue resolution and auditing.
At the moment there are
At the time of creation, I know
context - The known config path - workplace/project/environment/config
name - The text name given to a token
Token - dp.st.dev.b0kg0ZVodCQDF0kL3U0hFI4vhSJdHC6XN3p34ZukXIg
When reading a Token I know
Token - dp.st.dev.b0kg0ZVodCQDF0kL3U0hFI4vhSJdHC6XN3p34ZukXIg
config - dev
When a Token is passed to Doppler CLI
context - The known config path - workplace/project/environment/config
Short form - dp.st…ZukXIg
When I look at the list of Tokens defined against a config via the web GUI
context - The known config path - workplace/project/environment/config
name - The text name given to a token
When I look at the list of Tokens defined via the Tokens page in the web GUI
context - The known config path - workplace/project/environment/config
name - The text name given to a token
Short form - dp.st…ZukXIg
When I look at the Logs of a config
context - The known config path - workplace/project/environment/config
name - The text name given to a token
When I access tokens via the API
context - The known config path - workplace/project/environment/config
name - The text name given to a token
UUID - The Doppler database unique ID of the token
So there is no common way to work with a token from an OPS or security point of view.
The full token name does not provide the detail needed to find the config it is defined in, while the short form shown by the CLI and the Token web GUI page can not be used/accessed via the API. The fact that the short form uses the last few digits from the token’s random portion, rather than the first few digits also makes things harder as I have to regex-based searches rather than simple text searches for keys.
The rather simple tasks I need to deal with include
- Is this token still referenced in the code/config base? - this needs a retrievable short form of the token that can be used in a simple search.
- When was this token last used?
- Which config does this token relate to? (This needs to be done without using the token)
- What access rights have been granted to this token?
The current API does not help with any of the above, instead, I would need to screen scrape the Token page in the web GUI as my starting point. The reason for this is that it only provides an internal UUID as a reference and I am hoping that the UUID is not related to the token’s value in any computable way.
All of the above simple tasks lead to a longer-term task - that of rotating tokens over time.