I would like to create a token that is strictly scoped to accessing a single resource (a dataset, with viewer permissions) in Foundry. Such a token would be used to automate certain testing which relies on information from that dataset.
Is there a straightforward solution allowing me to do that?
Unfortunately not.
You could use a TPA with the client credentials grant and assign only viewer permissions on the dataset (if you have resource-level permissions activated in your Compass project).
However, at any time Foundry users could add your TPA to additional groups, thus expanding its permissions without you knowing about it.
Here is the FR that would fix it:
https://community.palantir.com/t/allow-project-restriction-for-tpa-client-credentials-service-user/1144/4
Yup, as @nicornk mentioned, you could make a third-party app in Dev Console (docs) and then use the client_id and secret to call the token endpoint.
You can grant that third-party app only read access to the dataset; however, it is not currently possible to restrict which resources the TPA can be given access to upon creation of the client_id and secret.
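As an added illustration of the client-credentials exchange described in the two replies above (this is example code written for this page, not code from the thread or from Palantir), the script below builds the token request, validates the token response, and uses the bearer token to read the dataset. The hostname, client_id, client_secret, the token-endpoint path `/multipass/api/oauth2/token`, the scope name `api:datasets-read` and the `readTable` endpoint path are all assumptions for the example and should be checked against the Dev Console docs for your stack. Note the caveat the replies make: the scope only narrows what the token may do within whatever the TPA's service user has been granted, so if someone later adds the service user to a broader group, the same script silently gains that access.

```python
"""Client-credentials token exchange for a Foundry third-party application
(TPA), followed by a read-only dataset call with the resulting bearer token.

Added example for this thread, not Palantir's code. Assumed (not stated on
the page): the token endpoint path, the scope name and the readTable path.
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class Token:
    access_token: str
    expires_at: float  # epoch seconds after which the token must be refreshed


def build_token_request(hostname, client_id, client_secret, scopes):
    """Return (url, form_body_bytes, headers) for the client-credentials grant.

    The requested scopes can only narrow a token relative to the permissions
    the TPA's service user already holds; they never grant anything extra.
    """
    url = f"https://{hostname}/multipass/api/oauth2/token"  # assumed path
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    }).encode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, body, headers


def parse_token_response(raw, now=None, refresh_margin=60):
    """Validate a token response and attach an absolute expiry time.

    Anything that is not a bearer token with an expiry is rejected, so the
    caller never caches a credential it cannot reason about.
    """
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    if "access_token" not in data or "expires_in" not in data:
        raise ValueError("token response lacks access_token or expires_in")
    now = time.time() if now is None else now
    # Treat the token as expired slightly early so a test run never starts
    # with a credential that dies mid-run.
    return Token(data["access_token"], now + int(data["expires_in"]) - refresh_margin)


def fetch_token(hostname, client_id, client_secret, scopes, opener=None):
    """POST the grant to the token endpoint and return a validated Token."""
    url, body, headers = build_token_request(hostname, client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=30) as resp:
        return parse_token_response(resp.read())


def build_read_request(hostname, dataset_rid, token):
    """Build the GET request that reads the dataset as CSV (assumed path)."""
    query = urllib.parse.urlencode({"format": "CSV"})
    url = f"https://{hostname}/api/v1/datasets/{dataset_rid}/readTable?{query}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token.access_token}"}, method="GET"
    )


def read_dataset_csv(hostname, dataset_rid, token, opener=None):
    """Read the dataset with the scoped token; raise if the token is stale."""
    if time.time() >= token.expires_at:
        raise RuntimeError("token expired; fetch a fresh one before reading")
    opener = opener or urllib.request.build_opener()
    with opener.open(build_read_request(hostname, dataset_rid, token), timeout=60) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed placeholder values; real ones come from Dev Console.
    host = "foundry.example.com"
    tok = fetch_token(host, "CLIENT_ID", "CLIENT_SECRET", ["api:datasets-read"])
    print(read_dataset_csv(host, "ri.foundry.main.dataset.00000000-0000-0000-0000-000000000000", tok)[:200])
```

Keep the client secret out of the test code itself (read it from the CI secret store) and request only `api:datasets-read`; the token then cannot be used to write even if the TPA is later over-permissioned, although read access still widens with the service user's group memberships, which is exactly the gap the feature request above asks to close.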
We are building the same use case for e2e testing and will follow that approach. If it works correctly by now, you can scope the TPA to a certain project where only you/admins have permissions. This way you can restrict the actual usage even if people could assign the TPA client to other resources. There are some caveats though: the Ontology API endpoints don't follow that restriction (yet?).
I raised that issue quite some time ago but don't know what the current state is.