I have a build and publish script to publish my CONDA package to an Artifact Repo. I’d like to automate the process in my GitHub Actions but I can’t figure out how to generate the access token. I know how to create access tokens with service accounts using the OSDK. However, it’s not clear that the OSDK can include Artifact Repos as a resource. I did include the project that contains the Artifact Repo under the OSDK resources. I also enabled the connectivity, filesystem, and orchestration capabilities. Will this approach allow me to generate access tokens I can use to publish my CONDA package?
I tried publishing with an auth token I retrieved from my OSDK:
import os

# Import path for the Foundry Platform SDK (0.x layout; newer releases
# expose the same classes from the foundry_sdk package instead).
from foundry import ConfidentialClientAuth, FoundryClient

auth = ConfidentialClientAuth(
    client_id=os.getenv("OSDK_CLIENT_ID"),
    client_secret=os.getenv("OSDK_CLIENT_SECRET_ID"),
    hostname="https://MY_URL.palantirfoundry.com",
    should_refresh=True,
    # Scopes as generated by the OSDK console for this application
    scopes=[
        "api:use-ontologies-read",
        "api:use-ontologies-write",
        "api:use-filesystem-read",
        "api:use-filesystem-write",
        "api:use-connectivity-read",
        "api:use-connectivity-write",
        "api:use-connectivity-execute",
        "api:use-orchestration-read",
        "api:use-orchestration-write",
        "api:use-mediasets-read",
        "api:use-mediasets-write",
        "api:use-sql-queries-read",
        "api:use-sql-queries-execute",
    ],
)
client = FoundryClient(auth=auth, hostname="https://MY_URL.palantirfoundry.com")
token = auth.get_token()
# Debug output only: printing a bearer token into CI logs is not safe
print(token.access_token)
# set the env variable for the token
os.environ["TOKEN"] = token.access_token
But I get permission denied when attempting to publish. I could really use an answer here to understand whether auto-publishing is going to be possible or not.
You'll need to NOT pass any scopes parameter in the OAuth2 call. Translated to your code, I would set up auth like this:
import os

from foundry import ConfidentialClientAuth, FoundryClient

# No scopes parameter: the token gets every scope the service user holds
auth = ConfidentialClientAuth(
    client_id=os.getenv("OSDK_CLIENT_ID"),
    client_secret=os.getenv("OSDK_CLIENT_SECRET_ID"),
    hostname="https://MY_URL.palantirfoundry.com",
    should_refresh=True,
)
That way the token will receive all scopes the service user (= client_id) has. If you have granted Editor permissions on the project space where your artifact repository resides, this should be sufficient.
This is still not a nice solution for GitHub connectivity, as you need to generate and maintain a client_id and client_secret. It's a long-standing ask that Foundry support Workload Identity Federation with OIDC, which is a standard supported by almost every cloud provider and data platform nowadays. I hope this is implemented soon so that trust relationships can replace secrets.
I tried what you suggested but I am still getting
{"errorCode":"UNAUTHORIZED","errorName":"Default:Unauthorized","errorInstanceId":"c7017df8-c896-48f3-a062-229f23fed44d","parameters":{}}
The scopes were auto-generated by the OSDK console after configuring the application. They should be correct. I'll keep trying things.
Oh yeah, I think the OSDK apps are restricted to the "new" Public API scopes, and there is no public API to push Docker images.
A non-OSDK TPA should work though; what a mess…
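The two points made in this thread, requesting the token without any scope parameter and doing it from a plain third-party application rather than an OSDK app, can be done without the SDK at all. The following is an added example, not code from either poster or from Palantir's SDK: it performs the OAuth2 client-credentials grant against the Multipass token endpoint (the path `/multipass/api/oauth2/token` and the environment variable names `FOUNDRY_HOSTNAME`, `FOUNDRY_CLIENT_ID`, `FOUNDRY_CLIENT_SECRET` are assumptions you must match to your tenant and your CI secrets), omits `scope` unless one is explicitly requested, and hands the token to later GitHub Actions steps through `$GITHUB_ENV` after masking it so the runner redacts it from the job log instead of printing it.

```python
"""Added example (not from the original thread): obtain a Foundry token for a
third-party application with the OAuth2 client-credentials grant, without
passing any scope, and hand it to the rest of a GitHub Actions job.

Assumptions (placeholders, not from the post): the token endpoint is
<hostname>/multipass/api/oauth2/token and the TPA credentials live in the
FOUNDRY_CLIENT_ID / FOUNDRY_CLIENT_SECRET environment variables.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional, Sequence, Tuple

TOKEN_PATH = "/multipass/api/oauth2/token"  # assumed Multipass token endpoint


def build_token_request(hostname: str, client_id: str, client_secret: str,
                        scopes: Optional[Sequence[str]] = None) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for the client-credentials grant.

    With scopes=None the `scope` field is left out entirely, so the token
    carries everything the service user may do. An explicit scope list
    restricts the token to those public-API scopes, which is why a scoped
    OSDK token was rejected on the artifact repository.
    """
    url = hostname.rstrip("/") + TOKEN_PATH
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        fields["scope"] = " ".join(scopes)
    return url, urllib.parse.urlencode(fields).encode()


def fetch_token(hostname: str, client_id: str, client_secret: str,
                scopes: Optional[Sequence[str]] = None, transport=None) -> str:
    """POST the grant and return the access token string.

    `transport(url, body) -> response bytes` is injectable so the logic can
    be exercised offline; the default sends the request with urllib.
    """
    url, body = build_token_request(hostname, client_id, client_secret, scopes)
    if transport is None:
        def transport(u: str, b: bytes) -> bytes:
            req = urllib.request.Request(
                u, data=b, method="POST",
                headers={"Content-Type": "application/x-www-form-urlencoded"})
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
    payload = json.loads(transport(url, body))
    if "access_token" not in payload:
        # Never echo the request (it holds the client secret); the response is safe
        raise RuntimeError(f"token endpoint returned no access_token: {payload}")
    return payload["access_token"]


def export_for_github_actions(token: str, env_file: str, name: str = "TOKEN") -> str:
    """Mask the token in the job log and append NAME=token to the env file.

    `::add-mask::` is the GitHub Actions workflow command that makes the
    runner redact the value in all later log output; appending NAME=value
    to $GITHUB_ENV exposes it to subsequent steps (e.g. the conda publish
    script) without ever printing it in clear.
    """
    print(f"::add-mask::{token}")
    line = f"{name}={token}\n"
    with open(env_file, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    tok = fetch_token(
        os.environ["FOUNDRY_HOSTNAME"],
        os.environ["FOUNDRY_CLIENT_ID"],
        os.environ["FOUNDRY_CLIENT_SECRET"],
    )
    export_for_github_actions(tok, os.environ["GITHUB_ENV"])
```

In a workflow, store the client id and secret as repository secrets, expose them as environment variables on the step that runs this script, and let the publish script read `$TOKEN` from the environment in a later step; the secret itself is then only ever present on the runner, never in the log.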
