algolia
API key not working if key is set as local
Hi,
I am not sure if this is expected behavior.
If I create API key (set index, set ACL) it works from Algolia CLI. If I create another key with the same configuration and making key local (bound key to index), it does not work (I get 403).
Is this expected behavior?
Best regards, Nole
Hi @No1e.
To clarify: you're creating an index with the --indices restriction, correct?
Which commands are you running that don't work? For example, you can't even search the index with your API key?
Hi @kai687 I am not creating index, index was already created. I was creating API key from Algolia Web Portal (not CLI).
A little background. As part of Azure DevOPS CICD, one task is executing PowerShell script that:
- Clears destination index
- Clones (imports) all search records from source to destination index
- Clones (imports) configuration from source to destination index
To avoid any unattended access, I decided to create two API keys:
- One key with the following ACL: "browse, settings" on source index (production)
- One key with the following ACL: "addObject, deleteIndex, editSettings, settings, ...", on destination index.
All this to prevent unintended operations and data loss on production index.
So, when this option is turned off, all good
But, that option is turned on, nothing works. Here are commands used in the script
` algolia indices clear $algoliaDestinationIndexName --application-id $algoliaAppName --api-key $algoliaDestinationApiKey -y
algolia objects browse $algoliaSourceIndexName --application-id $algoliaAppName --api-key $algoliaSourceIndexApiKey | algolia objects import $algoliaDestinationIndexName --application-id $algoliaAppName --api-key $algoliaDestinationApiKey -F -
algolia settings get $algoliaSourceIndexName --application-id $algoliaAppName --api-key $algoliaSourceIndexApiKey | algolia settings import $algoliaDestinationIndexName --application-id $algoliaAppName --api-key $algoliaDestinationApiKey -F -
So without that option it works, but very bad because someone can add additional index for that second API key.
Best regards, Novak
Yes, that's what I meant. Thanks for the details.
Local API keys are an old concept. Newly created Algolia applications don't see this option anymore, although you can still use the HTTP endpoints if you know them. Local API keys don't work with the Algolia CLI.
Why don't local API keys work with the CLI?
Before running a command, the CLI checks if the provided API key has the necessary permissions to run the command. This check makes a `GET` request to the `/1/keys/{key}` endpoint where `{key}` is the API key you provide. However, a) the local API keys don't show up under this endpoint and b) the local API key can't be used to make that request in the first place because it lacks permissions. That's why no command works with local API keysInstead of relying on "local" API keys, Algolia added the indexes restriction to regular API keys, that fulfill the same purpose of limiting, which indices are accessible by an API key.
Create an API key with index restrictions in the dashboard
When I click New API Key in the dashboard, I don't see this "Local API key" toggle. But in the Indices field, I can add the index name of the source index and the API key can only be used to perform actions on this index.
Do you have this option when you create new API keys in the dashboard?
Create an API key with index restrictions with the CLI
The following commands require using your Admin API key on the command line
# Create API key restricted to {SOURCE_INDEX}
algolia apikeys create --description "API key for source index" --acl "search,browse" --indices "{SOURCE_INDEX}" --application-id "{APP_ID}" --api-key "{ADMIN_API_KEY}"
# Create API key restricted to {DESTINATION_INDEX}
algolia apikeys create --description "API key for destination index" --acl "addObject,settings,editSettings,deleteObject,deleteIndex,..." --indices "{DESTINATION_INDEX}" --application-id "{APP_ID}" --api-key "{ADMIN_API_KEY}"