astronomer
Give the user a clue that org tokens require individual workspace permissions
✍️ Is your feature request related to a problem? Please describe.
The first time I tried to use Oranization Level API tokens, I (naively) did this:
- create the token
- try to use it to list workspaces, like so:
$ export ASTRO_API_TOKEN={token material here}
$ astro workspace list
Using an Astro API Token
NAME ID
Seeing an empty list here confused me:
This organization has many workspaces, why can't I see any of them?
What I should have done was:
- create the token
- go to the workspace and add the token
- use it to list workspaces
🧩 Describe the solution you'd like
I'd like a hint, somewhere in the output, that the token I'm using is limited in its scope. Otherwise it's hard to know why I'm getting empty lists back. For instance, this would work:
$ export ASTRO_API_TOKEN={token material here}
$ astro workspace list
Using an Astro API Token with access to 0 workspaces
NAME ID
Another idea would be to hint about the type of access that is needed:
Using an Astro API Token with view access to 0 workspaces
A separate warning is only needed for aggregate operations where "failure because you're not allowed" and "you're allowed but there was nothing to find" are indistinguishable. In other cases (like astro deployment delete ...) the failure message indicates a permissions issue, which is enough of a hint that the user should go look at workspace-level permissions.
Is your feature request specific to a particular Astronomer Platform?
- [x] Astro
- [ ] Software
- [ ] None/Unknown
