3427 Changes to token access in Cloud (#3661)

* chore: link API endpoint to docs. (#3427). * chore: update Delete a bucket to latest UI. * feat: update Deletea token to latest UI. Add API doc. (#3427) * feat: update Update Tokens for latest UI. Status toggle moved in Cloud. Add CLI and API docs. (#3427) * feat: add restrictions note to View Token. Update to latest Cloud UI. (#3427) * Apply suggestions from code review Co-authored-by: Scott Anderson <sanderson@users.noreply.github.com> Co-authored-by: Scott Anderson <sanderson@users.noreply.github.com>
2022-01-12 13:05:10 -06:00 · 2022-01-12 13:05:10 -06:00 · 68eedd710e
parent a862b9b6da
commit 68eedd710e
5 changed files with 201 additions and 12 deletions
--- a/content/influxdb/v2.1/organizations/buckets/delete-bucket.md
+++ b/content/influxdb/v2.1/organizations/buckets/delete-bucket.md
@ -14,12 +14,26 @@ to delete a bucket.

 ## Delete a bucket in the InfluxDB UI

+{{% oss-only %}}
+
 1. In the navigation menu on the left, select **Data (Load Data)** > **Buckets**.

    {{< nav-icon "data" >}}
-
 2. Hover over the bucket you would like to delete.
-3. Click **{{< icon "delete" >}} Delete Bucket** and **Confirm** to delete the bucket.
+3. Click the **{{< icon "delete" >}}** icon located far right of the bucket name.
+4. Click **Delete** to delete the bucket.
+{{% /oss-only %}}
+
+{{% cloud-only %}}
+
+1. In the navigation menu on the left, select **Load Data** > **Buckets**.
+
+    {{< nav-icon "data" >}}
+
+2. Find the bucket that you would like to delete.
+3. Click the **{{< icon "delete" >}}** icon located far right of the bucket name.
+4. Click **{{< caps >}}Confirm{{< /caps >}}** to delete the bucket.
+{{% /cloud-only %}}

 ## Delete a bucket using the influx CLI

--- a/content/influxdb/v2.1/security/tokens/create-token.md
+++ b/content/influxdb/v2.1/security/tokens/create-token.md
@ -165,7 +165,7 @@ See the [`influx auth create` documentation](/{{< latest "influxdb" >}}/referenc

 Use the `/authorizations` endpoint of the InfluxDB API to create a token.

-{{% api-endpoint method="POST" endpoint="http://localhost:8086/api/v2/authorizations" %}}
+[{{< api-endpoint method="POST" endpoint="http://localhost:8086/api/v2/authorizations" >}}]((/influxdb/v2.1/api/#operation/PostAuthorizations))

 Include the following in your request:

--- a/content/influxdb/v2.1/security/tokens/delete-token.md
+++ b/content/influxdb/v2.1/security/tokens/delete-token.md
@ -15,15 +15,37 @@ Delete API tokens from the InfluxDB user interface (UI) or the `influx` command
 Once deleted, all users and external integrations using the API token will no longer
 have access to your InfluxDB instance.

+- [Delete tokens in the InfluxDB UI](#delete-tokens-in-the-influxdb-ui)
+- [Delete a token using the influx CLI](#delete-a-token-using-the-influx-cli)
+- [Delete a token using the InfluxDB API](#delete-a-token-using-the-influxdb-api)
+
 ## Delete tokens in the InfluxDB UI

+{{% oss-only %}}
+
 1. In the navigation menu on the left, select **Data (Load Data)** > **Tokens**.

    {{< nav-icon "load-data" >}}

-2. Hover over the token you want to delete and click **Delete** and **Confirm**.
+2. Hover over the token you want to delete.
+3. Click the **{{< icon "delete" >}}** icon located far right of the token description.
+3. Click **Delete** to delete the token.

-## Delete tokens using the influx CLI
+{{% /oss-only %}}
+
+{{% cloud-only %}}
+
+1. In the navigation menu on the left, select **Load Data** > **API Tokens**.
+
+    {{< nav-icon "data" >}}
+
+2. Find the token that you would like to delete.
+3. Click the **{{< icon "delete" >}}** icon located far right of the token description.
+4. Click **{{< caps >}}Confirm{{< /caps >}}** to delete the token.
+
+{{% /cloud-only %}}
+
+## Delete a token using the influx CLI

 Use the [`influx auth delete` command](/influxdb/v2.1/reference/cli/influx/auth/delete)
 to delete a token.
@ -37,3 +59,29 @@ influx auth delete -i <auth-id>
 # Example
 influx auth delete -i 03a2bee5a9c9a000
 ```
+
+## Delete a token using the InfluxDB API
+
+Use the `/authorizations` endpoint of the InfluxDB API to delete a token.
+
+[{{< api-endpoint method="DELETE" endpoint="http://localhost:8086/api/v2/authorizations/AUTH_ID" >}}](/influxdb/v2.1/api/#operation/DeleteAuthorizationsID)
+
+Include the following in your request:
+
+| Requirement          | Include by                                               |
+|:-----------          |:----------                                               |
+| API token with the [`write: authorizations`](/influxdb/v2.1/api/#operation/PostAuthorizations) permission  | Use the `Authorization: Token YOUR_API_TOKEN` header. |
+| Authorization ID     | URL path parameter. |
+
+```sh
+# Delete the first authorization listed for the user.
+curl --request GET \
+  "http://localhost:8086/api/v2/authorizations?user=user2" \
+  --header "Authorization: Token ${INFLUX_OP_TOKEN}" \
+  --header 'Content-type: application/json' \
+| jq .authorizations[0].id \
+| xargs -I authid curl --request DELETE \
+  http://localhost:8086/api/v2/authorizations/authid \
+  --header "Authorization: Token ${INFLUX_OP_TOKEN}" \
+  --header 'Content-type: application/json'
+```
--- a/content/influxdb/v2.1/security/tokens/update-tokens.md
+++ b/content/influxdb/v2.1/security/tokens/update-tokens.md
@ -11,7 +11,14 @@ menu:
 weight: 203
 ---

-Update an API token's description using the InfluxDB user interface (UI).
+Update an API token's description and status.
+using the InfluxDB user interface (UI).
+
+- [Update a token in the InfluxDB UI](#update-a-token-in-the-influxdb-ui)
+- [Enable or disable a token in the InfluxDB UI](#enable-or-disable-a-token-in-the-influxdb-ui)
+- [Enable a token using the influx CLI](#enable-a-token-using-the-influx-cli)
+- [Disable a token using the influx CLI](#disable-a-token-using-the-influx-cli)
+- [Update a token using the InfluxDB API](#update-a-token-using-the-influxdb-api)

 ## Update a token in the InfluxDB UI

@ -22,10 +29,101 @@ Update an API token's description using the InfluxDB user interface (UI).
 2. Click the pencil icon {{< icon "pencil" >}} next to the token's name in the **Description** column.
 3. Update the token description, then click anywhere else to save.

-## Enable or disable a token
+## Enable or disable a token in the InfluxDB UI
+
+{{% oss-only %}}

 1. In the navigation menu on the left, select **Data (Load Data)** > **Tokens**.

    {{< nav-icon "load-data" >}}

 2. Click the **{{< icon "toggle-green" >}} Status** toggle.
+
+{{% /oss-only %}}
+
+{{% cloud-only %}}
+
+1. In the navigation menu on the left, select **Load Data** > **API Tokens**.
+
+    {{< nav-icon "data" >}}
+
+2. Find the token that you would like to enable or disable.
+3. Click the token description.
+4. Click the **{{< icon "toggle-blue" >}} Status** toggle.
+
+{{% /cloud-only %}}
+
+## Enable a token using the influx CLI
+
+Use the [`influx auth active` command](/influxdb/v2.1/reference/cli/influx/auth/active)
+to activate a token.
+
+_This command requires an authorization ID, which is available in the output of `influx auth find`._
+
+```sh
+# Syntax
+influx auth active -i <auth-id>
+
+# Example
+influx auth active -i 0804f74142bbf000
+```
+To get the current status of a token, use the JSON output of the [`influx auth list` command](/influxdb/v2.1/reference/cli/influx/auth/list).
+
+```sh
+influx auth find --json
+```
+
+### Disable a token using the influx CLI
+
+Use the [`influx auth inactive` command](/influxdb/v2.1/reference/cli/influx/auth/active)
+to deactivate a token.
+
+_This command requires an authorization ID, which is available in the output of `influx auth find`._
+
+```sh
+# Syntax
+influx auth inactive -i <auth-id>
+
+# Example
+influx auth inactive -i 0804f74142bbf000
+```
+
+To get the current status of a token, use the JSON output of the [`influx auth list` command](/influxdb/v2.1/reference/cli/influx/auth/list).
+
+```sh
+influx auth find --json
+```
+
+## Update a token using the InfluxDB API
+
+Use the `/authorizations` endpoint of the InfluxDB API to update the description and status of a token.
+
+[{{< api-endpoint method="PATCH" endpoint="http://localhost:8086/api/v2/authorizations/AUTH_ID" >}}](/influxdb/v2.1/api/#operation/PatchAuthorizationsID)
+
+Include the following in your request:
+
+| Requirement          | Include by                                               |
+|:-----------          |:----------                                               |
+| API token with the [`write: authorizations`](/influxdb/v2.1/api/#operation/PostAuthorizations) permission  | Use the `Authorization: Token YOUR_API_TOKEN` header. |
+| Authorization ID     | URL path parameter.                                      |
+| Description and/or Status | Pass as `description`, `status` in the request body.    |
+
+### Disable a token
+
+```sh
+# Update the description and status of the first authorization listed for the user.
+
+curl --request GET \
+  "http://localhost:8086/api/v2/authorizations?user=user2" \
+  --header "Authorization: Token ${INFLUX_TOKEN}" \
+  --header 'Content-type: application/json' \
+| jq .authorizations[0].id \
+| xargs -I authid curl --request PATCH \
+  http://localhost:8086/api/v2/authorizations/authid \
+  --header "Authorization: Token ${INFLUX_TOKEN}" \
+  --header 'Content-type: application/json' \
+  --data '{
+            "description": "deactivated_auth",
+            "status": "inactive"
+          }' | jq .
+```
--- a/content/influxdb/v2.1/security/tokens/view-tokens.md
+++ b/content/influxdb/v2.1/security/tokens/view-tokens.md
@ -15,17 +15,46 @@ View API tokens and permissions using the InfluxDB user interface (UI),
 the `influx` command line interface (CLI), or the InfluxDB API.

 {{% note %}}
-Tokens are visible only to the user who created them and stop working when the user is deactivated.
-We recommend creating a generic IT user to create and manage tokens for writing data.
+
+{{% oss-only %}}Tokens are visible to the user who created the token. Users who own a token with Operator permissions also have access to all tokens.
+Tokens stop working when the user who created the token is deleted.
+
+**We recommend creating a generic user to create and manage tokens for writing data.**
+{{% /oss-only %}}
+
+{{% cloud-only %}}
+To follow best practices for secure API token generation and retrieval, InfluxDB Cloud enforces access restrictions on API tokens.
+  - InfluxDB Cloud UI only allows access to the API token value immediately after the token is created.
+  - You can't change access (**read/write**) permissions for an API token after it's created.
+  - Tokens stop working when the user who created the token is deleted.
+
+We recommend the following for managing your tokens:
+- Create a generic user to create and manage tokens for writing data.
+- Store your tokens in a secure password vault for future access.
+{{% /cloud-only %}}
 {{% /note %}}

 ## View tokens in the InfluxDB UI

-1. In the navigation menu on the left, select **Data (Load Data)** > **Tokens**.
+{{% oss-only %}}
+
+1. In the navigation menu on the left, select **Data (Load Data)** > **API Tokens**.

    {{< nav-icon "load-data" >}}

-2. Click a token name from the list to view the token and a summary of access permissions.
+2. Click a token name in the list to view the token and a summary of access permissions.
+
+{{% /oss-only %}}
+
+{{% cloud-only %}}
+
+1. In the navigation menu on the left, select **Load Data** > **API Tokens**.
+
+    {{< nav-icon "load-data" >}}
+
+2. Click a token description in the list to view the token status and a list of access permissions.
+
+{{% /cloud-only %}}

 ## View tokens using the influx CLI

@ -44,7 +73,7 @@ for information about other available flags.

 Use the `/authorizations` endpoint of the InfluxDB API to view tokens and permissions.

-{{% api-endpoint method="GET" endpoint="/api/v2/authorizations" %}}
+[{{< api-endpoint method="GET" endpoint="/api/v2/authorizations" >}}](/influxdb/cloud/api/#operation/GetAuthorizations)

 Include the following in your request: