Dedicated API tokens for critical flows
Konstantin Solo
Port's API is critical for us and is used in the CI pipelines. We would want to have a dedicated API token for these flows that does not interact with the general rate limits from Port and has its own rate limits even if they are reduced.
More details about the question: would be great to isolate the critical system features (e.g. CI) using the API from influence of other components, which are not under our control - like other users and integrations.
That probably would mean having separate limit buckets.
E.g.:
We could use a dedicated service account for the CI calls - maybe it could have a separate bucket and not sharing with the integrations?
Probably the biggest question - non-admin users. I'd really like to limit how non-admin users can influence the rest of the system (in general too ofc, but in terms of API consumption for this context). So it'd be totally OK if personal tokens had much tighter limits, but not influence the common bucket.
Itamar Smirra
Hey Konstantin, sorry for the confusion. You are right and service accounts share the same rate limit buckets as we rate the whole organization.
I understand your issue and we will think about it internally on how/when it can be achieved.
We will open this FR again.
Dudi - Port team
open
Konstantin Solo
Hey guys, thanks for the replies.
I went through the page https://docs.port.io/sso-rbac/rbac/#service-accounts - but it doesn't say anything about service accounts' relation to the API request limits.
Moreover, the API documentation (https://docs.port.io/api-reference/rate-limits) explicitly says that "Rate limits are enforced at the Organization level."
So could you clarify how service accounts can solve this?
More details about the question: would be great to isolate the critical system features (e.g. CI) using the API from influence of other components, which are not under our control - like other users and integrations.
That probably would mean having separate limit buckets.
E.g.:
We could use a dedicated service account for the CI calls - maybe it could have a separate bucket and not sharing with the integrations?
Probably the biggest question - non-admin users. I'd really like to limit how non-admin users can influence the rest of the system (in general too ofc, but in terms of API consumption for this context). So it'd be totally OK if personal tokens had much tighter limits, but not influence the common bucket.
Itamar Smirra
Hey and thank you for your feedback!
We have the ability to create service accounts which I think can help you solve your issue.
You can see more details here - https://docs.port.io/sso-rbac/rbac/#service-accounts