I'm working on updating an existing set of projects where I need to use the Download Tool in Alteryx to access various APIs, and wanted to securely store the credentials in DCM, rather than having them sit insecurely within the Download Tool itself. We can use access to the Okta API as an example, whereby the Okta API requires an API key which is typically passed in the HTTP headers as part of an API GET request. My goal is to securely store the API key and manage it through the Data Connection Manager (DCM).
I've set up DCM and understand how it can store and manage credentials like username/password pairs and specific methods for AWS and Azure services. However, I'm having trouble understanding how to use it for storing and managing generic API keys or credentials, which don't fit into these pre-existing categories.
In my Okta example, the Download Tool needs to be configured under the Headers tab to push a Name and Value for authentication purposes, which for Okta looks like this:
Name: Authorization
Value: SSWS {apiKey}
Raw: Authorization: SSWS {apiKey}
My issue is figuring out how to store this API key in the DCM and how then to reference that secret/variable in the Download Tool. Has anyone used DCM for storing generic API credentials specifically for use within the Download Tool for API access?
Also looking for best practice guidance over storing PEM Files or RSA Tokens, at the moment it would require storing the key on Alteryx Server or having to send across the file to others in order to access them.
Hey, @markspivey.
I know what you mean. I've never used the Download tool in the way you're describing, but I've done similar things in Python.
For example, to use my API key in a Python script without explicitly pasting the key in, I used an environment variable.
I know DCM is the secure credentialing within Designer, but I'm not too familiar with it.
I would setup your secrets in environment variables and try using the GetEnvironmentVariable function.
thanks, however, the intent is to eventually move the workflows from Designer to Server, so unfortunately I don't believe the GetEnvironmentVariable method would be a feasible option as it only works on Desktop.
Started looking into this myself today! I will post if I get anywhere
I have the same problem. We're looking to move to Server, and I don't want to store API credentials in text inputs
Any luck on this topic? DCM is the key, I believe and I wonder if it's just a matter of adding another credential option for API key as a credential rather than the current basic option of no credentials, username, username and password.
The download tool is the current method for interaction with API's so seems logical that this could be integrated.
I have not actually been able to get it to work, but if you select the "Resolve on Payload" checkbox you should be able to reference the value that are stored in the DCM Credentials using aliases. Here is an excerpt from the download tool page (https://help.alteryx.com/20231/designer/download-tool)
By selecting the Resolve on Payload checkbox, you can use DCM-specific aliases for Headers and Payload settings. The aliases can be used for both Name and Value while only Compose Query String/Body option is supported for Payload. Once you run the workflow, these aliases are automatically replaced by corresponding DCM values. Supported aliases:
{dcm:userName}
{dcm:password}
{dcm:host}
So given this I tried to connect to the Alteryx V3 OAuth Token endpoint using DCM.
I created a DCM Data Source that stores my Base URL
Then I calculated the B64 encoded string using the logic from the Alteryx V3 Server API Authenticate Macro (including the word Basic)
I then created a username only credential and stored the full string in the username
Then I setup the DCM connection from the download tool
Then used the alias to create an "Authorization" header
However I am still getting a 401 Unauthorized response. It feels like everything should be right, anyone see something that I am missing?
With some investigation using Fiddler I realized that I had a misspelling in my endpoint, and also that I was missing the grant_type = client_credentials payload. With those updates I am now able to use the store DCM value to pass as the authorization header and get back a token.
Hopefully this approach fixes the problem for others as well!
Thank you @bkclaw113 - I will try this!