Alteryx DCM usage within the Download Tool (for generic API authentication)

I'm working on updating an existing set of projects where I need to use the Download Tool in Alteryx to access various APIs, and wanted to securely store the credentials in DCM, rather than having them sit insecurely within the Download Tool itself. We can use access to the Okta API as an example, whereby the Okta API requires an API key which is typically passed in the HTTP headers as part of an API GET request. My goal is to securely store the API key and manage it through the Data Connection Manager (DCM).

I've set up DCM and understand how it can store and manage credentials like username/password pairs and specific methods for AWS and Azure services. However, I'm having trouble understanding how to use it for storing and managing generic API keys or credentials, which don't fit into these pre-existing categories.

In my Okta example, the Download Tool needs to be configured under the Headers tab to push a Name and Value for authentication purposes, which for Okta looks like this:

Name: Authorization

Value: SSWS {apiKey}

Raw: Authorization: SSWS {apiKey}

My issue is figuring out how to store this API key in the DCM and how then to reference that secret/variable in the Download Tool. Has anyone used DCM for storing generic API credentials specifically for use within the Download Tool for API access?

Download

Accepted answers

All comments

markspivey

Also looking for best practice guidance over storing PEM Files or RSA Tokens, at the moment it would require storing the key on Alteryx Server or having to send across the file to others in order to access them.

acarter881

Hey, @markspivey.

I know what you mean. I've never used the Download tool in the way you're describing, but I've done similar things in Python.

For example, to use my API key in a Python script without explicitly pasting the key in, I used an environment variable.

I know DCM is the secure credentialing within Designer, but I'm not too familiar with it.

I would setup your secrets in environment variables and try using the GetEnvironmentVariable function.

markspivey

thanks, however, the intent is to eventually move the workflows from Designer to Server, so unfortunately I don't believe the GetEnvironmentVariable method would be a feasible option as it only works on Desktop.

shawnmacnova21

Started looking into this myself today! I will post if I get anywhere

I have the same problem. We're looking to move to Server, and I don't want to store API credentials in text inputs

eddiestuder

Any luck on this topic? DCM is the key, I believe and I wonder if it's just a matter of adding another credential option for API key as a credential rather than the current basic option of no credentials, username, username and password.

The download tool is the current method for interaction with API's so seems logical that this could be integrated.

bkclaw113

I have not actually been able to get it to work, but if you select the "Resolve on Payload" checkbox you should be able to reference the value that are stored in the DCM Credentials using aliases. Here is an excerpt from the download tool page (https://help.alteryx.com/20231/designer/download-tool)

By selecting the Resolve on Payload checkbox, you can use DCM-specific aliases for Headers and Payload settings. The aliases can be used for both Name and Value while only Compose Query String/Body option is supported for Payload. Once you run the workflow, these aliases are automatically replaced by corresponding DCM values. Supported aliases:
- {dcm:userName}
- {dcm:password}
- {dcm:host}

So given this I tried to connect to the Alteryx V3 OAuth Token endpoint using DCM.

I created a DCM Data Source that stores my Base URL

Then I calculated the B64 encoded string using the logic from the Alteryx V3 Server API Authenticate Macro (including the word Basic)

I then created a username only credential and stored the full string in the username

Then I setup the DCM connection from the download tool

Then used the alias to create an "Authorization" header

However I am still getting a 401 Unauthorized response. It feels like everything should be right, anyone see something that I am missing?

bkclaw113

With some investigation using Fiddler I realized that I had a misspelling in my endpoint, and also that I was missing the grant_type = client_credentials payload. With those updates I am now able to use the store DCM value to pass as the authorization header and get back a token.

Hopefully this approach fixes the problem for others as well!

Thank you @bkclaw113 - I will try this!

Sakeen

Hi bkclaw113,

I hope you're doing well. I came across your answers to the problem in the "Alteryx DCM usage within the Download Tool (for generic API authentication)" article, and find it highly interesting.

Could you kindly send me a screenshot or let me know where to insert the grant_type = client_credentials parameter?

Your assistance would be greatly appreciated.

Regards

Sakeen

ayx104997

@bkclaw113
If possible can you please help us with the screenshot of the configuration of the download tool, basic header and payload tabs Also, please let us know how you encrypted the key.

bkclaw113

Odd, I could swear that I posted those pictures yesterday in response to @Sakeen but I do not see them anywhere. Hopefully it works this time.

Also here is a good post on doing Basic Authorization that is used in many API's - https://community.alteryx.com/t5/Alteryx-Designer-Desktop-Discussions/API-Basic-Authorization/td-p/749357

Header TabPayload Tab

noel_navarrete

Was wondering if you are getting a DCM Tag error when using "{dcm:password}" as Value in the Payload tab in the download tool...

I am trying to use DCM, but I am seeing that the {dcm:password} alias when used in the Payload tab causes the error. I followed the documentation for the Download tool (screenshot attached) but had no luck, maybe I missed something.

Removing the client_secret from the “From the following constant values” and ticking client_secret in “And values from these fields” the workflow runs fine.

Any help is much appreciated.

DCM Tag error.png

TonyAdam

I found the solution in the Alteryx_Server_Usage_Report, which uses a dcm for the Gallery API and adjusted it for my use case. I can confirm it works in 2024.1.

In our case we need to connect to https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token. The actual tenant_id must be included in base URL of the DCM "URL for Downloading" connection. URL from the Input anchor must be a blank otherwise it will concatenate with the URL from the DCM.

Header:

Content-Type

application/x-www-form-urlencoded

For the POST select "Use Following for Query String/Body" (adjust scope= for your use case):

scope=&grant_type=client_credentials&client_id={dcm:userName}&client_secret={dcm:password}

Download Tool config 1.png

Download Tool config 2.png

noel_navarrete

Thanks TonyAdam.

Our company upgraded our Alteryx to 2023 and the download tool worked as designed.

Cheers!

montynasser

do you have sample workflow for this, trying to follow your instructions but i am getting the error

Download (1) URL using bad/illegal format for https://login.microsoftonline.com/{{my tenant id}}/oauth2/v2.0/token

TonyAdam

I don't think there is a useful way to share an example WF without a DCM or sharing credentials.

According to the error, you probably have to replace the tenant id, with your actual Id.

DCM Connection.png

DCM Credential.png

montynasser

yes, followed your instructions as per your original post and fixed my error (i created an empty string for the Download tool input anchor but it converted to a bool which caused the error) however, it seems that the download tool is not performing the post, the results from the download are just null for the DownloadData and DownloadHeaders but no error message is thrown. using Alteryx Designer 2024.1.1.209. Tried packet sniffer and doesn't look like it is connecting. In the payload i also set the username and password manually to validate whether it was a DCM configuration issue but still the same.

I have a simple test wf but seems it's not working correctly. I created another WF which performs the connecting without using DCM and it works as expected.

datasource.png

credential.png

Download-Basic tab.png

download-headers tab.png

download-payload tab.png

montynasser

Solved my issue. In the Download input anchor I had an empty field (URLIn), I put '/' in that field and it worked. I then went back to my DCM and put a '/' at the end of the URL and then removed the input anchor value (URLIn) and it didn't work. so it seems that the input anchor needed a value for it to trigger. I tried '&' at the end but that failed as well as a comma which also failed.

Quick Links

This months top contributors

LanisC 335

hhaigh1 280

erich_shiino 280

FláviaB 262

JORGE4900 235