Hello,
I am looking for guidance on the best way to execute an Alteryx workflow via the API with a service account. I am using Alteryx 2021.4 with the V3 API.
My first thought is to create a service account and grant it API access, however I will soon be implementing 2FA using our SAML provider so that would present complications in how to complete the second auth factor and who would be able and allowed to do so.
This could be done using an individual user's API credentials, however this would present a problem if/when that employee leaves the company and their Alteryx Gallery access is removed. If you have implemented anything similar I would greatly appreciate any suggestions. Thank you!
Solved! Go to Solution.
Have you reviewed this - https://help.alteryx.com/current/en/server/api-overview/alteryx-server-api-v3/server-api-configurati... as an admin you can grant api access to a user. The user can then create a PAT. the PAT would then auth the API. That's my memory. Yes - you would need to have a service account robot user to use a service account.
Yes I am familiar with the process of granting access and accessing the API. How have you handled access to the service account? In the case of SAML auth have you used an account through your IDP or is there a way to create a "local" account that may not be subject to the 2fa requirements of the IDP? For context I am planning a migration from Active Directory auth to SAML auth so I am not totally familiar with exactly how user accounts are handled in a SAML implementation.
The problem with a service account in our SAML implementation is that there are 2fa requirements for each account that logs in to the Alteryx Gallery which creates an issue of who "owns" the 2fa for the service account to allow it to log in to the Gallery.
I haven't set this up in a while so my information is mad out of date. I have seen with other systems (ie not Alteryx) that a user (usuaully an Admin) is tied into a service account for the duration of setting up the API (in this case it would be retrieving the PAT) and then disconnected. The service account user now exsists with the PAT and is used orphaned from the 2FA for API connections. Yes - the alternative is to create a service account which is not tied into the 2FA. I would prefer if you could restrict IPs for these accounts - vs restricting IPs at a serivce level. I'd also love mandating JWT auth with RSA keys (Snowflake is heading in this direction). Not sure if I'll ever see that.
I also expect that your IT team has active directory/Entra/whatever they are calling it this week/etc non 2FA accounts that they might be willing to share/create. Typically there are accounts with SAML providers which are expceptions to SAML rules.
Got it, do you know if Alteryx allows creating "local" Gallery users when using SAML auth? In other words, if you log in to the Gallery admin > Users is there an option to create a user that is not attached to the IDP? I do not see this option in our current instance using Active Directory but wasn't sure if maybe that's different when using SAML.
Sorry - I'm not 100% sure. Hopefully someone else knows. My expectation is you can.
Alteryx support did confirm the ability to create a local user in Alteryx Gallery via the admin page. This will likely be my approach when we implement SAML auth. Thanks for your assistance!
User | Count |
---|---|
6 | |
2 | |
1 | |
1 | |
1 |