POST (gallery/api/admin/v1/workflows/) to publish Encrypted Workflows

Question

Hi All....Need some guidance here. We are developing some automation around publishing the workflows to the Gallery. Our requirement is to publish only the "Encrypted" versions of the Workflows, as a security measure to limit the users to view the code (including the Author). This is because our deployment pipeline adds credentials that can't be exposed after publishing to the Gallery. The API gallery/api/admin/v1/workflows/ works perfectly fine for non-encrypted workflow packages (.yxzp) but not for packages that have encrypted workflows. FYI....Encryption is being done with AlteryxEngineCmd.exe /ENCRYPT Is there a way to achieve it? The Designer option to save workflows on the gallery does have the option to encrypt the workflows. Is there anything equivalent while using the API? The error returned from the API { "data": null, "exceptionName": "UnknownException", "innerExceptionMessage": "", "message": "Unknown error. BadReadException RequestID: f203890eca6b4218ab07d72793bf86b9" }

pankajsharmaswa · Answer

Thanks @KevinP  for your reply to my post. In trying few suggestions that you mentioned, one thing that came out was:

'AlteryxEngineCmd.exe /encrypt' only encrypts workflows, apps and macros. And not the indbc connection files. This keeps the credentials vulnerable to exposure. (The package can be downloaded and unzipped to get to the indbc file, even though the yxmd file in that package can't be opened; because it is encrypted).

This is only a partial solution to our problem. We wanted to encrypt every aspect of our workflows - Code, Credentials etc.

I tried encrypting a sample .txt and .indbc files but the executable returns an errors complaining about the incorrect file type or missing nodes tag etc.

So all in all:

We know that API can publish the encrypted workflows but only encrypted workflows, apps and macros [CODE] and NOT some of the important files that need to be included in the package - e.g. indbc file.

Please review our assessment here and correct us if wrong.

Thanks

KevinP · Answer

@pankajsharmaswa I just did some testing around this and publishing encrpyted/locked workflows works as expected via the API as long as you are providing a valid yxzp file. Please note that the 'AlteryxEngineCmd.exe /encrypt' command you are referencing has been deprecated in current versions and you should use 'AlteryxEngineCmd.exe /lock' instead. Versions with this change will provide a warning/error on the command line to indicate the change.

Also please keep in mind that the /encrypt or /lock flag only encodes the referenced file. This command doesn't package the workflow, or any of it's associated assets as a yxzp. Since the API requires a yxzp I would highly recommend publishing this from Designer with the lock option, or using Designer's export functionality (Options>Export Workflow) with the lock option in order to ensure the workflow is properly packaged. Publishing or exporting the workflow from Designer will ensure that any additional workflow file (workflows, macros, & apps) dependencies are also encrypted. Doing this from the command line in the method you reference will require you to encrpyt/lock each file individually, and then manually package them as a yxzp before publishing via the API.