
Apikey for CI/CD Pipelines #6077

@itmanju

Current Behavior

Hi,

I think I am missing something, I am very confused with those API keys. I'll try to explain (from what I understand):

- API keys are per team
- When creating a project, it needs to be associated with a team, one team only (actually, even if there is a red star next to the field, it doesn't seem mandatory)
- An API key from one team can't give access to a project from another team

So, I am setting up a CI/CD pipeline to upload the SBOM for several different services. To work, I have 2 options:

1. I assign the same team to all projects, so I have one API key that can be used by the pipeline
2. I assign different teams to projects, so I have to set the pipeline to use each different key accordingly
3. Give ACCESS_MANAGEMENT permission to the API key used by the CI.

With option 1, teams in that case are useless if all projects have the same
With option 2, that could be a lot of keys to manage/maintain
Option 3, I guess, would be the way to go, but security-wise there is no reason to give that permission ("Allows the management of users, teams, and API keys") to upload SBOMs.

Another confusing bit: the team field is only present when creating a new project, but it is displayed nowhere in the project details and can't be updated (in the UI; I haven't tried via the API yet).

Thank you!

Proposed Behavior

Apikey key
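
An added example, not part of the issue and not Dependency-Track project code: one way a pipeline can handle option 2 (one key per team) while checking that no CI team carries more than upload rights, which is the concern raised about option 3. The project UUIDs, team names, host, key values and the `DTRACK_KEY_<TEAM>` secret naming are assumptions made for illustration; `BOM_UPLOAD` is Dependency-Track's upload permission and `PUT /api/v1/bom` with an `X-Api-Key` header is its REST upload endpoint, neither of which is named in the issue.

```python
import base64
import json
import os
import urllib.request

# Constructed mapping: project UUID -> team whose key may upload to it.
PROJECT_TEAM = {
    "11111111-1111-1111-1111-111111111111": "payments",
    "22222222-2222-2222-2222-222222222222": "payments",
    "33333333-3333-3333-3333-333333333333": "identity",
}
# The only permission a CI key needs for this job; anything more is flagged.
REQUIRED = {"BOM_UPLOAD"}


def excess_permissions(team_permissions):
    """Return, per team, the permissions granted beyond what SBOM upload needs."""
    return {team: sorted(set(perms) - REQUIRED)
            for team, perms in team_permissions.items()
            if set(perms) - REQUIRED}


def key_for(project_uuid, env=os.environ):
    """Read the team's key from a CI secret named DTRACK_KEY_<TEAM> (assumed naming)."""
    team = PROJECT_TEAM.get(project_uuid)
    if team is None:
        raise KeyError(f"project {project_uuid} has no team mapping")
    name = f"DTRACK_KEY_{team.upper()}"
    if not env.get(name):
        # Fail closed: never fall back to another team's key.
        raise KeyError(f"CI secret {name} is not set")
    return env[name]


def build_upload(base_url, project_uuid, sbom_bytes, env=os.environ):
    """Build (not send) the PUT /api/v1/bom request for one project."""
    body = json.dumps({"project": project_uuid,
                       "bom": base64.b64encode(sbom_bytes).decode("ascii")})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=body.encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "X-Api-Key": key_for(project_uuid, env)})
```

Pass the returned request to `urllib.request.urlopen` to send it, and keep the key out of logs by never printing the request headers.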

Labels: enhancement (New feature or request)
