Organizations and Access
An Arraylake Org represents an organization of Users that maintains multiple Repos. A company or institution will typically have a single Arraylake organization, and an Arraylake User can belong to one or more organizations.
When using the Arraylake API, the org identifier prefixes a repository name to uniquely identify a repository. For example, my-company/sentinel-repo represents the sentinel-repo belonging to my-company.
Access
Arraylake supports two methods of authenticating requests to the service:
- User identities: A User authenticates directly
- Service Accounts: An API token associated with a shared service account is used
Authenticating as a User
To authenticate as a user, use the Arraylake CLI. Running the following command will initiate the login flow by directing you to a login page associated with your organization:
- CLI

    arraylake auth login
    # Or, if running from a remote environment
    arraylake auth login --no-browser

- Python

    from arraylake import Client
    client = Client()
    client.login()

This flow will yield a code that can be provided to the command line prompt and ultimately authenticate your access to the service.
Subsequently, you can use arraylake auth logout to log out, or arraylake auth refresh to refresh your authenticated status.
Customers with custom SSO authentication support must first set an explicit user organization configuration value using arraylake config set user.org <an-org-identifier>. If this is required, an identifier will be provided to you by the Earthmover team.
Authenticating as a Service Account
At this time, Service Account authentication is available via the Python API only. To authenticate as a service account, pass the appropriate API token as a parameter to the Client. We recommend storing the token as an environment variable rather than hard-coding the token in code. For example, if the environment variable MY_ARRAYLAKE_API_TOKEN is set, you can access it as follows:
- Python

    import os
    from arraylake import Client
    api_token = os.environ.get('MY_ARRAYLAKE_API_TOKEN')
    client = Client(token=api_token)
    client.list_repos('my-org')

If present, the ARRAYLAKE_TOKEN environment variable will automatically be detected and used to populate the client token. This is the easiest way to configure access to Arraylake from automated scripts, cron jobs, and CI environments.
Service Account API Tokens
Service Account API tokens enable programmatic authentication to Arraylake services, supporting access from deployed services and jobs that run on behalf of a team or project.
Distribution & Management
- Tokens must be issued by the Earthmover team. If you would like API tokens, please reach out.
- Tokens are a single string, prefixed with the ema_ identifier.
  - Example Token: ema_123456789123456789_123456789123456789123456789
- Tokens should be considered secret, and should not be shared publicly. Owners should take appropriate precautions when distributing them in deployed environments. For example, consider storing the token in a service like AWS SSM Parameter Store to enable deployed services or jobs to access it.
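
An added example (not from the Arraylake documentation or Earthmover's code) that combines the two recommendations above: read the service account token from an environment variable, fall back to AWS SSM Parameter Store, and fail closed rather than passing None to the Client. The helper names, the redaction format and any parameter name passed as ssm_name are assumptions; only the ema_ prefix and the MY_ARRAYLAKE_API_TOKEN variable come from this page.

```python
import os

TOKEN_PREFIX = "ema_"  # prefix documented on this page


class TokenError(RuntimeError):
    """No usable service account token was found."""


def redact(token):
    """Log-safe form of a token: the prefix and, for long tokens, the last four characters."""
    tail = token[-4:] if len(token) > 16 else ""
    return f"{TOKEN_PREFIX}...{tail}"


def fetch_from_ssm(name):
    """Read a SecureString parameter from AWS SSM Parameter Store."""
    import boto3  # imported lazily so the environment-variable path needs no AWS SDK

    resp = boto3.client("ssm").get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def load_token(env=os.environ, env_var="MY_ARRAYLAKE_API_TOKEN",
               ssm_name=None, fetch=fetch_from_ssm):
    """Return (token, source), or raise TokenError instead of returning None."""
    token, source = env.get(env_var, "").strip(), f"env:{env_var}"
    if not token and ssm_name:
        token, source = fetch(ssm_name).strip(), f"ssm:{ssm_name}"
    if not token:
        raise TokenError(f"no token in {source}")
    if not token.startswith(TOKEN_PREFIX):
        # Never echo the value: it may be some other secret set by mistake.
        raise TokenError(f"value from {source} lacks the {TOKEN_PREFIX!r} prefix")
    return token, source


if __name__ == "__main__":
    # Constructed environment using the example token shown on this page.
    demo_env = {"MY_ARRAYLAKE_API_TOKEN":
                "ema_123456789123456789_123456789123456789123456789"}
    token, source = load_token(env=demo_env)
    print(f"loaded {redact(token)} from {source}")
    # With the real package installed: Client(token=token).list_repos("my-org")
```

Log only the redacted form and the source; the error messages deliberately name where the value came from without repeating it.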
Token Properties
- Tokens are associated with shared Service Accounts. They are intended to be used for machine-to-machine authentication on behalf of these accounts, and should not be used for individual user access to services.
- Tokens are associated with a Service Account identifier of the form: <name>@<org>.service.earthmover.io. The <name> component of this identifier is defined by the requester. It is possible to have multiple tokens associated with a single Service Account. (Note that this is not actually a valid email address.)
- Tokens expire after 1 year by default. This is configurable as needed by the requester.