Manage Deployment API keys
An API key is a unique key ID and secret pair that you can use as an alternative to manual user authentication for some Astro actions. You can also use API keys to automate common actions on Astro that require manual inputs.
You can use Deployment API keys to complete the following actions:
- Automate deploying code to Astro in CI/CD with tools such as GitHub Actions or Circle CI.
- Automate updating environment variables.
- Fetch a short-lived access token that assumes the permissions of the Deployment API key. This access token can be used to make requests to the Airflow REST API.
Use API keys
When using a Deployment API key, keep the following in mind:
- A Deployment API key ID and secret are permanently valid.
- Deployment API keys are deleted permanently if their corresponding Deployment is deleted.
- A Deployment API key is not bound to the user who creates it. When a user who created the API key is removed from the Workspace, or their permissions change, the Deployment and CI/CD workflows that use the API key are not affected.
- Any user or service with access to an API key and secret can access the corresponding Deployment. The only way to delete this access is to delete the API key or delete the Deployment.
You can't use API keys to automate the creation and updating of Deployments or Workspaces, or inviting and removing users.
A new API key framework to unlock advanced automation workflows will soon be available in Astro. If you're interested in learning more about this feature or have questions, contact Astronomer support.
Create an API key
In the Cloud UI, select a Workspace and then select a Deployment.
Click the API Keys tab.
Click API Key:
Enter a name and an optional description for the API key and then click Create API Key:
Optional. Copy the API key ID and secret for use in API calls and CI/CD pipelines and then click I've saved the Key Secret. Make sure you save the key secret securely, as this is the only time you will have access to see it in plain text.
If you just need to make a single API call, you can use a temporary user authentication token instead of a Deployment API key ID and secret pair. To retrieve a temporary authentication token, go to cloud.astronomer.io/token and copy the token that appears. This token is valid only for 24 hours.
Use an API key with the Astro CLI
To use a Deployment API key with the Astro CLI, you must make your API key ID and secret accessible to the Astro CLI by setting the following OS-level environment variables:
ASTRONOMER_KEY_IDASTRONOMER_KEY_SECRET
For example, to update a Deployment using the Astro CLI on a Mac machine, set temporary OS-level environment variables with the following commands:
export ASTRONOMER_KEY_ID=<your-key-id>
export ASTRONOMER_KEY_SECRET=<your-key-secret>
After you set the variables, you can run astro deployment update for the Deployment and you don't have to manually authenticate to Astronomer. Astronomer recommends storing ASTRONOMER_KEY_SECRET as a secret before using it to programmatically update a Deployment.
Use an API key for CI/CD
If you deploy DAGs regularly to a production environment, Astronomer recommends using Deployment API keys to automate pushing code with a tool such as GitHub Actions or Circle CI.
For more information and examples, see Automate code deploys with CI/CD.
Delete an API key
If you delete an API key, make sure that no existing CI/CD pipelines are using it. Once deleted, an API key and secret cannot be recovered. If you unintentionally delete an API key, create a new one and update any CI/CD workflows that used the deleted API key.
In the Cloud UI, select a Workspace and then select a Deployment.
Click the API Keys tab.
Click Edit next to your API key.
Click Delete API Key, enter
Delete, and then click Yes, Continue.