This PR introduces a newapi_key_scope parameter for thecoder_agent resource, allowing administrators to control what API routes an agent token can access. This feature enhances security by providing the option to restrict sensitive user data access.

The new parameter supports two options:

all: Full API access (this is the default value)
no_user_data: Blocks access to/external-auth,/gitsshkey, and/gitauth routes

Changes:

Added theapi_key_scope field to the agent resource schema with validation
Updated documentation to reflect the new parameter
Added comprehensive tests for valid transitions and invalid values
Updated examples to demonstrate usage

Development Environment:

Added direnv configuration for improved developer experience
Updated Nix flake to use Go 1.24 and nixpkgs 24.11

This change is backward compatible as the default behavior remains unchanged.

Copy link

MemberAuthor

ThomasK33 commentedMay 6, 2025

Add agent API key scope to restrict access to user data #391 👈(View in Graphite)
main

This stack of pull requests is managed byGraphite. Learn more aboutstacking.

ThomasK33 requested a review fromCopilot

May 6, 2025 09:13

CopilotAI reviewed

May 6, 2025

View reviewed changes

Copy link

CopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Pull Request Overview

This pull request adds an "api_key_scope" parameter to the coder agent resource, enabling administrators to restrict agent token access to sensitive routes.

Added a new "api_key_scope" field with validation in the provider schema.
Integrated comprehensive tests for valid and invalid parameter values.
Updated documentation examples to include the new parameter.

Reviewed Changes

Copilot reviewed 5 out of 8 changed files in this pull request and generated no comments.

File	Description
provider/agent_test.go	Added tests for valid transitions and error handling for the new "api_key_scope".
provider/agent.go	Updated the schema for coder_agent with the new "api_key_scope" field and validation.
docs/resources/agent.md	Updated documentation to demonstrate the usage of the new "api_key_scope" parameter.

Files not reviewed (3)

.envrc: Language not supported
examples/resources/coder_agent/resource.tf: Language not supported
flake.nix: Language not supported

ThomasK33 mentioned this pull request

May 6, 2025

feat: add API key scope to restrict access to user datacoder/coder#17692

Merged

ThomasK33 marked this pull request as ready for review

May 7, 2025 13:58

ThomasK33 requested a review fromEmyrk

May 7, 2025 14:07

ThomasK33 force-pushed thethomask33/05-06-feat_agent_add_api_key_scope_to_control_agent_token_permissions branch 2 times, most recently from9861bbd tofa0fe79Compare

May 7, 2025 22:44

Emyrk approved these changes

May 8, 2025

View reviewed changes

.envrc OutdatedShow resolvedHide resolved

feat(agent): add api_key_scope to control agent token permissions

bcd6a7c

Change-Id: I90dd87756b47b589bf0a363e22de70d2cffd44faSigned-off-by: Thomas Kosiewski <tk@coder.com>

ThomasK33 force-pushed thethomask33/05-06-feat_agent_add_api_key_scope_to_control_agent_token_permissions branch fromfa0fe79 tobcd6a7cCompare

May 8, 2025 19:48

ThomasK33 merged commit01334b6 intomain

May 15, 2025

7 checks passed

ThomasK33 deleted the thomask33/05-06-feat_agent_add_api_key_scope_to_control_agent_token_permissions branch

May 15, 2025 14:33

github-actionsbot locked and limited conversation to collaborators

May 15, 2025

Labels

None yet

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add agent API key scope to restrict access to user data#391

Add agent API key scope to restrict access to user data#391

Uh oh!

Conversation

ThomasK33 commentedMay 6, 2025•
edited
Loading

Uh oh!

Add API Key Scope Control for Coder Agents

Changes:

Development Environment: