Community Help

pushyami · ‎03-21-2023

Our Institution was part of CD2 Beta Phase, we used the identity service and was able to generate the API key and accessed the DB snapshot etc.

Now that CD2 is available as general availability, we want to generate an API key not associated with a canvas user account ( this user might be a canvas admin) since if this person leave institution then the risk of the API key getting revoked. With CD2 the API key has an expiry date with up to 1 year expiry, probably we need to create a new one after.

So my question is how do we generate a Prod API key ( that need to be created every year) without tying to a Canvas real user? Trying to understand what is the best approach for this

MikeRichards · ‎03-21-2023

I am facing a similar issue, we want to tie our API key to a local user in Canvas that has the Canvas Data User role (Data Services - manage Permission only), which is what we did for CD1. The API key generator seems to only allow the default authentication type which is of course set up for the students and faculty and is tied to their real user accounts. I also tried giving this local account "Account Admin" permissions and it makes no difference.

We are doing so for the same reason, we do not want our entire data system to screech to a halt because a specific person left our organization.

stimme · ‎03-21-2023

@MikeRichards I have a suggestion about working around default authentication method. I also was sent to the default login service when I started by going to identity.instructure.com. But I was able to get into the key service by first signing into my institution's default Canvas domain (myschool.instructure.com) using the login service for admin accounts then going to identity.instructure.com.

MikeRichards · ‎03-21-2023

It seems that the instructure.com domain works, but not the vanity URL.

I had tried that approach beforehand but was using our vanity URL for our Canvas instance.

Thanks

IanGoh · ‎03-31-2023

During the beta, we did ask that all institutional admins have access to identity so that they can co-share/manage the keys. Hopefully that'll get onto the CD2 roadmap at some point.

pushyami · ‎03-21-2023

@stimme if I understood this you have created a non-user ( at your institution) with an account admin role in Canvas and instead of your ( a person) credentials you logged in as that non-user admin (using SSO) and authorized to the identity platform?

stimme · ‎03-22-2023

@pushyami My testing so far has been with my own user account with Account Admin privileges, which does not use our default SSO method. That's why I had to work around the redirect to default SSO. To make an API key as a non-user account, I think it could be associated with institutional SSO (ours creates plenty of non-person users) or just with Canvas internal authentication framework.

My initial thought about managing keys with identity.instructure.com is that I could use my own account to create a second set of credentials for scripted refresh of CD2. I think the 1 year expiration would probably come at the same time whether or not I am still at the institution in a year.

pushyami · ‎03-22-2023

Thanks @stimme your response is useful and see which way we take for our institution.

CD2 generating API key not tying up to a canvas user account

Api key

cd2

Data Services sends incorrect Content-Type when re...

duplicates in Catalog enrollment table snapshot

Historical data of assessment decision when using ...

Roll Call Attendance / Grades Alert

CD2 - how to identify which users / sections have ...

Canvas Data 2 Documentation Down?

CD2: Microsoft Sync State (for MS Teams)

Integrating Canvas with PowerBI?

New Quizzes

Data Services sends incorrect Content-Type when re...

You're signed out

CD2 generating API key not tying up to a canvas user account

Community Help

View our top guides and resources: