How can I hit a Foundry API from Code Repositories?

Question

What is the correct way to hit an internal Foundry API from a Code Repository using, for example, a Python transform?

Answer 1

当前，默认情况下不支持从代码存储库中访问 Foundry API 的功能。

Answer 2

This is possible but somewhat discouraged because of the security impacts. Specifically the token that is used to call the API. Historically, Foundry jobs were run with the building user's complete token. This allows making any API call the user could make, but could be abused by a nefarious actor. Therefore most build today use a project-scoped token which can only read and write datasets, and not make API calls.

Thus you must either un-project-scope the repository so that it uses user tokens, which can be done through the Jemma API, or by supplying a hard-coded token, which can be done through a secured dataset with an appropriate marking, but be aware anyone who can read this dataset could steal the token.

A product support solution called logic flows is coming to make this process smoother.

Once you have a token making the API calls is similar to any other API. Here's an example in python, there's more information in the documentation .

URL = f"https://foundry.url/stemma/api/repos/{repo}/checks"
headers = {
    "Authorization": "Bearer " + token
}
req = requests.get(URL, headers=headers)
if req.status_code > 299:
    continue
req_json = req.json()

Answer 3

使用例如Python转换从代码存储库中访问内部Foundry API的正确方法是什么？

Answer 4

Because of the mentioned Foundry limitations and project scoped tokens, we create dedicated Service Accounts for automations, create a bearer token for the service account and store it in a dataset which we secure with a Marking. In the transform where we use the token to make api calls, we stop_propagating the Marking to downstream transforms.

This is, unfortunately, rather cumbersome and we are looking here at Palantir's product development team for a better solution.