ShotGrid Legacy Login post-Autodesk ID - Personal Access Token Clarification

[mgb-ingenuity]

According to this migration support doc re: personal access tokens, for continued functionality of my company's scripts, we need to bind a Personal Access Token from our Autodesk ID to our ShotGrid account.

It's unclear, however, what combinations of credentials we should use with the Shotgun API for authentication going forward, after binding this PAT to our ShotGrid account. Additionally, I've yet to find an unambiguous way to prove that binding PATs to our shotgrid accounts is all we need to do for continued functionality.

After binding a PAT to my ShotGrid account, I wrote the script at the end of this issue (following the demo code in the video here) to test all possible combinations of credentials - only the following combinations worked:

server=PROXY, login=SG_USER, password=SG_PASS, tfa=SG_2FA
server=SG_SERVER, login=SG_USER, password=SG_PASS, tfa=SG_2FA

This indicates that only shotgrid credentials - and not those associated with my autodesk ID - work for authentication, even after PAT binding. It is implied in the documentation - though not made sufficiently explicit - that this is the intended behavior, and that by binding a PAT to our ShotGrid account all scripts should be able to work with no changes whatsoever. But, again - I've found no way to definitively prove this. If I'm wrong, several hundred of our employees may find themselves unable to continue with work after Friday.

If I'm right - if all we need to do is bind PATs to each of our employees ShotGrid accounts - there's the question of implementation. Do all of our employees need to manually generate PATs for each of their ShotGrid accounts, or is there some way to do this automatically for everyone in our domain?

Here's the script I used to check things:

from shotgun_api3.shotgun import Shotgun
import json
import itertools as it

params = json.load(open('params.json'))

servers = [
    'PROXY',
    'SG_SERVER'
]
logins = [
    'AD_USER',
    'AD_EMAIL',
    'SG_USER',
]
passwords = [
    'AD_PASS',
    'SG_PASS',
]

twofa = [
    'SG_2FA',
    'AD_2FA'
]

if __name__ == "__main__":
    import sys

    filters = [['sg_status_list', 'is', 'act']]
    fields = ['id']
    tfa_cache = {
        'SG_2FA': 'NUMS',
        'AD_2FA': 'MORE_NUMS'
    }
    for server, login, password, tfa in it.product(servers, logins, passwords, twofa):
        server_value = params[server].encode('utf-8')
        login_value = params[login].encode('utf-8')
        pw_value = params[password].encode('utf-8')
        tfa_value = tfa_cache[tfa].encode('utf-8')
        print("trying:")
        print('server="{}", login="{}", password="{}", tfa="{}"'.format(server, login, password, tfa))
        try:
            sg = Shotgun(
                server_value,
                login=login_value,
                password=pw_value,
                auth_token=tfa_value
            )
            n_users = len(sg.find('HumanUser', filters, fields))
            print('WORKED!')
        except Exception as e:
            print("FAILED... Error: {}".format(e))

[jfboismenu]

Yes, the ShotGrid user and ShotGrid passphrase are what you pass to the Shotgun API, not the Autodesk Identity email or the token, to authenticate with ShotGrid. When authenticating with your legacy login/passphrase, ShotGrid will use the token associated to your account to make requests to the Autodesk account.

When it comes to automating the PAT creation process, I'm afraid that the answer is no. Each of your user will have to go through the manual process of creating a PAT on their Autodesk account and add it to their ShotGrid account.

Don't hesitate to reach out to your support team if you have more questions.