Palantir Foundry 安全最佳实践

v20260423

palantir-security-basics

本指南提供了与Palantir Foundry集成所需的全面安全最佳实践。内容涵盖安全凭证存储（使用密钥管理器），通过OAuth2范围实施最小权限原则，以及建立可靠的凭证轮换流程。适用于保护生产环境、设置新数据管道或审计API访问控制。

Palantir Foundry 安全 OAuth2 密钥管理最小权限 API 编程开发

获取技能

323 次下载

概览

Palantir Security Basics

Overview

Security best practices for Foundry API tokens, OAuth2 credentials, scope management, and secret rotation. Covers both personal access tokens (dev) and service user credentials (production).

Prerequisites

Foundry Developer Console access
Understanding of OAuth2 scopes

Instructions

Step 1: Secure Credential Storage

# .env — NEVER commit to git
FOUNDRY_HOSTNAME=mycompany.palantirfoundry.com
FOUNDRY_CLIENT_ID=your-client-id
FOUNDRY_CLIENT_SECRET=your-client-secret

# .gitignore — ensure .env files are excluded
echo '.env' >> .gitignore
echo '.env.local' >> .gitignore
echo '.env.*.local' >> .gitignore

For production, use a secrets manager:

# AWS Secrets Manager
aws secretsmanager create-secret --name foundry/prod \
  --secret-string '{"client_id":"xxx","client_secret":"yyy","hostname":"zzz"}'

# Google Cloud Secret Manager
echo -n "your-client-secret" | gcloud secrets create foundry-client-secret --data-file=-

# HashiCorp Vault
vault kv put secret/foundry client_id=xxx client_secret=yyy

Step 2: Apply Least Privilege Scopes

Environment	Recommended Scopes	Rationale
Development	`api:read-data`	Read-only prevents accidental mutations
Staging	`api:read-data`, `api:write-data`	Test writes in safe environment
Production	Only scopes your app actually needs	Minimize blast radius

# Production app that only reads Ontology objects:
auth = foundry.ConfidentialClientAuth(
    client_id=os.environ["FOUNDRY_CLIENT_ID"],
    client_secret=os.environ["FOUNDRY_CLIENT_SECRET"],
    hostname=os.environ["FOUNDRY_HOSTNAME"],
    scopes=["api:ontology-read"],  # Minimum viable scope
)

Step 3: Rotate Credentials

# 1. Generate new credentials in Developer Console
# 2. Deploy new credentials alongside old ones
# 3. Verify new credentials work
python -c "
import os, foundry
auth = foundry.ConfidentialClientAuth(
    client_id=os.environ['NEW_CLIENT_ID'],
    client_secret=os.environ['NEW_CLIENT_SECRET'],
    hostname=os.environ['FOUNDRY_HOSTNAME'],
    scopes=['api:read-data'],
)
auth.sign_in_as_service_user()
print('New credentials verified')
"
# 4. Remove old credentials from Developer Console
# 5. Update environment variables to use new credentials only

Step 4: Validate Tokens Are Not Exposed

# Scan for leaked credentials in git history
git log --all -p | grep -i "foundry_token\|foundry_client_secret" | head -5
# If found: rotate immediately, then use git-filter-repo to remove

# Pre-commit hook to prevent committing secrets
# .pre-commit-config.yaml
# - repo: https://github.com/Yelp/detect-secrets
#   hooks:
#   - id: detect-secrets

Step 5: Security Checklist

Credentials in environment variables or secrets manager (never in code)
.env files listed in .gitignore
Separate credentials per environment (dev/staging/prod)
Minimum scopes per application
Personal access tokens used only for development
OAuth2 client credentials for all production workloads
Credential rotation schedule (every 90 days)
Pre-commit hooks to detect leaked secrets

Output

Securely stored credentials using secrets manager
Least-privilege scopes per environment
Rotation procedure documented and tested
Pre-commit hooks preventing secret commits

Error Handling

Security Issue	Detection	Mitigation
Exposed token in git	`detect-secrets` scan	Rotate immediately, scrub history
Overly broad scopes	Audit app permissions	Reduce to minimum needed
Stale credentials	Age > 90 days	Rotate on schedule
Shared credentials	Multiple users same token	Create per-user service users

Resources

Next Steps

For production deployment, see palantir-prod-checklist.

信息

Category 编程开发

Name palantir-security-basics

版本 v20260423

大小 4.68KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28