KNOWLEDGE BASE

Access Token Logging in Tableau Server Logs and Tableau Cloud


Published: 17 Jun 2022
Last Modified Date: 28 Jun 2022

Issue

In a REST API call, the Personal Access Token (PAT) was used rather than the authentication token. As a result, Tableau Server logged the PATs in plain text in its internal log repositories.

Environment

  • Tableau Server versions released May 24, 2022 or earlier
  • Tableau Cloud

Resolution

For Tableau Server using REST API authentication, please review the following:

Option 1

Upgrade to a version of Tableau Server released June 21, 2022 or later.

Option 2

Identify, revoke and renew all affected PATs.
  1. Search the logs for affected files:
    • Locate the Vizportal service logs for your Tableau Server on Windows or Linux
    • Search through the logs to find any Personal Access Tokens using the following regular expression:
      .*,(.*=:[a-zA-Z0-9]*),.*
      • Linux example: sed -rn 's/.*,(.*=:[a-zA-Z0-9]*),.*/token: \1 /p' vizportal.log
      • Windows PowerShell example: Select-String -path "<\path\to\vizportal.log>" -pattern '.*,(.*=:[a-zA-Z0-9]*),.*' | % {"token is $($_.matches.groups[1]) "}
    • Record found tokens to be revoked. If no results are returned, you are not affected by this issue.
  2. Revoke affected tokens by following the API method below:
    • Linux command example: curl -v -X POST "https://<<MY_SERVER>>/oauth2/v1/revoke/?token=<<PersonalAccessToken>>&token_hint=refresh_token"
    • Windows PowerShell example: Invoke-WebRequest -Method 'Post' -Uri "https://<<MY_SERVER>>/oauth2/v1/revoke/?token=<<PersonalAccessToken>>&token_hint=refresh_token"
    • Provide appropriate inputs for <<MY_SERVER>> and <<PersonalAccessToken>>.
  3. Renew PATs and update scripts with new token value.
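
The log search in step 1, as an added example that is not part of the original article or Tableau's own tooling: the Python below applies the article's regular expression to each log file given on the command line, groups hits by distinct token, and reports a SHA-256 fingerprint in place of the token so the inventory does not copy the secret again. The sample lines and their field layout are constructed assumptions, not real Vizportal output.

```python
import hashlib
import re
import sys
from collections import defaultdict
from pathlib import Path

# Regular expression from the article, used unchanged.
PAT_PATTERN = re.compile(r".*,(.*=:[a-zA-Z0-9]*),.*")

# Constructed sample lines; the field layout is an assumption, not real Vizportal output.
SAMPLE_LINES = [
    "2022-06-01 10:00:00.000,INFO,req-1,CONSTRUCTEDtokenAAAA==:abc123DEF456,sign-in",
    "2022-06-01 10:00:01.000,INFO,req-2,no token in this line,ok",
    "2022-06-01 10:00:02.000,INFO,req-3,CONSTRUCTEDtokenAAAA==:abc123DEF456,sign-in",
    "2022-06-01 10:00:03.000,INFO,req-4,CONSTRUCTEDtokenBBBB==:zyx987WVU654,sign-in",
]

def find_tokens(lines):
    """Yield (line_number, token) for each line the article's regex matches."""
    for number, line in enumerate(lines, start=1):
        match = PAT_PATTERN.match(line.rstrip("\r\n"))
        if match:
            yield number, match.group(1)

def fingerprint(token):
    """Short SHA-256 prefix so a report can reference a token without repeating it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]

def inventory(paths):
    """Map each distinct token to the (file name, line number) pairs where it appears."""
    hits = defaultdict(list)
    for path in map(Path, paths):
        with path.open(encoding="utf-8", errors="replace") as handle:
            for number, token in find_tokens(handle):
                hits[token].append((path.name, number))
    return dict(hits)

def report(hits):
    """One row per distinct token: fingerprint, hit count, first location."""
    return [
        f"{fingerprint(token)} hits={len(where)} first={where[0][0]}:{where[0][1]}"
        for token, where in hits.items()
    ]

if __name__ == "__main__":
    # With no arguments, run against the constructed sample instead of files.
    if sys.argv[1:]:
        print("\n".join(report(inventory(sys.argv[1:]))))
    else:
        print("\n".join(f"{fingerprint(t)} line={n}" for n, t in find_tokens(SAMPLE_LINES)))
```

The dictionary returned by inventory() still holds the raw token values needed for the revoke call in step 2, so keep it in memory and write only the report() rows to disk or tickets.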

Tableau Cloud

  • Tableau has successfully patched all Tableau Cloud instances to address this issue on June 21, 2022.
  • As a security best practice, Tableau strongly recommends that customers replace their API token.

Cause

The incorrect token was used with the REST API call.