
PowerBI Query PAT Exposed in Parameter - Security Risk

kimmer
4 - Data Explorer

This connector method exposed the PAT in cleartext. If I share the Excel spreadsheet, the user can discover my PAT and query other company tables. They would need to know different table and base IDs. If my computer storage gets compromised, the hacker will get access to this PAT. Is there a better way to authenticate than using a PAT as a parameter?

I do see a method in data source settings of query editor (PowerBI or Excel) called Web API but Airtable has deprecated its use.

https://support.airtable.com/docs/visualizing-airtable-records-in-microsoft-power-bi-power-query

2 Replies
secubic
4 - Data Explorer

Using a PAT in plain text as part of the connector exposes some security risks, so always try to avoid "raw text".


My idea for your problem is to set the PAT in an environment variable, which will let you use it without embedding it directly in the code (WIN: "set AIRTABLE_PAT=your_pat_here", LINUX: "export AIRTABLE_PAT=your_pat_here").
In a similar case I used a secure cloud storage solution, but I do not remember exactly which one (you can check one of: Azure Key Vault, AWS Secrets Manager or Google Cloud Secret Manager).

It is always worth considering the use of a 2FA / OAuth2 implementation.

Oh... first things first - if you use a private DNS like PiHOLE, check the Pi logs to make sure the endpoint isn't blocked by gravity.
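
An added example, not part of the reply above or of Airtable's guide: a minimal Python export that reads the token from the `AIRTABLE_PAT` environment variable named in the reply and writes only record fields to a CSV, so the file you share carries no credential. The base ID, table name and output path are placeholders, and the function names are hypothetical.

```python
import csv, json, os, urllib.parse, urllib.request

API = "https://api.airtable.com/v0"

def load_pat(env=os.environ):
    """Read the token from the environment; fail closed if it is missing."""
    pat = env.get("AIRTABLE_PAT", "").strip()
    if not pat:
        raise RuntimeError("AIRTABLE_PAT is not set")
    return pat

def http_get_json(url, pat):
    """Send the token only in the Authorization header, never in the URL."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {pat}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_records(base_id, table, pat, get=http_get_json):
    """Follow Airtable's 'offset' pagination and return every record's fields."""
    rows, offset = [], None
    while True:
        url = f"{API}/{base_id}/{urllib.parse.quote(table, safe='')}"
        if offset:
            url += "?" + urllib.parse.urlencode({"offset": offset})
        page = get(url, pat)
        rows.extend(r.get("fields", {}) for r in page.get("records", []))
        offset = page.get("offset")
        if not offset:
            return rows

def write_csv(rows, path):
    """Write field values only; the token never reaches the shared file."""
    cols = sorted({k for r in rows for k in r})
    with open(path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=cols)
        writer.writeheader()
        writer.writerows(rows)
    return cols

if __name__ == "__main__":
    # Placeholder IDs: replace with your own base and table.
    records = fetch_records("appXXXXXXXXXXXXXX", "Table 1", load_pat())
    write_csv(records, "airtable_export.csv")
```

Excel or Power BI can then load `airtable_export.csv` as an ordinary file source, with no PAT parameter stored in the workbook.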

GavinA
8 - Airtable Astronomer

As an FYI, if you are importing Airtable to Excel and want an easy method which shields your data and does not expose the PAT, then here is our quick guide:

https://www.csvgetter.com/blog/export-airtable-to-excel