Skip to content

DBT Cloud OAuth Client Secret

Service Name: DBT Cloud

Service Description: DBT Cloud is a managed service for data transformation that helps data teams build, test, deploy, and monitor data transformations in the cloud. It's the web-based UI and API for dbt (data build tool), which enables data analysts and engineers to transform data in their warehouses using SQL.

Service Address: https://cloud.getdbt.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level for dbt Cloud Enterprise plans.

Secret Access Scope: Grants programmatic access to DBT Cloud resources and services via OAuth authentication, allowing applications to interact with the DBT Cloud API on behalf of users.

Secret Revokement URL: https://cloud.getdbt.com/settings/service-tokens

Secret Example: dbt_cloud_oauth_secret_1a2b3c4d5e6f7g8h9i0j

Suspicious Activity Investigation Instructions:

  • Review DBT Cloud audit logs for unusual API calls or resource access
  • Check for unexpected changes to dbt models, jobs, or environments
  • Monitor for unauthorized access to sensitive data transformations
  • Examine job run history for anomalous patterns or failures
  • Review IP addresses that have accessed the account through the OAuth client

Mitigation Instructions:

  • Log in to your DBT Cloud account and navigate to Account Settings
  • Go to the "Service Tokens" or "API Tokens" section

  • Locate the compromised OAuth client and delete/revoke it

  • Create a new OAuth client with a new secret if needed
  • Review and update any applications or services using the old client secret
  • Consider implementing IP restrictions for your DBT Cloud account if available on

your plan

  • Enable multi-factor authentication for all users with access to DBT Cloud
  • Review permissions granted to the OAuth client and adjust if necessary