airbyte-internal-ops 0.2.0__py3-none-any.whl → 0.2.2__py3-none-any.whl

airbyte_ops_mcp/cloud_admin/api_client.py

@@ -48,21 +48,36 @@ class _OriginType(str, Enum):
 
 
 def _get_access_token(
-    client_id: str,
-    client_secret: str,
+    client_id: str | None = None,
+    client_secret: str | None = None,
+    bearer_token: str | None = None,
 ) -> str:
     """Get an access token for Airbyte Cloud API.
 
+    If a bearer_token is provided, it is returned directly (already an access token).
+    Otherwise, exchanges client_id/client_secret for an access token.
+
     Args:
-        client_id: The Airbyte Cloud client ID
-        client_secret: The Airbyte Cloud client secret
+        client_id: The Airbyte Cloud client ID (required if no bearer_token)
+        client_secret: The Airbyte Cloud client secret (required if no bearer_token)
+        bearer_token: Pre-existing bearer token (takes precedence over client credentials)
 
     Returns:
         Access token string
 
     Raises:
-        PyAirbyteInputError: If authentication fails
+        PyAirbyteInputError: If authentication fails or no valid credentials provided
     """
+    # If bearer token provided, use it directly
+    if bearer_token:
+        return bearer_token
+
+    # Otherwise, exchange client credentials for access token
+    if not client_id or not client_secret:
+        raise PyAirbyteInputError(
+            message="Either bearer_token or both client_id and client_secret must be provided",
+        )
+
     # Always authenticate via the public API endpoint
     auth_url = f"{constants.CLOUD_API_ROOT}/applications/token"
     response = requests.post(
@@ -90,16 +105,18 @@ def _get_access_token(
 def get_user_id_by_email(
     email: str,
     api_root: str,
-    client_id: str,
-    client_secret: str,
+    client_id: str | None = None,
+    client_secret: str | None = None,
+    bearer_token: str | None = None,
 ) -> str:
     """Get user ID from email address.
 
     Args:
         email: The user's email address
         api_root: The API root URL
-        client_id: The Airbyte Cloud client ID
-        client_secret: The Airbyte Cloud client secret
+        client_id: The Airbyte Cloud client ID (required if no bearer_token)
+        client_secret: The Airbyte Cloud client secret (required if no bearer_token)
+        bearer_token: Pre-existing bearer token (takes precedence over client credentials)
 
     Returns:
         User ID (UUID string)
@@ -107,7 +124,7 @@ def get_user_id_by_email(
     Raises:
         PyAirbyteInputError: If user not found or API request fails
     """
-    access_token = _get_access_token(client_id, client_secret)
+    access_token = _get_access_token(client_id, client_secret, bearer_token)
 
     endpoint = f"{api_root}/users/list_instance_admin"
     response = requests.post(
@@ -152,8 +169,9 @@ def resolve_connector_version_id(
     connector_type: Literal["source", "destination"],
     version: str,
     api_root: str,
-    client_id: str,
-    client_secret: str,
+    client_id: str | None = None,
+    client_secret: str | None = None,
+    bearer_token: str | None = None,
 ) -> str:
     """Resolve a version string to an actor_definition_version_id.
 
@@ -162,8 +180,9 @@ def resolve_connector_version_id(
         connector_type: Either "source" or "destination"
         version: The version string (e.g., "0.1.47-preview.abe7cb4")
         api_root: The API root URL
-        client_id: The Airbyte Cloud client ID
-        client_secret: The Airbyte Cloud client secret
+        client_id: The Airbyte Cloud client ID (required if no bearer_token)
+        client_secret: The Airbyte Cloud client secret (required if no bearer_token)
+        bearer_token: Pre-existing bearer token (takes precedence over client credentials)
 
     Returns:
         Version ID (UUID string)
@@ -171,7 +190,7 @@ def resolve_connector_version_id(
     Raises:
         PyAirbyteInputError: If version cannot be resolved or API request fails
     """
-    access_token = _get_access_token(client_id, client_secret)
+    access_token = _get_access_token(client_id, client_secret, bearer_token)
 
     endpoint = f"{api_root}/actor_definition_versions/resolve"
     payload = {
@@ -223,8 +242,9 @@ def get_connector_version(
     connector_id: str,
     connector_type: Literal["source", "destination"],
     api_root: str,
-    client_id: str,
-    client_secret: str,
+    client_id: str | None = None,
+    client_secret: str | None = None,
+    bearer_token: str | None = None,
 ) -> dict[str, Any]:
     """Get version information for a deployed connector.
 
@@ -232,8 +252,9 @@ def get_connector_version(
         connector_id: The ID of the deployed connector (source or destination)
         connector_type: Either "source" or "destination"
         api_root: The API root URL
-        client_id: The Airbyte Cloud client ID
-        client_secret: The Airbyte Cloud client secret
+        client_id: The Airbyte Cloud client ID (required if no bearer_token)
+        client_secret: The Airbyte Cloud client secret (required if no bearer_token)
+        bearer_token: Pre-existing bearer token (takes precedence over client credentials)
 
     Returns:
         Dictionary containing:
@@ -243,7 +264,7 @@ def get_connector_version(
     Raises:
         PyAirbyteInputError: If the API request fails
     """
-    access_token = _get_access_token(client_id, client_secret)
+    access_token = _get_access_token(client_id, client_secret, bearer_token)
 
     # Determine endpoint based on connector type
     # api_root already includes /v1
@@ -294,14 +315,15 @@ def set_connector_version_override(
     connector_id: str,
     connector_type: Literal["source", "destination"],
     api_root: str,
-    client_id: str,
-    client_secret: str,
-    workspace_id: str,
+    client_id: str | None = None,
+    client_secret: str | None = None,
+    workspace_id: str | None = None,
     version: str | None = None,
     unset: bool = False,
     override_reason: str | None = None,
     override_reason_reference_url: str | None = None,
     user_email: str | None = None,
+    bearer_token: str | None = None,
 ) -> bool:
     """Set or clear a version override for a deployed connector.
 
@@ -309,14 +331,15 @@ def set_connector_version_override(
         connector_id: The ID of the deployed connector
         connector_type: Either "source" or "destination"
         api_root: The API root URL
-        client_id: The Airbyte Cloud client ID
-        client_secret: The Airbyte Cloud client secret
+        client_id: The Airbyte Cloud client ID (required if no bearer_token)
+        client_secret: The Airbyte Cloud client secret (required if no bearer_token)
         workspace_id: The workspace ID
         version: The version to pin to (e.g., "0.1.0"), or None to unset
         unset: If True, removes any existing override
         override_reason: Required when setting. Explanation for the override
         override_reason_reference_url: Optional URL with more context
         user_email: Email of user creating the override
+        bearer_token: Pre-existing bearer token (takes precedence over client credentials)
 
     Returns:
         True if operation succeeded, False if no override existed (unset only)
@@ -335,7 +358,7 @@ def set_connector_version_override(
             message="override_reason is required when setting a version and must be at least 10 characters",
         )
 
-    access_token = _get_access_token(client_id, client_secret)
+    access_token = _get_access_token(client_id, client_secret, bearer_token)
 
     # Build the scoped configuration
     scope_type = _ScopeType.ACTOR
@@ -479,6 +502,7 @@ def set_connector_version_override(
             api_root=api_root,
             client_id=client_id,
             client_secret=client_secret,
+            bearer_token=bearer_token,
         )
 
         # Get user ID from email if provided
@@ -489,6 +513,7 @@ def set_connector_version_override(
                 api_root=api_root,
                 client_id=client_id,
                 client_secret=client_secret,
+                bearer_token=bearer_token,
             )
 
         # Create the override with correct schema

airbyte_ops_mcp/cloud_admin/connection_config.py

@@ -13,8 +13,8 @@ from pathlib import Path
 
 from pydantic import BaseModel, Field
 
-from airbyte_ops_mcp.live_tests.connection_fetcher import fetch_connection_data
-from airbyte_ops_mcp.live_tests.connection_secret_retriever import (
+from airbyte_ops_mcp.regression_tests.connection_fetcher import fetch_connection_data
+from airbyte_ops_mcp.regression_tests.connection_secret_retriever import (
     retrieve_unmasked_config,
 )
 

airbyte_ops_mcp/constants.py

@@ -3,7 +3,9 @@
 
 from __future__ import annotations
 
-from enum import Enum
+from enum import Enum, StrEnum
+
+from airbyte.exceptions import PyAirbyteInputError
 
 MCP_SERVER_NAME = "airbyte-internal-ops"
 """The name of the MCP server."""
@@ -59,6 +61,64 @@ CLOUD_REGISTRY_URL = (
 )
 """URL for the Airbyte Cloud connector registry."""
 
+# =============================================================================
+# Organization ID Aliases
+# =============================================================================
+
+
+class OrganizationAliasEnum(StrEnum):
+    """Organization ID aliases that can be used in place of UUIDs.
+
+    Each member's name is the alias (e.g., "@airbyte-internal") and its value
+    is the actual organization UUID. Use `OrganizationAliasEnum.resolve()` to
+    resolve aliases to actual IDs.
+    """
+
+    AIRBYTE_INTERNAL = "664c690e-5263-49ba-b01f-4a6759b3330a"
+    """The Airbyte internal organization for testing and internal operations.
+
+    Alias: @airbyte-internal
+    """
+
+    @classmethod
+    def resolve(cls, org_id: str | None) -> str | None:
+        """Resolve an organization ID alias to its actual UUID.
+
+        Accepts either an alias string (e.g., "@airbyte-internal") or an
+        OrganizationAliasEnum enum member, and returns the actual UUID.
+
+        Returns:
+            The resolved organization ID (UUID), or None if input is None.
+            If the input doesn't start with "@", it is returned unchanged.
+
+        Raises:
+            PyAirbyteInputError: If the input starts with "@" but is not a recognized alias.
+        """
+        if org_id is None:
+            return None
+
+        # Handle OrganizationAliasEnum enum members directly
+        if isinstance(org_id, cls):
+            return org_id.value
+
+        # If it doesn't look like an alias, return as-is (assume it's a UUID)
+        if not org_id.startswith("@"):
+            return org_id
+
+        # Handle alias strings or raise an error if invalid
+        alias_mapping = {
+            "@airbyte-internal": cls.AIRBYTE_INTERNAL.value,
+        }
+        if org_id not in alias_mapping:
+            raise PyAirbyteInputError(
+                message=f"Unknown organization alias: {org_id}",
+                context={
+                    "valid_aliases": list(alias_mapping.keys()),
+                },
+            )
+        return alias_mapping[org_id]
+
+
 CONNECTION_RETRIEVER_PG_CONNECTION_DETAILS_SECRET_ID = (
     "projects/587336813068/secrets/CONNECTION_RETRIEVER_PG_CONNECTION_DETAILS"
 )

airbyte_ops_mcp/github_actions.py

@@ -83,6 +83,74 @@ class WorkflowDispatchResult:
     """Direct URL to the workflow run, if discovered"""
 
 
+@dataclass
+class WorkflowJobInfo:
+    """Information about a single job in a workflow run."""
+
+    job_id: int
+    """GitHub job ID (use with git_ci_job_logs to retrieve logs)"""
+
+    name: str
+    """Job name as defined in the workflow"""
+
+    status: str
+    """Job status: queued, in_progress, completed"""
+
+    conclusion: str | None = None
+    """Job conclusion: success, failure, cancelled, skipped (only set when completed)"""
+
+    started_at: str | None = None
+    """ISO 8601 timestamp when the job started"""
+
+    completed_at: str | None = None
+    """ISO 8601 timestamp when the job completed"""
+
+
+def get_workflow_jobs(
+    owner: str,
+    repo: str,
+    run_id: int,
+) -> list[WorkflowJobInfo]:
+    """Get jobs for a workflow run from GitHub API.
+
+    Args:
+        owner: Repository owner (e.g., "airbytehq")
+        repo: Repository name (e.g., "airbyte")
+        run_id: Workflow run ID
+
+    Returns:
+        List of WorkflowJobInfo objects for each job in the workflow run.
+
+    Raises:
+        ValueError: If no GitHub token is found.
+        requests.HTTPError: If API request fails.
+    """
+    token = resolve_github_token()
+
+    url = f"{GITHUB_API_BASE}/repos/{owner}/{repo}/actions/runs/{run_id}/jobs"
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Accept": "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+    }
+
+    response = requests.get(url, headers=headers, timeout=30)
+    response.raise_for_status()
+
+    jobs_data = response.json()
+    return [
+        WorkflowJobInfo(
+            job_id=job["id"],
+            name=job["name"],
+            status=job["status"],
+            conclusion=job.get("conclusion"),
+            started_at=job.get("started_at"),
+            completed_at=job.get("completed_at"),
+        )
+        for job in jobs_data.get("jobs", [])
+    ]
+
+
 def find_workflow_run(
     owner: str,
     repo: str,
@@ -167,7 +235,7 @@ def trigger_workflow_dispatch(
     Args:
         owner: Repository owner (e.g., "airbytehq")
         repo: Repository name (e.g., "airbyte-ops-mcp")
-        workflow_file: Workflow file name (e.g., "connector-live-test.yml")
+        workflow_file: Workflow file name (e.g., "connector-regression-test.yml")
         ref: Git ref to run the workflow on (branch name)
         inputs: Workflow inputs dictionary
         token: GitHub API token

airbyte_ops_mcp/mcp/_http_headers.py

@@ -15,6 +15,8 @@ for the MCP module and should not be imported directly by external code.
 
 from __future__ import annotations
 
+import os
+
 from airbyte.cloud.auth import (
     resolve_cloud_api_url,
     resolve_cloud_client_id,
@@ -49,6 +51,33 @@ def _get_header_value(headers: dict[str, str], header_name: str) -> str | None:
     return None
 
 
+def get_bearer_token_from_headers() -> SecretString | None:
+    """Extract bearer token from HTTP Authorization header.
+
+    This function extracts the bearer token from the standard HTTP
+    `Authorization: Bearer <token>` header when running as an MCP HTTP server.
+
+    Returns:
+        The bearer token as a SecretString, or None if not found or not in HTTP context.
+    """
+    headers = get_http_headers()
+    if not headers:
+        return None
+
+    auth_header = _get_header_value(headers, "Authorization")
+    if not auth_header:
+        return None
+
+    # Parse "Bearer <token>" format (case-insensitive prefix check)
+    bearer_prefix = "bearer "
+    if auth_header.lower().startswith(bearer_prefix):
+        token = auth_header[len(bearer_prefix) :].strip()
+        if token:
+            return SecretString(token)
+
+    return None
+
+
 def get_client_id_from_headers() -> SecretString | None:
     """Extract client ID from HTTP headers.
 
@@ -196,3 +225,30 @@ def resolve_api_url(api_url: str | None = None) -> str:
         return header_value
 
     return resolve_cloud_api_url()
+
+
+def resolve_bearer_token() -> SecretString | None:
+    """Resolve bearer token from HTTP headers or environment variables.
+
+    Resolution order:
+    1. HTTP Authorization header (Bearer <token>)
+    2. Environment variable AIRBYTE_CLOUD_BEARER_TOKEN
+
+    Returns:
+        The resolved bearer token as a SecretString, or None if not found.
+
+    Note:
+        Unlike resolve_client_id/resolve_client_secret, this function returns
+        None instead of raising an exception if no bearer token is found,
+        since bearer token auth is optional (can fall back to client credentials).
+    """
+    header_value = get_bearer_token_from_headers()
+    if header_value:
+        return header_value
+
+    # Try env var directly
+    env_value = os.environ.get("AIRBYTE_CLOUD_BEARER_TOKEN")
+    if env_value:
+        return SecretString(env_value)
+
+    return None

airbyte_ops_mcp/mcp/_mcp_utils.py

@@ -76,8 +76,8 @@ class ToolDomain(str, Enum):
     PROMPTS = "prompts"
     """Prompt templates for common workflows"""
 
-    LIVE_TESTS = "live_tests"
-    """Live tests for connector validation and regression testing"""
+    REGRESSION_TESTS = "regression_tests"
+    """Regression tests for connector validation and comparison testing"""
 
 
 _REGISTERED_TOOLS: list[tuple[Callable[..., Any], dict[str, Any]]] = []

airbyte_ops_mcp/mcp/cloud_connector_versions.py

@@ -5,16 +5,15 @@ This module provides MCP tools for viewing and managing connector version
 overrides (pins) in Airbyte Cloud. These tools enable admins to pin connectors
 to specific versions for troubleshooting or stability purposes.
 
-Uses PyAirbyte's CloudWorkspace, CloudSource, and CloudDestination classes
-for all cloud operations.
+Uses direct API client calls with either bearer token or client credentials auth.
 """
 
 from __future__ import annotations
 
+from dataclasses import dataclass
 from typing import Annotated, Literal
 
 from airbyte import constants
-from airbyte.cloud import CloudWorkspace
 from airbyte.exceptions import PyAirbyteInputError
 from fastmcp import FastMCP
 from pydantic import Field
@@ -29,41 +28,57 @@ from airbyte_ops_mcp.cloud_admin.models import (
     VersionOverrideOperationResult,
 )
 from airbyte_ops_mcp.mcp._http_headers import (
+    resolve_bearer_token,
     resolve_client_id,
     resolve_client_secret,
 )
 from airbyte_ops_mcp.mcp._mcp_utils import mcp_tool, register_mcp_tools
 
 
-def _get_workspace(workspace_id: str) -> CloudWorkspace:
-    """Get a CloudWorkspace instance for the specified workspace.
+@dataclass(frozen=True)
+class _ResolvedCloudAuth:
+    """Resolved authentication for Airbyte Cloud API calls.
 
-    Credentials are resolved in priority order:
-    1. HTTP headers (X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret)
-    2. Environment variables (AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET)
+    Either bearer_token OR (client_id AND client_secret) will be set, not both.
+    """
+
+    bearer_token: str | None = None
+    client_id: str | None = None
+    client_secret: str | None = None
 
-    Args:
-        workspace_id: The Airbyte Cloud workspace ID (required).
+
+def _resolve_cloud_auth() -> _ResolvedCloudAuth:
+    """Resolve authentication credentials for Airbyte Cloud API.
+
+    Credentials are resolved in priority order:
+    1. Bearer token (Authorization header or AIRBYTE_CLOUD_BEARER_TOKEN env var)
+    2. Client credentials (X-Airbyte-Cloud-Client-Id/Secret headers or env vars)
 
     Returns:
-        CloudWorkspace instance configured for the specified workspace.
+        _ResolvedCloudAuth with either bearer_token or client credentials set.
 
     Raises:
         CloudAuthError: If credentials cannot be resolved from headers or env vars.
     """
+    # Try bearer token first (preferred)
+    bearer_token = resolve_bearer_token()
+    if bearer_token:
+        return _ResolvedCloudAuth(bearer_token=str(bearer_token))
+
+    # Fall back to client credentials
     try:
-        return CloudWorkspace(
-            workspace_id=workspace_id,
-            client_id=resolve_client_id(),
-            client_secret=resolve_client_secret(),
-            api_root=constants.CLOUD_API_ROOT,  # Used for workspace operations
+        client_id = resolve_client_id()
+        client_secret = resolve_client_secret()
+        return _ResolvedCloudAuth(
+            client_id=str(client_id),
+            client_secret=str(client_secret),
         )
     except Exception as e:
         raise CloudAuthError(
-            f"Failed to initialize CloudWorkspace. Ensure credentials are provided "
-            f"via HTTP headers (X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret) "
-            f"or environment variables (AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET). "
-            f"Error: {e}"
+            f"Failed to resolve credentials. Ensure credentials are provided "
+            f"via Authorization header (Bearer token), "
+            f"HTTP headers (X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret), "
+            f"or environment variables. Error: {e}"
         ) from e
 
 
@@ -91,11 +106,12 @@ def get_cloud_connector_version(
     an override (pin) is applied.
 
     Authentication credentials are resolved in priority order:
-    1. HTTP headers: X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret
-    2. Environment variables: AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET
+    1. Bearer token (Authorization header or AIRBYTE_CLOUD_BEARER_TOKEN env var)
+    2. HTTP headers: X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret
+    3. Environment variables: AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET
     """
     try:
-        workspace = _get_workspace(workspace_id)
+        auth = _resolve_cloud_auth()
 
         # Use vendored API client instead of connector.get_connector_version()
         # Use Config API root for version management operations
@@ -103,8 +119,9 @@ def get_cloud_connector_version(
             connector_id=actor_id,
             connector_type=actor_type,
             api_root=constants.CLOUD_CONFIG_API_ROOT,  # Use Config API, not public API
-            client_id=workspace.client_id,
-            client_secret=workspace.client_secret,
+            client_id=auth.client_id,
+            client_secret=auth.client_secret,
+            bearer_token=auth.bearer_token,
         )
 
         return ConnectorVersionInfo(
@@ -220,8 +237,9 @@ def set_cloud_connector_version_override(
     - Release candidates (-rc): Any admin can pin/unpin RC versions
 
     Authentication credentials are resolved in priority order:
-    1. HTTP headers: X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret
-    2. Environment variables: AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET
+    1. Bearer token (Authorization header or AIRBYTE_CLOUD_BEARER_TOKEN env var)
+    2. HTTP headers: X-Airbyte-Cloud-Client-Id, X-Airbyte-Cloud-Client-Secret
+    3. Environment variables: AIRBYTE_CLOUD_CLIENT_ID, AIRBYTE_CLOUD_CLIENT_SECRET
     """
     # Validate admin access (check env var flag)
     try:
@@ -288,17 +306,18 @@ def set_cloud_connector_version_override(
             audit_parts.append(f"AI Session: {ai_agent_session_url}")
         enhanced_override_reason = " | ".join(audit_parts)
 
-    # Get workspace and current version info
+    # Resolve auth and get current version info
     try:
-        workspace = _get_workspace(workspace_id)
+        auth = _resolve_cloud_auth()
 
         # Get current version info before the operation
         current_version_data = api_client.get_connector_version(
             connector_id=actor_id,
             connector_type=actor_type,
             api_root=constants.CLOUD_CONFIG_API_ROOT,  # Use Config API
-            client_id=workspace.client_id,
-            client_secret=workspace.client_secret,
+            client_id=auth.client_id,
+            client_secret=auth.client_secret,
+            bearer_token=auth.bearer_token,
         )
         current_version = current_version_data["dockerImageTag"]
         was_pinned_before = current_version_data["isVersionOverrideApplied"]
@@ -306,14 +325,7 @@ def set_cloud_connector_version_override(
     except CloudAuthError as e:
         return VersionOverrideOperationResult(
             success=False,
-            message=f"Failed to initialize workspace or connector: {e}",
-            connector_id=actor_id,
-            connector_type=actor_type,
-        )
-    except Exception as e:
-        return VersionOverrideOperationResult(
-            success=False,
-            message=f"Failed to get connector: {e}",
+            message=f"Failed to resolve credentials or get connector: {e}",
             connector_id=actor_id,
             connector_type=actor_type,
         )
@@ -324,14 +336,15 @@ def set_cloud_connector_version_override(
             connector_id=actor_id,
             connector_type=actor_type,
             api_root=constants.CLOUD_CONFIG_API_ROOT,  # Use Config API
-            client_id=workspace.client_id,
-            client_secret=workspace.client_secret,
+            client_id=auth.client_id,
+            client_secret=auth.client_secret,
             workspace_id=workspace_id,
             version=version,
             unset=unset,
             override_reason=enhanced_override_reason,
             override_reason_reference_url=override_reason_reference_url,
             user_email=admin_user_email,
+            bearer_token=auth.bearer_token,
         )
 
         # Get updated version info after the operation
@@ -339,8 +352,9 @@ def set_cloud_connector_version_override(
             connector_id=actor_id,
             connector_type=actor_type,
             api_root=constants.CLOUD_CONFIG_API_ROOT,  # Use Config API
-            client_id=workspace.client_id,
-            client_secret=workspace.client_secret,
+            client_id=auth.client_id,
+            client_secret=auth.client_secret,
+            bearer_token=auth.bearer_token,
         )
         new_version = updated_version_data["dockerImageTag"] if not unset else None
         is_pinned_after = updated_version_data["isVersionOverrideApplied"]