Get help on Discord

GitHub Actions: Copying Sanity datasets fails, missing "manage datasets" permission

19 replies
Last updated: Oct 24, 2023
Copying datasets with GitHub Actions not working...I'm following this guide: https://www.sanity.io/guides/multi-environment-deployments to create an GitHub workflow action that copies the production dataset to a "staging" dataset. Because I'm using the embedded studio, I need to modify this code a bit. Here is the code from my action:

name: Copy Sanity Production Dataset
on:
  push:
    branches:
      - "feature/**"
      - "!production"
      - "!main"
      - "!staging"
jobs:
  prepare-dataset:
    runs-on: ubuntu-latest
    env:
      SANITY_TOKEN: ${{ secrets.SANITY_TOKEN }}
      SANITY_PROJECT: ${{ secrets.SANITY_PROJECT }}
    steps:
      - name: Double-check branch name
        run: |
          if [ ${GITHUB_REF##*/} = "production" ]; then exit 1; fi
          if [ ${GITHUB_REF##*/} = "main" ]; then exit 1; fi
      - name: Clone dataset from production
        run: |
          curl --request PUT \
          --url <https://api.sanity.io/v2021-06-07/projects/$SANITY_PROJECT/datasets/production/copy> \
          --header 'Authorization: Bearer '$SANITY_TOKEN \
          --header 'Content-Type: application/json' \
          --data '{
          "targetDataset": "staging",
          "skipHistory": true
          }'
And when I pushed a new "feature/whatever" branch, the action ran "successfully", but when I log in to my feature branch studio that is using the staging dataset, it does not have the data from production. One thing I'm unsure about is the part in the guide that says, "'we can create a token under the “API” section of the management console. It should have the “*manage datasets*” permission.'" When I created a token, I don't see any options that include "manage datasets". I've tried it with both "viewer" and "editor" permissions, but either way production is not getting copied to staging. What am I missing? It doesn't need Deploy Studio privileges does it? I'm not deploying this studio; it's embedded in my Remix app.
AI Update

Based on my research, I can see the issue you're running into. The dataset copy feature you're trying to use is actually an Enterprise/Business plan feature, and the "manage datasets" permission isn't something you'll find as a checkbox in the token creation UI.

The Token Permission Issue

When you create a token in the Sanity management console under the "API" tab, you'll only see these standard roles:

  • Viewer (read-only access)
  • Editor (read and write content)
  • Deploy Studio (for deploying Studio)
  • Administrator (full project access)

The dataset copy endpoint requires administrative permissions that go beyond standard Editor or Viewer roles. According to the documentation, copying datasets is a feature available to Business and Enterprise customers.

What You Need to Do

1. Use an Administrator token: Create a token with the Administrator role (not Editor or Viewer). This role has the necessary permissions to manage datasets, including copying them. The guide's reference to "manage datasets" permission means you need a token with Administrator-level access—it's not a separate checkbox option.

2. Verify your plan: The dataset copy feature is part of Advanced Dataset Management, which is only available on Business and Enterprise plans. If you're on a Free or Growth plan, this endpoint won't work even with the correct token—it will appear to succeed but won't actually copy the data.

3. Check your workflow: Your GitHub Action code looks correct, but make sure:

  • The SANITY_TOKEN secret contains an Administrator token
  • Your project is on a Business or Enterprise plan
  • The staging dataset either doesn't exist yet, or you're okay with it being overwritten

Alternative Approaches

If you're on a Free or Growth plan or don't have access to the copy endpoint, you could:

  • Use the CLI: The Sanity CLI's export/import commands work on all plans:

    sanity dataset export production backup.tar.gz
sanity dataset import backup.tar.gz staging

  • Sanity Functions: Consider using Sanity Functions to automate dataset operations—they're serverless compute within Sanity and can handle content synchronization tasks without needing external hosting.

  • Upgrade your plan: If dataset copying is critical to your multi-environment workflow, consider upgrading to a Business or Enterprise plan.

The bottom line: The "manage datasets" permission mentioned in the guide refers to Administrator-level access, and the dataset copy API endpoint itself is a paid feature. You need both the right token role AND the right plan tier for this to work.

Show original thread
19 replies
Is this on a Business or Enterprise plan? This endpoint is using Cloud Clone , which requires at least a Business plan:

/v2021-06-07/projects/$SANITY_PROJECT/datasets/production/copy
hey
can look at my question please
user D
Please don’t do that.
Ahh, well that answers it. It's on a free plan. The guide mentions that, but it kind of gets lost in translation, which is why I didn't think of that. Can I run something like 
npx sanity dataset copy production staging
inside this action? I'm not too familiar with GitHub Actions yet.
You’d be limited to using export/import, so whatever process you used would need to be able to handle the size of your dataset.
Depending on your needs, ignoring assets may help control the size of the export enough to keep everything in RAM (I don’t know what GitHub Actions offer in terms of RAM or persistent space, if any).
Gotcha. Thank you!
Okay, so I'm running this command in my GitHub action (* indicates its reading the secret):
SANITY_EXPORT_DATASET=*** npx -y sanity@latest dataset export --skip-history production exports/production.tar.gz
But I'm getting this error: 
You must login first - run "sanity login"
. Obviously, I can't login like that, which is what I thought the token was for. Am I not setting the env var correctly like this?
What do you mean by “*** indicates its reading the secret”? Are you passing in 
SANITY_AUTH_TOKEN
?
Yeah, I was just saying that because I copied that output from the terminal and GitHub was just concealing my secret, so I wanted to be clear I wasn't literally passing in *, but I guess I wasn't as clear as I thought 😄. What are token with the "DEPLOY STUDIO (TOKEN ONLY)" permissions for? Is that just for deploying the studio or is that also for when you need to do what I'm trying to do without manually logging in?
Okay, thank you. What I meant was that the env variable you mentioned was SANITY_EXPORT_DATASET, but that’s where you put the three asterisks. Just wanted to make sure the right variable was being used.
I don’t believe any of the user tokens can be used to deploy a Studio—even administrator. The deploy studio robot token needs to be used instead.
Oh, well now that you mention it, I wasn't passing in SANITY_AUTH_TOKEN. Is that some kind of built in token variable name that the Sanity CLI is expecting? Or would I need to create that under my API settings?
Yes, it’s built-in. There’s a short write-up here that touches a bit on when and why it’s needed.
Ah ha. Okay, I got the export/import working now with GitHub workflows. Thank you!
I will need to be mindful, like you said, of the available resources on those workflow machines, but I'll cross that bridge when we get there I guess.
Is there any new and updated Sanity documentation for the Git Actions to do automated backups? Appears to be interopability issues with the CLI/GIT/Node versions?
Anyone currently able to use in production capacity ?

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?