tableau-cloud-rest-keypair-publish-gap
Tableau Cloud REST API cannot attach a saved-credential by UUID at publish-time. Upstream Tableau platform limitation, no planned fix. Affects ANY workbook with non-password datasource auth: Snowflake keypair, OAuth (Salesforce/Google), Cloud-managed saved credentials. Symptom: publish_workbook (REST) AND Tableau Cloud Web UI upload both reject with 403132 — failed to establish a connection to your datasource. The Tableau Server Client (TSC.ConnectionCredentials) only accepts inline (name, password) overrides — no path to reference a site-managed saved-credential by ID. Even as_job=True + skip_connection_check=True flags don’t bypass — Cloud still rejects keypair-bound publishes.
The only working path: Tableau Desktop publish. Desktop attaches the operator’s locally-bound credential at publish time. Operator workflow: download .twbx (with bundled extract via include_extract=True to avoid Desktop’s E4DAAEC1 extract-regen-needs-local-keypair gap) → open in Desktop → Server → Publish Workbook.
Implication for ANY agent producing Tableau workbooks: cannot fully automate publish for keypair/OAuth datasources. Must produce a self-contained .twbx and hand off to operator. True regardless of build path (Tier-1 download/clone, Tier-2 XML transform, Tier-3 Web Authoring + export). Don’t promise “fully autonomous publish” for these workbook classes — promise “deterministic file + 2-click operator handoff” instead.