How to set up allow/deny lists of IPs per user

This document describes the steps for setting up allow/deny lists of IPs per user using Firebolt’s REST API. This is a temporary API that will be replaced with SQL in the future.

In order to set up allow/deny lists of IPs per user, follow these steps:

  1. Receive a token for your user. The user should have an account admin role in the needed account:

    curl --location --request POST 'https://api.app.firebolt.io/auth/v1/login' \
        --header 'Content-Type: application/json' \
        --data-raw '{
            "password": "<password>",
            "username": "<email>"
        }'

  2. Get the id of your account:

    curl 'https://api.app.firebolt.io/iam/v2/accounts:getIdByName?account_name=<ACCOUNT_NAME>' \
        --header 'Authorization: Bearer <TOKEN>'

    and the id of the user for which you want to set up the IP allow/deny list:

  • Get all user ids for your account first:

    curl 'https://api.app.firebolt.io/iam/v2/accounts/<ACCOUNT_ID>/accountMembers' \
        --header 'Authorization: Bearer <TOKEN>'

  • Get all users' data:

    curl --request POST 'https://api.app.firebolt.io/iam/v2/users:getByIds' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer <TOKEN>' \
        --data-raw '{
            "user_ids": ["<USER_ID1>", "<USER_ID2>", ...]
        }'

The response contains a list of all users which can be filtered by email or any other user data to get the id of the specific user.    

  3. Set IP allow/deny lists for a given user. For example, to allow access from 110.200.55.55, use the request below:

    curl --request PATCH 'https://api.app.firebolt.io/iam/v2/accounts/<account_id>/accountMembers/<user_id>:setIPAllowDenyLists' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer <token>' \
        --data-raw '{
            "allow_list": ["110.200.55.55"],
            "deny_list": []
        }'

You can also use the CIDR notation instead of a single IP:

    curl --request PATCH 'https://api.app.firebolt.io/iam/v2/accounts/<account_id>/accountMembers/<user_id>:setIPAllowDenyLists' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer <token>' \
        --data-raw '{
            "allow_list": ["110.200.55.0/24"],
            "deny_list": []
        }'

Every request will overwrite existing allow/deny lists. To change the lists, you need to get the existing ones first by getting user data, updating them, and sending the request.    

Fetch user data:

    curl 'https://api.app.firebolt.io/iam/v2/users/<user_id>' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer <token>'

  The response looks like this:

    {
        "user": {
            "id": "87983b73-73a3-4594-889e-d879422cdcd9",
            ...
            "ip_allow_list": ["110.200.55.55"],
            "ip_deny_list": []
        }
    }
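
The read-modify-write step described above, as an added example that is not part of the original page or Firebolt's own code: it takes the user-data response, merges changes into the current lists, and returns the complete body for the `setIPAllowDenyLists` request. The function names, the strict CIDR check and the overlap report are assumptions of this example, and the sample response is constructed from the one shown above.

```python
import ipaddress
import json

# Constructed sample, shaped like the user-data response shown above.
SAMPLE = {"user": {"id": "<user_id>", "ip_allow_list": ["110.200.55.55"], "ip_deny_list": []}}


def parse_entry(entry):
    """Parse a single IP or a CIDR range; a bare IP becomes a /32 (or /128) network."""
    # strict=True rejects host bits (110.200.55.5/24): a local check (assumption), not an API rule.
    return ipaddress.ip_network(entry, strict=True)


def merge(existing, add=(), remove=()):
    """Existing entries minus `remove`, plus `add`; order kept, duplicates dropped."""
    drop = {parse_entry(e) for e in remove}
    merged, seen = [], set()
    for entry in [*existing, *add]:
        net = parse_entry(entry)
        if net not in drop and net not in seen:
            seen.add(net)
            merged.append(entry)
    return merged


def build_patch_body(response, allow_add=(), allow_remove=(), deny_add=(), deny_remove=()):
    """Build the full replacement body, since every request overwrites both lists."""
    user = response["user"]
    # GET returns ip_allow_list / ip_deny_list; the PATCH body uses allow_list / deny_list.
    return {
        "allow_list": merge(user.get("ip_allow_list") or [], allow_add, allow_remove),
        "deny_list": merge(user.get("ip_deny_list") or [], deny_add, deny_remove),
    }


def overlaps(body):
    """(allow, deny) pairs whose ranges intersect, to review before sending."""
    allow = [(e, parse_entry(e)) for e in body["allow_list"]]
    deny = [(e, parse_entry(e)) for e in body["deny_list"]]
    return [(a, d) for a, na in allow for d, nd in deny
            if na.version == nd.version and na.overlaps(nd)]


if __name__ == "__main__":
    body = build_patch_body(SAMPLE, allow_add=["110.200.55.0/24"])
    print(json.dumps(body, indent=4))  # use as --data-raw in the PATCH request
    print("overlapping allow/deny entries:", overlaps(body))
```

The printed JSON is the value to pass as `--data-raw` in the PATCH request shown earlier.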

  • To clear both settings, you must set both lists as empty:

    curl --request PATCH 'https://api.app.firebolt.io/iam/v2/accounts/<account_id>/accountMembers/<user_id>:setIPAllowDenyLists' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer <token>' \
        --data-raw '{
            "allow_list": [],
            "deny_list": []
        }'