This document describes the steps for setting up allow/deny lists of IPs per user using Firebolt’s REST API. This is a temporary API that will be replaced with SQL in the future.
In order to set up allow/deny lists of IPs per user, follow these steps:
Receive a token for your user. The user should have an account admin role in the needed account:
curl --location --request POST 'https://api.app.firebolt.io/auth/v1/login'\
--header 'Content-Type: application/json' \
--data-raw '{
"password": "<password>",
"username": "<email>"
}'
Get the id of your account:
curl 'https://api.app.firebolt.io/iam/v2/accounts:getIdByName?account_name=<ACCOUNT_NAME>'
--header 'Authorization: Bearer <TOKEN>'
and the id of the user for which you want to set up the IP allow/deny list:
Get all user ids for your account first:
curl 'https://api.app.firebolt.io/iam/v2/accounts/<ACCOUNT_ID>/accountMembers'
--header 'Authorization: Bearer <TOKEN>'
Get all users data:
curl --request POST 'https://api.app.firebolt.io/iam/v2/users:getByIds' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <TOKEN>' \
--data-raw '{
"user_ids": ["<USER_ID1>", "<USER_ID2>", ...]
}'
The response contains a list of all users which can be filtered by email or any other user data to get the id of the specific user.
Set IP allow/deny lists for a given user. For example to allow access from 110.200.55.55, use the below request:
curl --request PATCH 'https://api.app.firebolt.io/iam/v2/accounts/<account_id>/accountMembers/<user_id>:setIPAllowDenyLists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{
"allow_list": ["110.200.55.55"],
"deny_list": []
}'
You can also use the CIDR notation instead of a single IP:
curl --request PATCH 'https://api.app.firebolt.io/iam/v2/accounts/<account_id>/accountMembers/<user_id>:setIPAllowDenyLists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{
"allow_list": ["110.200.55.0/24"],
"deny_list": []
}'
Every request will overwrite existing allow/deny lists. To change the lists, you need to get the existing ones first by getting user data, updating them, and sending the request.
Fetch user data:
curl 'https://api.app.firebolt.io/iam/v2/users/<user_id>' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>'
The response looks like this:
{
"user": {
"id": "87983b73-73a3-4594-889e-d879422cdcd9",
...
"ip_allow_list": ["110.200.55.55"],
"ip_deny_list": []
}
}
To clear both settings, you must set both lists as empty:
curl --request PATCH 'https://api.app.firebolt.io/iam/v2/accounts/<account_id>/accountMembers/<user_id>:setIPAllowDenyLists' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{
"allow_list": [],
"deny_list": []
}'