#nick-ip-allowlist
@viral pelican no that is Dashboard only today
I don't think we have a good solution for this. If it could be done with a Secret API key then it defeats the purpose since if your key leaks someone can use it to update the IP allow list right?
I guess, but you could have updating IP restrictions as a separate permission and protect that key in a different way or use it in a separate service
Yeah I don't see this happening any time soon
What do you propose I do? It means that "let stripe store the sensitive data" as an approach is a non-starter
I would probably have to download and store it myself
I don't really get it. You should be able to detect IP changes on your end and then change the Dashboard allow list right?
I don't detect IP ranges, no. It's just a pool of public addresses managed by AWS, and servers get taken in and out of service all the time.
0.0.0.0/1
128.0.0.0/2
192.0.0.0/3
224.0.0.0/4
240.0.0.0/5
248.0.0.0/6
252.0.0.0/7
254.0.0.0/8
255.0.0.0/9
255.128.0.0/10
255.192.0.0/11
255.224.0.0/12
255.240.0.0/13
255.248.0.0/14
255.252.0.0/15
255.254.0.0/16
255.255.0.0/17
255.255.128.0/18
255.255.192.0/19
255.255.224.0/20
255.255.240.0/21
255.255.248.0/22
255.255.252.0/23
255.255.254.0/24
255.255.255.0/25
255.255.255.128/26
255.255.255.192/27
255.255.255.224/28
255.255.255.240/29
255.255.255.248/30
255.255.255.252/31
255.255.255.254/32
I could do this I guess?
but it kind of also defeats the purpose of the restriction
yes that would quite defeat the purpose since your key leak would work on any IP from AWS right?
It would be any IP in the world like this, but yes. Since AWS' pool is not static (see first link), I would have to be able to automate updating the restriction, but since I can only do it via dash, this can't be done
Is it an external compliance thing that made you choose this approach? It seems it's the only resource that's protected this way.
yes
And I'm fairly certain there has to be a way to do this without just allow-listing every IP address (which we wouldn't want)
I'm looking, I'll circle back once I know more
Alright. Thanks
what are you using on AWS? Are you on EC2? How are your servers configured?
EC2, yes
I cannot use Elastic IPs with the service I use
which means each instance just gets a new, random IP for the region it runs in
so I can scope it to region, but regions have their ranges updated, and now we're back to square one
but their ranges are likely updated with advanced warnings right?
like we do when we change the IP addresses of api.stripe.com
I would suppose, yes, but it's all done in code with JSON publications and cloudwatch events
i.e. you are expected to automate it
I think for now you'll need to detect those changes, alert yourself and then manually update the allowlist in the Dashboard
It would still only scope it to the region I use, which does not mean "only my IPs", but everyone on AWS in that region
Which is better than every IP, sure
Can you clarify why you can't use Elastic IPs exactly?
It's not supported by the service that provisions my instances on-demand
can I ask you to be a lot more specific about what that means and what you do? I'm happy to report a feature request but I need to know exactly what's up
sure
I would prefer to DM you as this channel is public.
yeah DM is fine