ipam authorization - any managed identity can get access token and vend/reservation of a new address space #248
omerzubair started this conversation in Ideas
Hi @DCMattyG,
Problem Domain:
I have my Terraform calling the IPAM solution, i.e. using a DevOps pipeline going via public and reaching the App Gateway in front of IPAM.
I am unable to limit my App Gateway to IP ranges as my pipelines use the Azure AU BGP range.
Furthermore, anyone in the directory with admin RBAC can create a UAMI/managed identity/Azure AD App,
and once they create it they can get a token and, using that new token, vend out the CIDR/address space.
Feature:
I would like to limit the API calls to a limited set of identities (allowlist): human and service principals of MI/UAMI etc.
If a reservation request comes via the API and that identity is not in the allowlist then the POST call should fail perhaps? Or another mechanism; I am not sure how Terraform will react if the call fails. Will it destroy all CIDRs on apply? Don't know, to be tested.
Happy to hear comments from others on this feature.
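The check the request above asks for, as an added example that is not code from the Azure IPAM project or from the poster. It assumes the API already validates the token's signature, issuer, audience and expiry in its existing middleware and only needs a decision on whether the validated caller may reserve address space. The `Allowlist` and `authorize_reservation` names, the GUID-like IDs and the sample claim sets are all constructed for this example. The key point is that the allowlist is keyed on the `oid` claim (stable object ID of the user, service principal or managed identity), optionally supplemented by an app role in the `roles` claim, rather than on source IP, which the post explains cannot be pinned down for hosted pipelines.

```python
"""Allowlist check on validated Azure AD access-token claims (added example).

Assumes signature/issuer/audience/expiry have already been verified upstream;
this only decides whether the named caller may reserve address space.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional


class CallerNotAllowed(Exception):
    """Raised when a validated token belongs to an identity outside the allowlist."""


@dataclass(frozen=True)
class Allowlist:
    # Tenant the API trusts; tokens minted for any other tenant are rejected.
    tenant_id: str
    # "oid" values of users, managed identities and service principals that may
    # reserve space. oid is stable for the principal's lifetime; display names
    # are mutable and appid is not unique across service principals, so neither
    # is a safe allowlist key.
    object_ids: FrozenSet[str] = field(default_factory=frozenset)
    # Optional app role (a value in the "roles" claim) that also grants access,
    # for deployments that prefer role assignment over a static oid list.
    required_role: Optional[str] = None


def authorize_reservation(claims: dict, allowlist: Allowlist) -> str:
    """Return the caller's oid if it may reserve address space, else raise."""
    if claims.get("tid") != allowlist.tenant_id:
        raise CallerNotAllowed("token issued for a different tenant")

    oid = claims.get("oid")
    if not oid:
        # Access tokens for users, SPs and managed identities carry "oid";
        # without it we cannot name the caller, so fail closed.
        raise CallerNotAllowed("token carries no oid claim")

    if oid in allowlist.object_ids:
        return oid

    roles = claims.get("roles") or []
    if allowlist.required_role and allowlist.required_role in roles:
        return oid

    raise CallerNotAllowed(f"identity {oid} may not reserve address space")


def is_allowed(claims: dict, allowlist: Allowlist) -> bool:
    """Boolean wrapper for callers that map the outcome to an HTTP 403."""
    try:
        authorize_reservation(claims, allowlist)
        return True
    except CallerNotAllowed:
        return False


# Constructed sample data (not real tenant or principal IDs).
TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
PIPELINE_UAMI_OID = "11111111-0000-0000-0000-000000000002"

ALLOWLIST = Allowlist(
    tenant_id=TENANT,
    object_ids=frozenset({PIPELINE_UAMI_OID}),
    required_role="IPAM.Reserve",
)

# The pipeline's UAMI: allowlisted by oid.
ALLOWED_UAMI_CLAIMS = {"tid": TENANT, "oid": PIPELINE_UAMI_OID,
                       "appid": "22222222-0000-0000-0000-000000000003"}
# A UAMI somebody else just created in the same tenant: valid token, not allowlisted.
ROGUE_UAMI_CLAIMS = {"tid": TENANT, "oid": "33333333-0000-0000-0000-000000000004",
                     "appid": "44444444-0000-0000-0000-000000000005"}
# A service principal granted the app role instead of an oid entry.
ROLE_SP_CLAIMS = {"tid": TENANT, "oid": "55555555-0000-0000-0000-000000000006",
                  "roles": ["IPAM.Reserve"]}
# Same oid as the pipeline, but a token for another tenant.
OTHER_TENANT_CLAIMS = {"tid": "bbbbbbbb-0000-0000-0000-000000000007",
                       "oid": PIPELINE_UAMI_OID}


if __name__ == "__main__":
    for name, claims in [("pipeline UAMI", ALLOWED_UAMI_CLAIMS),
                         ("rogue UAMI", ROGUE_UAMI_CLAIMS),
                         ("role-assigned SP", ROLE_SP_CLAIMS),
                         ("other tenant", OTHER_TENANT_CLAIMS)]:
        print(f"{name}: {'allow' if is_allowed(claims, ALLOWLIST) else 'deny (403)'}")
```

Run this check before the reservation is written, so a denied POST returns 403 with no address space allocated. Note that by default Azure AD will issue an access token for the IPAM app's audience to any principal in the tenant, which is exactly the gap the post describes; enforcing app role assignment on the enterprise application, or checking `oid`/`roles` as above, closes it, while the source IP of a hosted pipeline does not.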