Forge egress limits

We are testing Forge with new runtime and remotes in manifest. I am seeing this error. There seems to be a limit but I could not find this documented. Can someone shed more light on this?

Error: There are egress permission URLs provided, exceeding the maximum of 51. (requestId: fc4c03c312ba42489400017f2d021d4d)

Can I ask why you need more that 50 egress URLs? The issue is mostly a UX one, in that we need to display the egress URLs on the installation screen and we don’t want admins to have to review a really long list of URLs.

1 Like

Our app provides integrations to many enterprise systems, allowing customers to integrate them with Jira. And some enterprise systems have more than 5 URL’s they expose - for e.g. one for US, one for EU, etc.
How is this 51 limit defined? I counted my client, backend and images list but they still don’t add up to 51.

Hello @GirishReddy, I took a close look at this today and it seems that the real limit for egress URLs is 50, the error message is misleading and I have added a bug in our backlog to fix this. We have another task to document the egress limit in our docs.

In terms of how the egress limit is calculated; it is calculated as the unique sum of all the URLs that you have defined under permissions plus the URLs defined under remotes. So if you have some URLs that you defined under remotes but not under permissions, they will also count towards your quota. Perhaps you are using some feature like external auth which allows you to define remotes and use them as the authorization remote without specifying them under permissions egress.

That helps, thanks. Can you also confirm which of the atlassian URL’s need to be explicitly mentioned in permissions.external.images section? We have these at the moment to pull icons, user profile image, etc.

      - "*.atlassian.net"
      - "*.gravatar.com"
      - "*.atlassian.com"
      - "*.atl-paas.net"
      - "*.atlassian.design"

I believe that you will need all of them. By default, the CSP directive will be img-src 'self' so you would only be able to pull images from the current origin, i.e.: <current-site>.atlassian.net (unless this is what you need under *.atlassian.net).