Jira Cloud IP Allowlisting and Automation Web Request

I have automation rules that call the Jira Cloud REST APIs of the same site.

E.g. I have an automation rule that sends a web request to read group membership (/rest/api/3/group/member?groupname=)

But if I enable IP allowlisting, the rule will fail:

Send web request

Error publishing web request. Response HTTP status:

403

Error response HTTP body:

{ “errorMessages”: [ “The IP address has been rejected because it is not on the allowedlist. See your admin for more information.” ], “errors”: {} }

The IP list at https://ip-ranges.atlassian.com/ has 122 entries, while IP allowlisting only allows 100 items.

I need 2 for my users, so I only got 98 left.

How do I know which IPs are used for automation web requests? I tried filtering the 122 IPs based on region, product or direction, but the results are either too huge (>98) or not working (IP still blocked for automation rule).

Run this JavaScript on the IP list page (https://ip-ranges.atlassian.com/):

var json = JSON.parse(document.body.innerText);
var list = new Set();
json.items.filter(function(entry){
return (
entry.direction.indexOf(“egress”) != -1 &&
entry.product.indexOf(“jira”) != -1 &&
entry.mask_len == 28
);
}).forEach(function(entry){
list.add(entry.cidr);
});
var result = “”;
list.forEach(function(item) {
result += “,” + item
});
console.log(result.substring(1));

The result is a comma-delimited list of CIDRs, currently size 15.

With those added, Automation rules can use Web Request on REST APIs in the same site.

1 Like

Good that you found the relevant IP addresses to whitelist and that it’s now working for you.
But honestly, I would have expected that Jira’s own REST API is always accessible from Automation. From an automation point of view I see it as an extension of the existing Automation building blocks, and therefore expect to be able to call it without any whitelisting. Is that something that Atlassian can set up, or maybe is already possible in another way?

2 Likes

When trying to run the code, I was thrown an error. The code has been corrected, and the following JS works:

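// The IP list page is raw JSON, so parse the page body directly.
var json = JSON.parse(document.body.innerText);
var list = new Set(); // a Set drops duplicate CIDRs
// Keep only Jira egress ranges with a /28 mask.
json.items.filter(function(entry){
    return (
        entry.direction.indexOf("egress") != -1 &&
        entry.product.indexOf("jira") != -1 &&
        entry.mask_len == 28
    );
}).forEach(function(entry){
    list.add(entry.cidr);
});
// Join the CIDRs into one comma-delimited string.
var result = "";
list.forEach(function(item) {
    result += "," + item;
});
console.log(result.substring(1)); // strip the leading comma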

Just an update to whoever is using IP allowlisting and running into issues still. The code provided here helped me somewhat but I found that there were still IPs missing that the Jira API needed. The original code only pulls out IPv4 and subnet mask lengths of 28. In my use case, I needed only US IPs and found that the /28 was not inclusive of everything I needed to make the API work. I tinkered with it and the below code should work for you. Keep in mind if you are trying to grab the US only, you will need to iterate the code with the regions you need to grab. In my case, I needed us-east-1, us-west-1, us-west-2, and global.

To make it easy for people in the US, here is the list of IPs I gathered that worked for me. This is as of August 2024; this list can change in the future, so be aware.

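
// The IP list page is raw JSON, so parse the page body directly.
var json = JSON.parse(document.body.innerText);
var list = new Set(); // a Set drops duplicate CIDRs
// Keep Jira egress ranges for one region; change "global" to the region you need.
json.items.filter(function(entry){
    return (
        entry.direction.indexOf("egress") != -1 &&
        entry.product.indexOf("jira") != -1 &&
        entry.region.indexOf("global") != -1
    );
}).forEach(function(entry){
    list.add(entry.cidr);
});
// Join the CIDRs into one comma-delimited string.
var result = "";
list.forEach(function(item) {
    result += "," + item;
});
console.log(result.substring(1)); // strip the leading comma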

I hope this helps other people, as it’s been a pain point for me. Atlassian should automatically approve their own IP space for customers that utilize the API (as most integrations use it) or just offer a feature checkbox that says, “Check here to automatically add Atlassian API IPs.”
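
The snippets in this thread filter one region at a time and keep ranges that sit inside broader ranges already selected, which wastes slots against the 100-entry limit mentioned in the first post. The following is an added example, not code from any poster or from Atlassian: it filters several regions in one pass and drops every CIDR already covered by a broader selected CIDR, so the allowlist covers the same addresses with fewer entries. The function names are hypothetical, the field names are the ones used in the posts' code, and the sample data is constructed from documentation address ranges.

```javascript
// Added example: names are hypothetical, sample data is constructed.
// Parse "addr/len" into { cidr, bits, len, value }, with value as a BigInt.
function parseCidr(cidr) {
  const [addr, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  if (!addr.includes(":")) {
    const value = addr.split(".").reduce((a, o) => (a << 8n) | BigInt(o), 0n);
    return { cidr, bits: 32, len, value };
  }
  // IPv6: expand "::" into the missing zero groups, then fold the 8 groups.
  const [head, tail = ""] = addr.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const groups = [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
  const value = groups.reduce((a, g) => (a << 16n) | BigInt(parseInt(g, 16)), 0n);
  return { cidr, bits: 128, len, value };
}

// True when `outer` is a broader network that contains all of `inner`.
function strictlyCovers(outer, inner) {
  if (outer.bits !== inner.bits || outer.len >= inner.len) return false;
  const shift = BigInt(outer.bits - outer.len);
  return (outer.value >> shift) === (inner.value >> shift);
}

// Select egress ranges for a product and a set of regions, then collapse them.
function buildAllowlist(json, { product, regions, limit }) {
  const has = (field, v) => [].concat(field).includes(v); // array or string
  const wanted = json.items.filter((e) =>
    has(e.direction, "egress") && has(e.product, product) &&
    regions.some((r) => has(e.region, r)));
  const nets = [...new Set(wanted.map((e) => e.cidr))].map(parseCidr);
  // Drop any range that a broader selected range already contains.
  const kept = nets.filter((n) => !nets.some((o) => strictlyCovers(o, n)));
  return { cidrs: kept.map((n) => n.cidr), fits: kept.length <= limit };
}

// Constructed sample in the shape the posts' code expects.
const sample = { items: [
  { cidr: "198.51.100.0/24", direction: ["egress"], product: ["jira"], region: ["us-east-1"] },
  { cidr: "198.51.100.240/28", direction: ["egress"], product: ["jira"], region: ["us-east-1"] },
  { cidr: "2001:db8::/36", direction: ["egress"], product: ["jira"], region: ["global"] },
  { cidr: "2001:db8:220:2::/64", direction: ["egress"], product: ["jira"], region: ["us-east-1"] },
  { cidr: "192.0.2.0/25", direction: ["ingress"], product: ["jira"], region: ["global"] },
  { cidr: "203.0.113.16/28", direction: ["egress"], product: ["jira"], region: ["eu-west-1"] },
]};

console.log(buildAllowlist(sample, { product: "jira", regions: ["us-east-1", "global"], limit: 100 }));
```

On the IP list page, pass `JSON.parse(document.body.innerText)` in place of `sample`, as the posts above do. Collapsing only removes entries that a kept entry already contains, so the set of allowed addresses does not widen.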