I noticed fail-open API security logic in place with the Atlas API. I can run atlas cluster list under an authenticated session with a valid service account, yet my IP address is not in the service account’s API Access List, which is empty.
However, if I add a random IP address, I suddenly encounter this error:
atlas clusters list
Warning: Secure storage is not available, falling back to insecure storage
To disable this alert, run "atlas config set silence_storage_warning true"
Error: https://cloud.mongodb.com/api/atlas/v2/groups/69f5a94637eebff58e9fd971/clusters GET: HTTP 403 Forbidden (Error code: "IP_ADDRESS_NOT_ON_ACCESS_LIST") Detail: IP address <redacted> is not allowed to access this resource. Reason: Forbidden. Params: [<redacted>]
This is because Require IP Access List for the Atlas Administration API is turned off. If it’s off, all IP addresses can use the API when the list is empty; if there’s at least one IP address in the list, only the listed addresses can access the API. You can access the setting from the organization settings page (https://cloud.mongodb.com/v2#/org/69f5a94637eebff58e9fd972/settings/general). If you can’t find it, check this page: https://www.mongodb.com/docs/atlas/configure-api-access/?interface=atlas-ui&programmatic-access=service-account#provide-access-to-whitelisted-api-operations
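The decision logic described above, written out as an added example (not MongoDB's code or part of the original note), with a small audit that lists service accounts left open to any source IP. The dictionary layout, field names and sample accounts are constructed for illustration, and denying an empty list when the setting is on is an assumption taken from the setting's name.

```python
import ipaddress


def api_request_allowed(source_ip, access_list, require_access_list):
    """Model of the access decision for one service account."""
    if not access_list:
        # Empty list: every address is accepted unless the org-level
        # "Require IP Access List" setting is on (assumed to deny).
        return not require_access_list
    addr = ipaddress.ip_address(source_ip)
    # A non-empty list is enforced regardless of the org setting.
    return any(
        addr in ipaddress.ip_network(entry, strict=False)
        for entry in access_list
    )


def find_fail_open_accounts(org):
    """Return names of service accounts that accept requests from any IP."""
    if org["require_access_list"]:
        return []
    return [
        sa["name"] for sa in org["service_accounts"] if not sa["access_list"]
    ]


# Constructed inventory; names and addresses are documentation-range samples.
SAMPLE_ORG = {
    "require_access_list": False,
    "service_accounts": [
        {"name": "ci-deployer", "access_list": []},
        {"name": "backup-job", "access_list": ["198.51.100.10"]},
        {"name": "metrics", "access_list": ["192.0.2.0/24"]},
    ],
}

if __name__ == "__main__":
    for name in find_fail_open_accounts(SAMPLE_ORG):
        print(f"fail-open: {name} accepts API calls from any address")
```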