
synadia-labs/cidr-restricted-user-jwt

Synadia Cloud User Credentials with CIDR Restrictions

Example tool demonstrating how to programmatically create NATS user credentials with IP-based access controls using the Synadia Cloud API.

Overview

NATS user JWTs can include a src claim that restricts which IP addresses or CIDR ranges are allowed to connect. This provides network-level access control independent of the credentials themselves.

This tool:

  • Creates a new user if it doesn't exist, or updates an existing user
  • Sets CIDR restrictions on the user's JWT settings
  • Downloads the credentials file

Prerequisites

  • Go 1.21+
  • Synadia Cloud account with API access
  • Account ID and signing key group ID from Synadia Cloud

Build

go build -o cidr-user .

Configuration

Set environment variables:

export CLOUD_URL="https://cloud.synadia.com"
export ACCESS_TOKEN="your-api-token"

To get an API token, go to Synadia Cloud > Personal Access Tokens.

Usage

Create a new user with CIDR restrictions:

./cidr-user \
  -account 2bGxXXXXXXXXXXXXXXXXXXXX \
  -sk-group 2cHyYYYYYYYYYYYYYYYYYYYY \
  -name "restricted-user" \
  -cidrs "10.0.0.0/8,192.168.0.0/16" \
  -output restricted-user.creds

Update an existing user's CIDR restrictions:

./cidr-user \
  -account 2bGxXXXXXXXXXXXXXXXXXXXX \
  -name "restricted-user" \
  -cidrs "172.16.0.0/12"

Remove CIDR restrictions (allow all IPs):

./cidr-user \
  -account 2bGxXXXXXXXXXXXXXXXXXXXX \
  -name "restricted-user" \
  -cidrs ""

Flags

Flag       Description
-account   Account ID (required)
-sk-group  Signing key group ID (required for new users)
-name      User name (required)
-cidrs     Comma-separated CIDR list
-output    Output file for credentials (default: stdout)
-expires   JWT expiration in seconds (0 = account default)

How It Works

The tool uses the Synadia Cloud REST API:

  1. GET /core/beta/accounts/{id}/nats-users - List users to check if name exists
  2. POST /core/beta/accounts/{id}/nats-users - Create new user with jwt_settings.src
  3. PATCH /core/beta/nats-users/{id} - Update existing user's jwt_settings.src
  4. POST /core/beta/nats-users/{id}/creds - Download credentials file

The jwt_settings.src field accepts an array of CIDR strings that are embedded in the user JWT's claims. NATS servers enforce these restrictions at connection time.
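Because the src list is the whole access boundary, it is worth validating a -cidrs value before it is sent to the API. The following is an added example, not code from this repository: parseCIDRs and allowed are hypothetical helpers, rejecting /0 prefixes is a policy choice of the example, and allowed only approximates the server-side check for pre-flight testing.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseCIDRs validates a -cidrs style string (hypothetical helper).
// Empty input yields an empty list, which the README treats as "allow all IPs".
func parseCIDRs(list string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, raw := range strings.Split(list, ",") {
		s := strings.TrimSpace(raw)
		if s == "" {
			continue
		}
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", s, err)
		}
		if p != p.Masked() { // e.g. 10.0.0.1/8: likely a typo, so refuse to guess
			return nil, fmt.Errorf("%q has host bits set; did you mean %s?", s, p.Masked())
		}
		if p.Bits() == 0 { // example policy: a /0 entry silently disables the restriction
			return nil, fmt.Errorf("%q matches every address", s)
		}
		out = append(out, p)
	}
	return out, nil
}

// allowed approximates the connection-time check for a source IP.
// IPv4-mapped IPv6 addresses are unmapped so they match IPv4 prefixes.
func allowed(src []netip.Prefix, ip string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	for _, p := range src {
		if p.Contains(addr.Unmap()) {
			return true
		}
	}
	return len(src) == 0 // empty list means unrestricted
}

func main() {
	fmt.Println(parseCIDRs("10.0.0.0/8,192.168.0.0/16")) // constructed sample input
}
```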
