Whitelist cloud.gov IPs for server-side API keys [Due 12/29/19]

[lbeaufort]

We should whitelist cloud.gov IPs for server-side API keys.

Private API keys (to be documented in fec-accounts repo) should only be used by cloud.gov apps, which have egress IPs.

We have TRUSTED_PROXY_IPS that are in environment vars for API umbrella and should follow a similar route for whitelisting the private api keys. When rotating the keys, we'll need to update the Key-ID env var. See

openFEC/webservices/rest.py

Line 135 in 4b21dbf

DOWNLOAD_WHITELIST_API_KEY_ID = env.get_credential('DOWNLOAD_WHITELIST_API_KEY_ID')

Completion criteria

• put a note in the code to update the fec-accounts wiki if the key is rotated.
• update the fec-accounts wiki with instructions on updating the env vars if the key is rotated.

[pkfec]

For private keys, mainly used for the server side calls, there is a setting in api umbrella that we can update to include the cloud.gov IP's. Thanks @lbeaufort for pointing this out. I have updated the setting for stage private key and tested the server side calls. They all seems to work as expected.

I will update the settings on prod space coming Monday 12/23.
cc @lbeaufort

[pkfec]

In api umbrella, I have added clould.gov IP's to the prod private api key.

[lbeaufort]

@pkfec thanks so much for your work on this! I tried to use the private key on my local machine with curl and got the following error message:

{
  "error": {
    "code": "API_KEY_UNAUTHORIZED",
    "message": "The api_key supplied is not authorized to access the given service. Contact us at https://github.com/fecgov/openFEC/issues for assistance"
  }