GraphQL: createDelegatedWireGuardToken and addWireGuardPeer

Hello!

I’m attempting to use the GraphQL API to create a WireGuard peer using a delegated WireGuard token.

I can call addWireGuardPeer to successfully create a peer connection.

And I can call createDelegatedWireGuardToken to generate a delegated token.

But I can’t figure out how to call addWireGuardPeer with the delegated token to create the peer connection. I’ve tried calling addWireGuardPeer using the delegated token as the FLY_API_TOKEN, like the older v3 API apparently did, but I get an error message: “You must be authenticated to view this.”

Is there a way to do this?

Here are the two API calls I have working.

# 1. Mint a delegated WireGuard token for the org. This call itself is
#    made with a regular API token.
#    Note: the '"'"${VAR}"'"' splicing only produces valid JSON if the
#    values contain no double quotes or backslashes.
curl 'https://api.fly.io/graphql' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${FLY_API_TOKEN}" \
  --data '{
  "query": "mutation($input: CreateDelegatedWireGuardTokenInput!){ createDelegatedWireGuardToken(input: $input){ clientMutationId token } }",
  "variables": {
    "input": {
      "organizationId": "'"${FLY_ORG_ID}"'",
      "name": "'"${WG_TOKEN_NAME}"'"
    }
  }
}'; echo

# 2. Register a peer. pubkey is the client's WireGuard public key; the
#    response returns the gateway side (endpointip, peerip, pubkey) needed
#    to write the client's wg config.
curl 'https://api.fly.io/graphql' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${FLY_API_TOKEN}" \
  --data '{
  "query": "mutation($input: AddWireGuardPeerInput!){ addWireGuardPeer(input: $input){ clientMutationId endpointip peerip pubkey } }",
  "variables": {
    "input": {
      "organizationId": "'"${FLY_ORG_ID}"'",
      "region": "'"${FLY_REGION}"'",
      "name": "'"${WG_PEER_NAME}"'",
      "pubkey": "'"${WG_PEER_PUBLIC_KEY}"'",
      "network": "'"${WG_PEER_NETWORK}"'"
    }
  }
}'; echo

Cheers!
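The two mutations from the post, wrapped in a small Python client, as an added example that is not part of the original post or of Fly.io's own tooling. It builds the request body with json.dumps (so peer names containing quotes cannot break the JSON the way shell splicing into a curl --data string can), treats a GraphQL `errors` array as a failure even when the HTTP status is 200 (which is how the "You must be authenticated to view this." message would arrive), and renders the addWireGuardPeer result into a wg-quick config. The mutation text, URL and field names are taken from the post; the UDP port, the address prefix length and the AllowedIPs range are assumptions and are labelled as such in the code.

```python
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.fly.io/graphql"  # from the original post

# Mutation strings exactly as used in the curl calls above.
CREATE_TOKEN_MUTATION = (
    "mutation($input: CreateDelegatedWireGuardTokenInput!)"
    "{ createDelegatedWireGuardToken(input: $input){ clientMutationId token } }"
)
ADD_PEER_MUTATION = (
    "mutation($input: AddWireGuardPeerInput!)"
    "{ addWireGuardPeer(input: $input){ clientMutationId endpointip peerip pubkey } }"
)


class GraphQLError(RuntimeError):
    """Raised when the response carries a non-empty `errors` array."""


def build_request(query, variables):
    """Serialise the request body with json.dumps so that quotes and
    backslashes in variable values are escaped instead of corrupting the
    JSON (the '"'"${VAR}"'"' splicing in the curl examples cannot do that)."""
    return json.dumps({"query": query, "variables": variables}).encode()


def check_response(body):
    """GraphQL servers report failures, including auth failures, in an
    `errors` array, often alongside HTTP 200, so the status code alone is
    not a reliable success check. Raise if any error is present."""
    doc = json.loads(body)
    if doc.get("errors"):
        raise GraphQLError("; ".join(e.get("message", "?") for e in doc["errors"]))
    return doc["data"]


def graphql(token, query, variables, url=GRAPHQL_URL):
    """POST one mutation with a bearer token and return its `data`."""
    req = urllib.request.Request(
        url,
        data=build_request(query, variables),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return check_response(resp.read())


def create_delegated_token(token, org_id, name):
    data = graphql(token, CREATE_TOKEN_MUTATION,
                   {"input": {"organizationId": org_id, "name": name}})
    return data["createDelegatedWireGuardToken"]["token"]


def add_peer(token, org_id, region, name, pubkey, network):
    data = graphql(token, ADD_PEER_MUTATION,
                   {"input": {"organizationId": org_id, "region": region,
                              "name": name, "pubkey": pubkey, "network": network}})
    return data["addWireGuardPeer"]


def render_wg_config(peer, private_key, allowed_ips, prefix_len=120, port=51820):
    """Render the addWireGuardPeer result as a wg-quick config.
    ASSUMPTIONS (not stated in the thread): UDP port 51820, a /120 on the
    peer address, and the AllowedIPs range passed in by the caller.
    An IPv6 endpoint must be bracketed before the port is appended."""
    endpoint = peer["endpointip"]
    if ":" in endpoint:
        endpoint = f"[{endpoint}]"
    return (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        f"Address = {peer['peerip']}/{prefix_len}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {peer['pubkey']}\n"
        f"AllowedIPs = {allowed_ips}\n"
        f"Endpoint = {endpoint}:{port}\n"
    )


if __name__ == "__main__":
    # Usage mirrors the environment variables in the curl calls above.
    env = os.environ
    peer = add_peer(env["FLY_API_TOKEN"], env["FLY_ORG_ID"], env["FLY_REGION"],
                    env["WG_PEER_NAME"], env["WG_PEER_PUBLIC_KEY"], env["WG_PEER_NETWORK"])
    # WG_PEER_PRIVATE_KEY and WG_ALLOWED_IPS are assumed names for this example.
    print(render_wg_config(peer, env["WG_PEER_PRIVATE_KEY"], env["WG_ALLOWED_IPS"]))
```

The client does not answer the question of which token addWireGuardPeer will accept; it only makes the failure mode visible: a delegated token that is rejected shows up as a GraphQLError carrying the server's message rather than as a silently empty `data`.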

Hello, anyone out there have some insight on this issue?

Huh. What are you doing with the delegated tokens?

I might want to wave you off on using them right now, because we’re in the process of rolling out our new Macaroon-based auth tokens, which subsume those special-purpose tokens.

Thanks for jumping in, Thomas! I’m exploring being able to host a client inside an isolated network inside my org. And I want the client to be able to WireGuard peer to their apps in that isolated network in my org, but nothing else. Does that make sense?