The current approach of using a single API key for the NMM API does not meet our operational or security requirements.
Multiple internal teams require access to the Nerdio API, but today all access is provided through a single key that grants extensive permissions across our customer estates. This creates a number of challenges, particularly around the principle of least privilege. For example, our reporting team requires read-only access to a limited set of data and does not need full write permissions across API endpoints.
This issue has become more significant as we integrate with a third-party billing provider that needs to retrieve billing data from NMM. We cannot provide that organisation with unrestricted access through the existing API key model.
Ideally, we would be able to generate dedicated API keys for specific users, teams, or integrations, with granular control over the endpoints they can access and the permissions granted (for example, read-only versus read/write). This would allow us to securely support a range of use cases while maintaining appropriate governance and access controls.
In the absence of this capability, we will be required to design, build, and maintain an intermediary service to proxy requests between the third-party provider and the Nerdio API. This introduces additional complexity, operational overhead, and technical debt, and runs counter to our objective of simplifying our architecture wherever possible.
Comments (0 comments)