Automation Rules fail to run or can't be enabled/edited due to the error 'Provided URL is not present in Jira allowlist or request from anonymous users is not enabled'

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After an upgrade of Automation For Jira (A4J) to 9.x (or an upgrade of Jira to 9.11.x which ships with this A4J version), it might become impossible to edit or enable some automation rules due to the error Provided URL is not present in Jira allowlist or request from anonymous users is not enabled:

The affected rules will also fail to send the notification with the same error in the audit logs. This includes rules using any of the action listed below: 

  • Send HipChat message
  • Send Microsoft Teams message
  • Send Slack message
  • Send Stride message
  • Send Twilio message
  • Send web request


This will most likely happen after upgrading Automation for Jira to v9 and above. However, the behaviour may also be seen in any version of Automation after v7.3.

Environment

Automation for Jira v7.3 and above

More likely to happen in Automation for Jira v9 and above

Diagnosis

  1. When checking the audit logs for the rule, you see the error message 'Provided URL is not present in Jira allowlist or request from anonymous users is not enabled.'

  2. When checking the automation Global Configuration, the 'Check all URLs against the Jira allowlist.' option is checked.
  3. Your endpoint is not configured in Jira's allowlist in (Settings > System > Allowlist)

Cause

As per Automation for Jira release notes, the 'Check all URLs against the Jira allowlist' option is enabled by default beginning from v9 so it will be very common to face this after updating Automation to v9 and above. As a result, if any rule was configured before the upgrade to use an action that requires a Webhook URL such as the Send Slack Notification action, it will no longer be possible to publish or enable these rules, unless the Webhook URL was added to the Jira Global allowlist.

Solution

Solution 1 - Add the Webhook URL to the Jira allow list

Resolution steps

  1. Log in as a Jira Administrator
  2. Go to ⚙ > System > Allowlist
  3. Add the URL(s) that need(s) to be whitelisted based on the type of actions used by your automation rules (more information below)

Identifying the list of URLs to be whitelisted

For the rules using the "Send Slack Message" action:

You can use the following setting in the allowlist page:

  1. Type: Wildcard expression
  2. Expression: https://hooks.slack.com/*


For the rules using the "Send Twilio Message" action:

You can use the following setting in the allowlist page:

  1. Type: Wildcard expression
  2. Expression: https://api.twilio.com/*


For the rules using the "Sent Microsoft Team Message", "Send HipChat Message", and "Send Stride Message" actions:

The URLs that needs to be whitelisted will depend on how these actions are configured in your automation rules. The most efficient way to identify which URLs are used in this action is to query the table AO_589059_RULE_SECRET in the Jira Database. This table will include all the Webhook URLs used the "message type" actions such as the MS Team action/Stride action/HipChat action as mentioned in the documentation Create and edit masked secret keys for automation rules

You can execute the SQL query below to get the full list of URLs that need to be added to the Jira Allow Llist:

select * from "AO_589059_RULE_SECRET" where "VALUE" like 'http%';


For the rules using the "Send web request" action:

To get the list of URLs used by this action that need to be added to the Jira Allow List, you need to run the SQL query below, and get the value the "url" parameter in each row returned by the query:

select "VALUE" from "AO_589059_RULE_CFG_COMPONENT" where "TYPE" = 'jira.issue.outgoing.webhook';


(info) Note about this solution

If A4J is on version 9.0.1, the Webhook URLs from rules configured while on A4J 8.x will be shown as generic name, for example slack_notification_XXXXXXXXXX_XXXXXXXXX in case of Slack Webhook URLs. This behavior is due to this bug which was fixed in A4J 9.0.2:

The fact that the Slack Webhook URLs are showing as generic key names rather than URLs does not change the steps to be followed for this solution. The actual Webhook URLs are stored in the Jira DB table AO_589059_RULE_SECRET, and adding https://hooks.slack.com/* to the Jira allowlist will fix the error.

Solution 2 - Disable the A4J allowlist setting

Resolution steps:

  1. Log in as a Jira Administrator
  2. Go to ⚙ > System > Automation Rules
  3. Go to ... > Global configuration 
  4. Untick the option Check all URLs against the Jira allowlist and save the change


Last modified on Dec 8, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.