Comments (8)

kentonv commented on May 25, 2024

Ugh, lame. Let me poke some people internally about this.

Though I guess this is still much better than the pre-api-token world...

from acme-dns-01-cloudflare.

Cherry commented on May 25, 2024

Good news! With changes to Cloudflare's new zone-scoped roles, this no longer seems to be an issue. A "zone list" API request now returns just the zones an account has access to, without requiring the "all zones" permission 🥳

Cherry commented on May 25, 2024

Hi Kenton, thanks so much for the info!

I actually noticed this myself on Friday when trying to generate a certificate but didn't get around to creating an issue or solution yet.

What do you think of something like this, which would allow users to pass in a zone map of domain => zone ID?

```javascript
const cloudflareDns01 = new acmeDnsCloudflare({
	token: 'xxxxxx',
	verifyPropagation: true,
	verbose: true,
	zones: {
		"example.com": "asdfgh",
		"example2.com": "zxcvbn"
	}
});
```

The module could then first check the zones configuration as passed in, but fall back to querying Cloudflare's API for the zones if it needs to.

As a side note, allowing com.cloudflare.api.account.zone.list as a separate explicitly granted permission would be really awesome. 😉

kentonv commented on May 25, 2024

Oh geez... The API doesn't provide any way to map a zone name to an ID without listing zones?

(Yeah this is not my department at Cloudflare. 😅)

Cherry commented on May 25, 2024

As far as I can tell looking at https://api.cloudflare.com/#zone-list-zones, there's a filter name for the GET zones call, but no way to specify multiple filters. So if you wanted to create certs for 30 zones on your account, this would be 30 separate API calls vs 1 or 2 for a generic GET zones listing.

But, that's assuming the GET zones call would take into account permissions on specific zones, and with some quick testing, it doesn't seem to. Even if I explicitly do GET zones?name=example.com where example.com is a zone I have access to, I still receive the com.cloudflare.api.account.zone.list permission error until I set Zone -> Zone:Read for all zones.

Unless I'm missing an available API call on Cloudflare's end, the only 2 solutions that I can think of here (when using an API token, without API changes on Cloudflare's end) are passing in the zone names/IDs map to this module, or giving your API token access to all zones on the account, neither of which are ideal. 😕

Cherry commented on May 25, 2024

Yeah, a revocable token is still way better than a global API key, even if you have to give it more permissions than really intended. 😀

I'll see about updating the README here shortly with the new permission information. Hopefully we can find a better solution soon!

kentonv commented on May 25, 2024

I checked internally and it seems like there is a desire to fix this, but it's not as easy as it looks, so probably shouldn't expect it to change in the near term.

I guess having some way to specify zone tags manually might be neat though I expect most people won't want to do the work of looking them all up.

Cherry commented on May 25, 2024

Thanks for the update. I'll think about this a little and see what I want to do. Specifying a zones map could be a nice interim feature, and just fall back to using the API for those who don't wish to configure this, or for missing zones, with hopefully a better solution coming in the future.

from acme-dns-01-cloudflare.
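
The lookup order discussed in this thread (configured zones map first, API listing only for zones missing from it), sketched as an added example that is not code from acme-dns-01-cloudflare. `matchZone`, `createZoneResolver` and the injected `listZones` function are hypothetical names, and the sample zone IDs are the placeholders from the thread.

```javascript
// Added example: hypothetical helpers, not part of acme-dns-01-cloudflare.

// Longest-suffix match on label boundaries: "a.b.example.com" prefers
// "b.example.com" over "example.com" and never matches "badexample.com".
function matchZone(known, hostname) {
	const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
	for (let i = 0; i < labels.length - 1; i++) {
		const name = labels.slice(i).join('.');
		if (known.has(name)) return { name, ...known.get(name) };
	}
	return null;
}

// `zones` is the { domain: zoneId } map proposed in the thread; `listZones`
// is an injected async function standing in for the "list zones" API call
// and is assumed to return [{ name, id }, ...].
function createZoneResolver({ zones = {}, listZones } = {}) {
	const known = new Map();
	for (const [name, id] of Object.entries(zones)) {
		known.set(name.toLowerCase(), { id, source: 'config' });
	}
	let listing = null; // cached promise: at most one listing call

	return async function resolveZone(hostname) {
		let hit = matchZone(known, hostname);
		if (hit) return hit;
		if (!listZones) throw new Error(`no zone configured for ${hostname}`);
		// Fallback path: the only step that needs the token to list zones.
		listing = listing || listZones().then((found) => {
			for (const { name, id } of found) {
				const key = name.toLowerCase();
				if (!known.has(key)) known.set(key, { id, source: 'api' });
			}
		});
		await listing;
		hit = matchZone(known, hostname);
		if (!hit) throw new Error(`no zone found for ${hostname}`);
		return hit;
	};
}

// Constructed sample data; zone IDs are the placeholders used in the thread.
const sampleZones = { 'example.com': 'asdfgh', 'example2.com': 'zxcvbn' };
```

When every certificate domain is covered by the map, the listing call never runs, so the token is never asked to list zones.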
