An account with "Gateway API Read" role cannot read dns_records

For Workers & Pages, what is the name of the domain?

What is the error number?

10000

What is the error message?

Authentication error

What is the issue or error you’re encountering?

Unable to read dns records via the API using an account with the “Gateway API Read” role

What steps have you taken to resolve the issue?

We have looked at the available account-scope roles on https://dash.cloudflare.com/0f6a7a9d5f0effe679873e8827bf4e3d/members/invite/f78af0280d1ec4c3585695dc7c79a713 and have enabled “Gateway API Read” for all domains, but not enabled any other roles. The only other role that I can see that is specifically DNS related is the “DNS” role, which the description says “Can edit DNS records” (but we only want to enable read access).

What are the steps to reproduce the issue?

Call GET zones/ec716a29dc5c67d471c20658d4b70e97/dns_records with an account with the above role. This fails with the 10000 error.

However, GET zones/ec716a29dc5c67d471c20658d4b70e97 succeeds and returns the zone record.

There is no DNS - Read Only role.

The closest you can get would be to give out the Domain Administrator - Read Only.
Grants read-only access to domains in an account.

You can view all the roles below:

Thanks for the reply dmartin1,

I had looked at that list of roles and was hoping that I had missed something, but in my opinion adding a role that gives read-only access to all DNS records without the need to give access to everything is something that Cloudflare probably ought to add.

Thanks for your time.

As a follow up,

You suggested using the “Domain Administrator - Read Only” role as the means of giving read-only access to the dns_records via the API, but I note that that is a Domain-scoped role rather than an Account-scoped role.

The existing role that we had given to this account was the Account-scoped “API Gateway Read” and not the Domain-scoped “Domain API Gateway Read” role.

If we were to give the account the Account-scoped “Domain Administrator Read Only” role instead of the Domain-scoped “Domain Administrator Read Only” role, what extra information would that enable them to see on our account?

In fact, if we were to use the Domain-scoped roles, does Cloudflare even support the ability to add thousands of Domain-scoped roles to a single account?

As another follow up I just tried giving the account the Domain-scoped “Domain Administrator - Read Only” role and can confirm that the account can now read dns_records via the API.

However, with regards to the question about adding that domain-scoped role to the account individually for thousands of domains, I note that you can also create a Domain Group.

So would the better/simplest approach (that gives the account access to dns_records with the least amount of access to anything else) be:

  1. Use the Account-scoped “Administrator Read Only” role;
  2. Create a Domain Group that contains every single domain in our account (many thousands) and give that Domain Group the Domain-scoped “Domain Administrator Read Only” role.

However, I have looked all through the APIs and found the Cloudflare API Documentation which shows the Custom Lists on our account, but it does not show the Domain Group Manager List that I created for testing.

So how do I add and remove domains from a Domain Group via the API?

Hi! My name is Brandon and I’m happy to help further here.

You’re on the right track with the Lists API. I had the same thought, but as you discovered, the Domain Groups Manager is not part of that API endpoint.

I’ve found it to be under the Resource Groups API endpoint.

I have a pre-made Domain Group, but when I GET this endpoint, it returns the Domain Group:

{
    "result": [
        {
            "id": "19321cxxxxxxxxxxxxxxxx4a46340b",
            "name": "CFBrandon",
            "status": "V",
            "created_on": "2024-03-14T19:25:02.833505Z",
            "modified_on": "2024-03-14T19:25:02.833505Z",
            "scope": {
                "key": "com.cloudflare.api.account.374xxxxxxxxxxxxxxxx8ca",
                "objects": [
                    {
                        "key": "com.cloudflare.api.account.zone.29bxxxxxxxxxxxxxxxx7ed"
                    },
                    {
                        "key": "com.cloudflare.api.account.zone.9c5xxxxxxxxxxxxxxxxa90"
                    }
                ]
            }
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}

Looking at this, it looks like you can use the Create Resource Group API call, using the Key
com.cloudflare.api.account.<account_id> (can be found on Zone Overview pages)

with the Objects:
com.cloudflare.api.account.zone.<zone_id> (also on Zone Overview pages, in the right column).

Using that, you should be able to create a Domain Group via API.
To get a list of all your Zone IDs, the List Zones API endpoint may be helpful.

Please let me know if you have any questions or require further assistance!

Hi Brandon, thanks for getting back to me with the reference to the Resource Groups API.

I have tried this out and can confirm that I can both read and write to the resource group but note that when writing to the group, there is no endpoint available for adding or deleting individual “objects”. Unless you can point me to the appropriate API endpoint, as far as I can see you are required to provide the entire list of objects every time you want to update the resource group.

Unfortunately this does not work when trying to add all of our domains to the resource group and the API returns a 500 “Internal Server” error.

This is an example of setting a small number of domains:

PUT accounts/0f6a7a9d5f0effe679873e8827bf4e3d/iam/resource_groups/545ec699c6784b2da92c9dc1456e5019
{
    "scope": {
        "key": "com.cloudflare.api.account.0f6a7a9d5f0effe679873e8827bf4e3d",
        "objects": [
            {
                "key": "com.cloudflare.api.account.zone.85fa4a346804940b59b9410cd635c2e8"
            },
            {
                "key": "com.cloudflare.api.account.zone.6c95c37ca1dd7e08cc8155ef9e161f10"
            },
            {
                "key": "com.cloudflare.api.account.zone.41332351b65e80c54c02ced2a643f78b"
            },
            {
                "key": "com.cloudflare.api.account.zone.ddd0f18362cfbc6429f911a3889f97e2"
            },
            {
                "key": "com.cloudflare.api.account.zone.f7bd9660c3b032e93623af89f97c98c2"
            },
            {
                "key": "com.cloudflare.api.account.zone.bca10462e61fcab4895cae96b356d9d1"
            }
        ]
    }
}
{
    "result": {
        "id": "545ec699c6784b2da92c9dc1456e5019",
        "name": "All Domain Group",
        "status": "V",
        "created_on": "2024-08-15T08:23:11.991725Z",
        "modified_on": "2024-08-19T11:40:44.46143Z",
        "scope": {
            "key": "com.cloudflare.api.account.0f6a7a9d5f0effe679873e8827bf4e3d",
            "objects": [
                {
                    "key": "com.cloudflare.api.account.zone.85fa4a346804940b59b9410cd635c2e8"
                },
                {
                    "key": "com.cloudflare.api.account.zone.6c95c37ca1dd7e08cc8155ef9e161f10"
                },
                {
                    "key": "com.cloudflare.api.account.zone.41332351b65e80c54c02ced2a643f78b"
                },
                {
                    "key": "com.cloudflare.api.account.zone.ddd0f18362cfbc6429f911a3889f97e2"
                },
                {
                    "key": "com.cloudflare.api.account.zone.f7bd9660c3b032e93623af89f97c98c2"
                },
                {
                    "key": "com.cloudflare.api.account.zone.bca10462e61fcab4895cae96b356d9d1"
                }
            ]
        }
    },
    "success": true,
    "errors": [],
    "messages": []
}

But if I try to add all of our domains I get:

PUT accounts/0f6a7a9d5f0effe679873e8827bf4e3d/iam/resource_groups/545ec699c6784b2da92c9dc1456e5019
{
  // record with over 6000 "objects" deleted to save space
}
{
    "result": [],
    "success": false,
    "errors": [
        {
            "code": 500,
            "message": "Internal Server Error"
        }
    ],
    "messages": []
}

I don’t know if you have any suggestions, but even if the above worked, it would still be completely unusable due to race conditions. This is because updating the groups would require that API code reads the group, modifies it, and then updates the group. This clearly suffers from a fatal race condition that will manifest when two people try to update the group at roughly the same time.

Thanks for your time.

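As an added example (not Cloudflare's code, nor code from anyone in this thread), here are client-side helpers that build the full "scope" body in the key format shown in Brandon's GET response above and perform the whole-list read-modify-write merge the follow-up describes, since no per-object add/remove endpoint is known. It assumes 32-hex-character account and zone IDs and that the caller re-reads the group right before writing; it shapes the JSON only and makes no HTTP calls.

```python
import re

# Key formats copied from the resource-group JSON shown in the thread.
ACCOUNT_KEY = "com.cloudflare.api.account.{account_id}"
ZONE_KEY = "com.cloudflare.api.account.zone.{zone_id}"
ZONE_PREFIX = ZONE_KEY.format(zone_id="")
HEX32 = re.compile(r"^[0-9a-f]{32}$")  # assumption: IDs are 32 lowercase hex chars


def zone_key(zone_id: str) -> str:
    """Build one 'objects' entry key; reject malformed IDs before they reach the API."""
    if not HEX32.match(zone_id):
        raise ValueError(f"not a 32-hex zone id: {zone_id!r}")
    return ZONE_KEY.format(zone_id=zone_id)


def build_scope(account_id: str, zone_ids) -> dict:
    """Complete 'scope' body for PUT .../iam/resource_groups/<id>.

    The PUT replaces the whole object list, so this must be the full set of
    zones; duplicates are dropped and keys sorted so two bodies can be diffed.
    """
    if not HEX32.match(account_id):
        raise ValueError(f"not a 32-hex account id: {account_id!r}")
    keys = sorted({zone_key(z) for z in zone_ids})
    return {"key": ACCOUNT_KEY.format(account_id=account_id),
            "objects": [{"key": k} for k in keys]}


def zone_ids_in(scope: dict) -> set:
    """Recover the zone IDs from a scope as returned by GET."""
    return {o["key"][len(ZONE_PREFIX):]
            for o in scope["objects"] if o["key"].startswith(ZONE_PREFIX)}


def merged_scope(account_id: str, current: dict, add=(), remove=()) -> dict:
    """One read-modify-write step: current GET scope -> full scope to PUT back."""
    ids = (zone_ids_in(current) | set(add)) - set(remove)
    return build_scope(account_id, ids)


def changed_since_read(read_result: dict, reread_result: dict) -> bool:
    """Detect (not prevent) the race the thread describes: if modified_on moved
    between the read we based our merge on and a re-read just before PUT,
    someone else wrote the group and our full-list PUT would drop their change."""
    return read_result["modified_on"] != reread_result["modified_on"]
```

Comparing modified_on only narrows the window; it does not close it, because the API offers no conditional update that the thread is aware of.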

Hi again Brandon,

I was just wondering if you had found a solution to my problem with giving access to DNS records via the API.

As noted, the goal is to give the user account read-only access to the zone record (so that they can check the status, nameservers etc.), and the dns_records for the zone (so that they can verify what DNS records have been set up and which are proxied), but if possible we really don’t want that account to have even read-only access to anything else at all.

If Cloudflare really doesn’t support that sort of granular control of the permissions via the API we will have to come up with an alternative workaround.