API Token permission for Access Application Tags (+Terraform)

I was looking to use Access Application Tags to filter things down in the launch, all created with terraform.
It works fine with my “global api key” but I can’t find a corresponding permission to give to our regular terraform-token - it’s complaining about not even being able to read the tags config.

Is there a permission I should be using to access this via the API?

What permissions does the token currently have?

I’ve tried all the permissions I can find in the API Tokens-edit page.

Currently:

Account - Cloudflare Tunnel:Edit, Access: Organizations, Identity Providers, and Groups:Edit, Access: Apps and Policies:Edit
Zone - Access: Apps and Policies:Edit, DNS:Edit

Test as well, and it seems that the Access Application Tags don’t have an API token permissions :confused:

I’m glad it’s not just me - means I didn’t miss something obvious!

Does suggest that the only option ends up being to use the global api key, which works fine, but has access to everything. I had hoped that there might be a permission that would mean the tags could at least be read via the API (which would allow general use of the tags with a limited token, only using the global key for making changes to the tags) but the terraform config actually fails while trying to get the current state of things, so it can’t even see the tags :confused: