Auth problem listing DNS records, export OK

I’m using the API to manage DNS records (and worker routes) for environments created in our CI pipeline. Until last Friday this had been working fine (for at least several weeks) but at that point listing (and creating/deleting) DNS records started failing.
Odd thing is that exporting the DNS zone file using the API still works. Managing worker routes is still fine too.

Our initial thought was that the permissions assigned to the token had changed so we created a new one with the same permissions but same behaviour.
The script I’m using to test this is as follows:

curl --silent --show-error -H "Authorization: Bearer $token" -H Content-Type:application/json -X GET https://api.cloudflare.com/client/v4/zones/$zoneid/dns_records/export | sed 5q; echo
curl --silent --show-error -H "Authorization: Bearer $token" -H Content-Type:application/json -X GET https://api.cloudflare.com/client/v4/zones/$zoneid/dns_records | jq .

The export works fine but the second GET fails with

{
  "success": false,
  "errors": [
    {
      "code": 9109,
      "message": "Unauthorized to access requested resource"
    }
  ],
  "messages": [],
  "result": null
}

I’m assuming/hoping that if this was a rate/record limit problem I’d get a different error. But if it’s not that then I don’t understand since the docs say that both methods just need #dns_records:read (https://api.cloudflare.com/#dns-records-for-a-zone-list-dns-records). We have 192 records in the DNS zone which should be fine and we’re not making updates every second.

Any thoughts/suggestions? We’re raising a ticket with support as well but posting here in the hopes that I’m doing something obviously dumb.

Sorted with support - related to the account used to issue the original token being moved (as associated with someone who was leaving the company). Good reason to follow advice to issue such tokens from a dedicated service account.
