Bug in list zones endpoint when using API token?

wrtn7pwbv4 · September 18, 2019, 1:53am

Prior to the introduction of API tokens, I had been using the the Global API key and a call to GET /client/v4/zones?name=myzone.com to check for the existence of a given zone on my account.

Whether the specified zone existed or not, the call always returned an HTTP 200 json result. If the zone didn’t exist, the result object was simply empty and result_info contained properties like count=0 and total_count=0.

Now I’m testing the same code using an API token that has been given the following permissions:

Zone - Zone Settings - Read
Zone - Zone - Read
Zone - DNS - Edit
Include: All zones

When the zone exists, everything works just like before with the Global API key. But when the zone doesn’t exist, I now get an HTTP 403 error with the following body:

{ 
   "success":false,
   "errors":[ 
      { 
         "code":0,
         "message":"Actor 'com.cloudflare.api.token.REDACTED' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
      }
   ],
   "messages":[ 

   ],
   "result":null
}

Is this a bug or working as intended? I tried adding every other zone/account related READ permission I could find to the token, but nothing seemed to help.

dezsjunk · October 5, 2019, 12:03pm

I seem to be having a similar issue. I am using the acme.sh script to generate ssl certs based on dns but I keep getting a permission issue just like you. Global key works but my token doesn’t. Where you able to resolve this?

wrtn7pwbv4 · October 5, 2019, 2:14pm

Coincidentally, I also ran into this issue in the context of an ACME client. https://github.com/rmbolger/Posh-ACME/issues/176

I also have a Cloudflare support case open about it, but no resolution yet. In the meantime, I worked around the problem by updating the plugin to list all zones on the account and check for existence locally.