BUG: Zone Detail by Name requires Zone List permission

There appears to be a missing API for Zones:

There is no way to retrieve Zone Details by name without also having the Zone List permission.

REPRO:

  1. Create an API Token with Zone.Zone:read and Zone.Zone Settings:read permissions for a specific resource.
  2. GET https://api.cloudflare.com/client/v4/zones?name=<specified resource>

RESULT:

{
  "success": false,
  "errors": [
    {
      "code": 0,
      "message": "Actor 'com.cloudflare.api.token.<redacted>' requires permission 'com.cloudflare.api.account.zone.list' to list zones"
    }
  ],
  "messages": [],
  "result": null
}

RESOLUTION:

Any one of the following:

  • Allow zone listings for zones that are included within a token’s permissions.
  • Enable zone detail retrieval by name.
  • Add an explicit Zone.Zone List permission to the API Token dashboard.

WORKAROUND:

Giving the API Token the Account.Account Settings:read permission appears to implicitly grant com.cloudflare.api.account.zone.list.

4 Likes

Thank you for posting this, I stumbled on the same issue.

I suspect the querystring (?name=*) is just a filter. Regardless of what filters you add, you need the corresponding permissions for the API endpoint, which is https://api.cloudflare.com/client/v4/zones.

1 Like

This workaround no longer seems to work.

Does anyone have any advice on how to resolve this issue?

1 Like

Thank you, digging internally for details.

1 Like

Sorry for the misinformation here.

I still think the issue described in the original post should be resolved, but the workaround still works. The problem I’m having is the one described in Bug in list zones endpoint when using API token?.

1 Like

Any update on this? The workaround just broke and there don’t seem to be any fixes yet.

EDIT:
The new workaround is to give all perms, but that defeats the purpose.

2 Likes

We’ve also encountered this issue while attempting to use Kubernetes cert-manager. The workaround does not appear to be functioning anymore.

If there’s anybody at Cloudflare that could give an ETA on this it would be much appreciated - using a global key rather than a token is a workaround that I’m not keen on at all 🙂

2 Likes

Hello CloudFlare!

I have also encountered this bug. There seems to be no way to assign a list permission to the API token.

It would make use of the CF API much safer with cert-manager.

Thank you!

1 Like

Just came across this same issue.

Neither of the workarounds seems to work.

Hi all,

I’ve found the solution.

No, it’s not.

Even with this configuration, one still has to grant Zone Resources to at least All zones for an account (instead of the desirable Specific zone setting).

As such this still fails at restricting the token’s ability to modify all DNS records of all the zones of the account.

@cloonan Could you handle this? This is a very serious issue, as accessing a single zone by name requires me to provide an access token to all zones. The only thing I can do is to provide access to a specific zone by ID, but then I’m forced to configure zones by their ID, not by their name…

Hi everyone,

We just recently released a fix to this problem. Now if a token is granted read access to a specific zone, then you can filter the GET /zones API via the ?name= parameter. One caveat to be aware of is that this won’t work if using any other filters at the same time.

An example:

  curl -X GET "https://api.cloudflare.com/client/v4/zones?name=example.com" \
    -H "Authorization: Bearer <token>" \
    -H "Content-Type:application/json"

Thanks for the patience here. Handling all the edge cases of the /zones call has been challenging. This API in particular has many implications and combines lots of things which are challenging for supporting least privilege.

3 Likes

@garrett.galow Is it possible to fetch multiple zone ids by name, without making a call for each one? Something like https://api.cloudflare.com/client/v4/zones?name=example.com,bar.com,foo.com

Yup! It works exactly like that. Any zones that the token has ‘zone read’ privileges for can be pulled like that.
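As an added example (not code from this thread or from Cloudflare), here is the lookup described in the fix announcement and the comma-separated variant confirmed just above: it builds the ?name= query, refuses any extra filter (the caveat stated above), recognises the zone-list permission error quoted in the original post, and resolves names to ids. The `fetch` hook, the sample responses and the zone ids are constructed for offline use.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

API_BASE = "https://api.cloudflare.com/client/v4/zones"
# Permission named in the error message quoted in the original post.
ZONE_LIST_PERM = "com.cloudflare.api.account.zone.list"

class ZoneListPermissionError(PermissionError):
    """The token lacks zone-list permission for the request as filtered."""

def build_zone_query(names, extra_filters=None):
    """Build the /zones URL for one or more zone names (comma-separated).
    Per the thread, a zone-scoped token may filter by ?name= only when no
    other filter is combined with it, so any extra filter is refused."""
    if extra_filters:
        raise ValueError("a zone-scoped token cannot combine ?name= with: "
                         + ", ".join(sorted(extra_filters)))
    return API_BASE + "?name=" + quote(",".join(names), safe=",")

def parse_zone_response(body):
    """Map the API envelope to {zone name: zone id}; surface permission errors."""
    data = json.loads(body)
    if not data.get("success"):
        for err in data.get("errors", []):
            if ZONE_LIST_PERM in err.get("message", ""):
                raise ZoneListPermissionError(err["message"])
        raise RuntimeError("zones request failed: %r" % data.get("errors"))
    return {zone["name"]: zone["id"] for zone in data["result"]}

def zone_ids_by_name(names, token, fetch=None):
    """Resolve zone ids with a Bearer token. `fetch(url, headers) -> body` is a
    hypothetical injection hook so the lookup can be exercised offline."""
    url = build_zone_query(names)
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    if fetch is None:
        def fetch(u, h):
            with urlopen(Request(u, headers=h)) as resp:
                return resp.read().decode()
    return parse_zone_response(fetch(url, headers))

# Constructed sample responses (not captured from the real API); ids are placeholders.
DENIED_BODY = json.dumps({"success": False, "messages": [], "result": None,
    "errors": [{"code": 0, "message": "Actor 'com.cloudflare.api.token.<redacted>' "
                "requires permission 'com.cloudflare.api.account.zone.list' to list zones"}]})
OK_BODY = json.dumps({"success": True, "errors": [], "messages": [],
    "result": [{"id": "ZONE_ID_PLACEHOLDER_1", "name": "example.com"},
               {"id": "ZONE_ID_PLACEHOLDER_2", "name": "bar.com"}]})
```

A caller that catches ZoneListPermissionError can tell the scoped-token failure from this thread apart from other API errors instead of falling back to broader permissions.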