Granular permissions for API Tokens - DNS


It would be great if you could restrict an API Token to modify only a single DNS record or subdomain.

Here are specific use cases:

  • In AWS EC2, IP addresses are often ephemeral. Updating DNS per server could be automated with an API key and a restricted subdomain. Let’s say, create a subdomain called “dynamic” or “dyn” and let the servers modify this.

  • Let’s Encrypt certbot-dns-cloudflare needs access to the zone in order to renew certificates.

There is no reason these processes should have access to all DNS records in a zone. Just the ones they required. Do you agree?


3 posts were merged into an existing topic: Restrict/scope API tokens to a subdomain

6 votes have been moved. A vote could not be moved because the user already voted in the other topic.