How to get zone id with zone specific api key?

The key has permission “Zone:Read” on a specific zone.
I always get “… requires permission ‘com.Cloudflare.api.account.zone.list’ to list zones” from the API “/client/v4/zones?name={domain name}”.

If I change “Specific zone” to “All zones”, it works, emmmmmm…

Is there any other API for this? Or an additional permission?

5 Likes

+1 to this issue. I believe this is a bug with the API. It’s caused a lot of grief when trying to be more secure and scope tokens to a single zone. When performing a GET on the /zones endpoint, if an account has Zones - Zones - Read permissions, the endpoint should filter all zones found in the lookup by all the zones my token has access to.

Example: Assume my account has foo.com, bar.com, and bim.com. Assume my generated token has included zones foo.com and bar.com.

  • GET /zones - should return records for foo.com, bar.com
  • GET /zones?name=foo.com - should return records for foo.com
  • GET /zones?name=bim.com - should return no results, NOT an error (since the token does have valid permissions; it just didn’t find any matching records within the token’s included zones)

2 Likes
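The three outcomes listed above (zone found, no match, token not allowed to list) are easy to conflate in a CI script if it only checks for a non-empty `result`. The following Python helper is an added example for this thread, not Cloudflare's code or anything from the thread authors; it assumes only the `/client/v4/zones?name=` endpoint named in the thread and the standard Cloudflare response envelope (`success`, `errors`, `result`). The sample responses at the bottom are constructed for illustration: the error message is the one quoted in the thread, but the numeric error code is a placeholder, not a real Cloudflare code.

```python
"""Resolve a Cloudflare zone id by name and tell apart three outcomes:
  1. the zone is found                 -> return its id
  2. no zone with that name is visible -> return None
  3. the token is refused the listing  -> raise ZoneLookupError
Added example for this thread; not Cloudflare's own client code.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Endpoint named in the thread; the envelope shape is the documented v4 one.
API_BASE = "https://api.cloudflare.com/client/v4"


class ZoneLookupError(Exception):
    """The API answered with success=false (for example a token that may read
    one zone but lacks the account-level right to list zones)."""


def _http_get(url: str, token: str) -> dict:
    """Default transport: a real GET with a Bearer token. Cloudflare returns
    the JSON envelope on error responses too, so read the body of an
    HTTPError instead of discarding it."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return json.loads(exc.read().decode("utf-8"))


def parse_zone_lookup(payload: dict, name: str) -> Optional[str]:
    """Interpret one /zones?name=<name> response envelope."""
    if not payload.get("success", False):
        details = "; ".join(
            f"{e.get('code')}: {e.get('message')}" for e in payload.get("errors") or []
        )
        raise ZoneLookupError(details or "unknown API error")
    # Match the exact name rather than trusting result[0]; this keeps the
    # script explicit about which zone it believes the token was scoped to.
    matches = [z["id"] for z in payload.get("result") or [] if z.get("name") == name]
    if not matches:
        return None  # successful call, nothing visible under this token
    if len(matches) > 1:
        raise ZoneLookupError(f"ambiguous: {len(matches)} zones named {name}")
    return matches[0]


def lookup_zone_id(
    name: str, token: str, fetch: Callable[[str, str], dict] = _http_get
) -> Optional[str]:
    """Build the query and hand the envelope to parse_zone_lookup.
    `fetch` is injectable so the parsing can be exercised offline."""
    url = f"{API_BASE}/zones?{urllib.parse.urlencode({'name': name})}"
    return parse_zone_lookup(fetch(url, token), name)


# Constructed sample envelopes (not captured from a live account). The zone id
# is a made-up 32-hex string; the error code is a placeholder value.
SAMPLE_FOUND = {
    "success": True, "errors": [], "messages": [],
    "result": [{"id": "0123456789abcdef0123456789abcdef", "name": "foo.com"}],
}
SAMPLE_EMPTY = {"success": True, "errors": [], "messages": [], "result": []}
SAMPLE_DENIED = {
    "success": False, "result": None, "messages": [],
    "errors": [{"code": 0,  # placeholder, not a real Cloudflare error code
                "message": "... requires permission "
                           "'com.cloudflare.api.account.zone.list' to list zones"}],
}


def demo() -> dict:
    """Run the parser over the constructed samples; returns a summary dict."""
    out = {"found": parse_zone_lookup(SAMPLE_FOUND, "foo.com"),
           "empty": parse_zone_lookup(SAMPLE_EMPTY, "bim.com")}
    try:
        parse_zone_lookup(SAMPLE_DENIED, "foo.com")
        out["denied"] = "no error raised"
    except ZoneLookupError as exc:
        out["denied"] = str(exc)
    return out


if __name__ == "__main__":
    if len(sys.argv) == 2 and os.environ.get("CLOUDFLARE_API_TOKEN"):
        # Live lookup: python zone_id.py foo.com  (token taken from the environment)
        print(lookup_zone_id(sys.argv[1], os.environ["CLOUDFLARE_API_TOKEN"]))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it with no arguments to see the three outcomes on the constructed samples, or with a zone name and `CLOUDFLARE_API_TOKEN` set to query the live endpoint. Keeping the permission error as a distinct exception, rather than treating it like "zone not found", is what lets a pipeline notice that a token was scoped too narrowly for listing instead of silently creating nothing.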

Did anyone get a resolution from support on this? I was hoping to avoid tracking zone IDs in some CI scripting but I would prefer not to need to give access to all zones when it would otherwise not be necessary.

+1
@tjtaubit described the issue wonderfully.

Just to add:
If we switch to All zones rather than Specific zones, and then exclude specific zones that we do not want access granted to, the token is still able to list zones and grab the zone identifier(s) for the specifically excluded zone(s). The token can then use the other permissions it is granted on these excluded zones.