API Tokens are good, but it would be much better if they could be scoped to a specific subdomain.
I believe this is the same request as Having different api key per domain, from nearly a year ago - any progress since then?
My specific use case here is an ACME DNS-01 client that I want to scope to the specific subdomain that the client is on, such that if that token were to be compromised the rest of my domain is safe.
+1 For this, would love to see.
I have a few remote servers that I’d like to run a Dynamic DNS script on, but I don’t want to risk giving edit access to my entire domain in case those boxes were to be compromised.
+1 on API tokens with scope limited to specific subdomains
This is still relevant as a means to grant a host the ability to obtain a Let’s Encrypt certificate for a subdomain (e.g. www.example.com), by giving it the API token, without granting it the ability to mess with all record for the domain (example.com).
Is there any news on this?
Hi @kidmose,
It would be possible with subdomain zones, since API tokens are scoped by zone, you could limit it to just a specific subdomain. This feature, however, is currently restricted to those on an Enterprise plan.
Is this only available on Enterprise or Business as well?
I do not see this feature listed anywhere.
Using sub domain configuration seems like a very complicated way to achieve the desired result. In even a moderately sized business you would end up with hundreds of subdomains relatively quickly.
I’ll bump this. I have been wishing there was a way to specify that you only want an API key to manage one specific subdomain. Even if it does become a ton of zones, that flexibility would be nice and I’d gladly do it that way if it were a reasonable option for an individual.
+1 on API tokens with scope limited to specific resource records (LetsEncrypt being the primary use case here)