My specific use case here is an ACME DNS-01 client that I want to scope to the specific subdomain that the client is on, such that if that token were to be compromised the rest of my domain is safe.
I have a few remote servers that I’d like to run a Dynamic DNS script on, but I don’t want to risk giving edit access to my entire domain in case those boxes were to be compromised.
+1 on API tokens with scope limited to specific subdomains
This is still relevant as a means to grant a host the ability to obtain a Let’s Encrypt certificate for a subdomain (e.g. www.example.com), by giving it the API token, without granting it the ability to mess with all records for the domain (example.com).
It would be possible with subdomain zones: since API tokens are scoped by zone, you could limit a token to just a specific subdomain. This feature, however, is currently restricted to those on an Enterprise plan.
Using subdomain configuration seems like a very complicated way to achieve the desired result. In even a moderately sized business you would end up with hundreds of subdomains relatively quickly.
I’ll bump this. I have been wishing there was a way to specify that you only want an API key to manage one specific subdomain. Even if it does become a ton of zones, that flexibility would be nice and I’d gladly do it that way if it were a reasonable option for an individual.
+1 on this as well; it will make the setup with Let’s Encrypt or in general with DDNS solutions way safer and better. It could be as simple as adding an additional configuration option in the API key setup to restrict one level down from the Zone to the Record level.
It still has to be a Zone Level permission, as you’re adding a DNS record to the zone. Imagine something like UNIX permissions. You can’t set a permission for a non-existent file. You have to set that permission for the directory you want it in.
It would be great if you could restrict an API Token to modify only a single DNS record or subdomain.
Here are specific use cases:
In AWS EC2, IP addresses are often ephemeral. Updating DNS per server could be automated with an API key and a restricted subdomain. Let’s say, create a subdomain called “dynamic” or “dyn” and let the servers modify this.
Let’s Encrypt certbot-dns-cloudflare needs access to the zone in order to renew certificates.
There is no reason these processes should have access to all DNS records in a zone. Just the ones they require. Do you agree?
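The least-privilege arrangement the thread keeps circling back to (put the dynamic hostnames in their own delegated zone such as `dyn.example.com`, issue a token scoped to that zone only, and give the DDNS or ACME host nothing else) is shown below as an added example. It is not code from any post above, nor Cloudflare's or certbot's own code. It assumes the Cloudflare v4 API endpoints for listing zones and for listing, creating and updating DNS records with a Bearer token; the child zone name, hostnames, IPs and the in-memory fake transport are constructed for offline use. The point the script adds beyond the discussion is a guard: before it touches anything it lists the zones the token can see and refuses to run unless that list is exactly the one delegated zone, so an operator who accidentally pastes an account-wide token finds out immediately instead of quietly running a DDNS box with edit rights to the whole domain.

```python
"""DDNS updater that refuses to run with an over-scoped Cloudflare API token.

Added example (not from the thread above). Assumes the dynamic hostnames live in
a delegated child zone, e.g. dyn.example.com, with its own zone-scoped token.
"""
import json
import os
import sys
import urllib.request
from typing import Callable, Optional

API = "https://api.cloudflare.com/client/v4"

# transport(method, url, token, body_or_None) -> parsed JSON reply
Transport = Callable[[str, str, str, Optional[dict]], dict]


def http_json(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Real transport: one authenticated JSON request to the Cloudflare API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ScopeError(RuntimeError):
    """Raised when the token, or the requested hostname, reaches outside the delegated zone."""


def check_token_scope(token: str, expected_zone: str, transport: Transport = http_json) -> str:
    """Return the zone id if the token sees exactly expected_zone and nothing else."""
    reply = transport("GET", f"{API}/zones?per_page=50", token, None)
    if not reply.get("success"):
        raise ScopeError(f"zone listing failed: {reply.get('errors')}")
    names = sorted(z["name"] for z in reply["result"])
    if names != [expected_zone]:
        # An account-wide or multi-zone token is exactly what we must not run with.
        raise ScopeError(f"token is scoped to {names}, expected only [{expected_zone!r}]")
    return reply["result"][0]["id"]


def upsert_a_record(token: str, zone: str, hostname: str, ip: str,
                    transport: Transport = http_json) -> str:
    """Create or update the A record for hostname; returns created/updated/unchanged."""
    if hostname != zone and not hostname.endswith("." + zone):
        raise ScopeError(f"{hostname} is not inside delegated zone {zone}")
    zone_id = check_token_scope(token, zone, transport)
    listing = transport("GET", f"{API}/zones/{zone_id}/dns_records?type=A&name={hostname}", token, None)
    record = {"type": "A", "name": hostname, "content": ip, "ttl": 120, "proxied": False}
    if listing["result"]:
        current = listing["result"][0]
        if current["content"] == ip:
            return "unchanged"
        out = transport("PUT", f"{API}/zones/{zone_id}/dns_records/{current['id']}", token, record)
        action = "updated"
    else:
        out = transport("POST", f"{API}/zones/{zone_id}/dns_records", token, record)
        action = "created"
    if not out.get("success"):
        raise RuntimeError(f"record write failed: {out.get('errors')}")
    return action


def make_fake_transport(visible_zones: dict, records: list) -> Transport:
    """Constructed in-memory stand-in for the API so the guard can be exercised offline.

    visible_zones maps zone name -> zone id (what the token is allowed to see);
    records is a mutable list of DNS record dicts shared with the caller.
    """
    def transport(method, url, token, body):
        path = url[len(API):]
        if path.startswith("/zones?"):
            return {"success": True,
                    "result": [{"id": zid, "name": name} for name, zid in visible_zones.items()]}
        if method == "GET" and "/dns_records?" in path:
            wanted = path.split("name=")[1]
            return {"success": True, "result": [r for r in records if r["name"] == wanted]}
        if method == "POST":
            rec = dict(body, id=f"rec{len(records) + 1}")
            records.append(rec)
            return {"success": True, "result": rec}
        if method == "PUT":
            rid = path.rsplit("/", 1)[1]
            for r in records:
                if r["id"] == rid:
                    r.update(body)
                    return {"success": True, "result": r}
        return {"success": False, "errors": [{"message": "not found"}]}
    return transport


if __name__ == "__main__":
    # usage: CLOUDFLARE_API_TOKEN=... ddns.py dyn.example.com box1.dyn.example.com 203.0.113.10
    zone_arg, host_arg, ip_arg = sys.argv[1:4]
    print(upsert_a_record(os.environ["CLOUDFLARE_API_TOKEN"], zone_arg, host_arg, ip_arg))
```

The zone listing is the only cheap, reliable way to learn what a token can reach from the token's own side, so the script treats "more than one zone visible" as a hard failure rather than a warning. The same guard drops straight into a certbot DNS-01 hook: run `check_token_scope` against the delegated zone before handing the credentials file to `certbot-dns-cloudflare`.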