Trouble with token for clearing cache: Could not find Zone ID for Zone

Hello,

I’ve set up a token for remotely clearing Cloudflare cache for one of my websites.

Token settings are as follows:

Permissions

  • Zone | Zone | Read
  • Zone | Cache Purge | Edit

Zone Resources

  • Include | Specific Zone | (zone name)

On my CMS’s side I get the following error:

CloudFlare Message: Could not find Zone ID for Zone: [zone/domain name here]

When I test the token as follows:

curl -X GET "https://api.cloudflare.com/client/v4/zones" \
 -H "Authorization: Bearer [token here]" \
 -H "Content-Type: application/json"

I get the following reply:

 {"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.c1aa142e9a67ff22a2c46def0bd7a187' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}

Any ideas on how to solve this issue?

1 Like
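The curl reply in the post above shows a zone listing refused for lack of a permission, while the CMS only reports that no zone ID was found. The following is an added example, not part of the original post and not Cloudflare's or the CMS's code, that classifies the body returned by GET /zones. The function name, status labels and sample bodies are assumptions constructed here; the error body is shaped like the one quoted above, with the token id replaced by a placeholder.

```python
import json
import re

# Constructed samples. DENIED mirrors the reply quoted in the post (token id replaced).
DENIED = """{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.EXAMPLE' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}"""
FOUND = '{"success":true,"errors":[],"messages":[],"result":[{"id":"0123456789abcdef0123456789abcdef","name":"example.com"}]}'
EMPTY = '{"success":true,"errors":[],"messages":[],"result":[]}'

PERMISSION_RE = re.compile(r"requires permission '([^']+)'")


def classify_zone_lookup(body, zone_name):
    """Explain why a zone-ID lookup by name did or did not yield an ID.

    Returns a dict with:
      status  - found | not_visible | permission_denied | api_error | invalid_response
      zone_id - the ID when found, else None
      missing - permission names the API said the token lacks
    """
    outcome = {"status": "invalid_response", "zone_id": None, "missing": []}
    try:
        envelope = json.loads(body)
    except json.JSONDecodeError:
        return outcome
    if not isinstance(envelope, dict):
        return outcome

    if not envelope.get("success"):
        # A refused call names the missing permission in the error text.
        for err in envelope.get("errors") or []:
            message = err.get("message", "") if isinstance(err, dict) else ""
            outcome["missing"] += PERMISSION_RE.findall(message)
        outcome["status"] = "permission_denied" if outcome["missing"] else "api_error"
        return outcome

    # A successful call lists only the zones this token is allowed to see.
    for zone in envelope.get("result") or []:
        if isinstance(zone, dict) and zone.get("name") == zone_name:
            outcome.update(status="found", zone_id=zone.get("id"))
            return outcome
    outcome["status"] = "not_visible"
    return outcome


if __name__ == "__main__":
    for label, body in (("denied", DENIED), ("found", FOUND), ("empty", EMPTY)):
        print(label, classify_zone_lookup(body, "example.com"))
```

A `permission_denied` result points at the token's scope, whereas `not_visible` means the call succeeded but the zone was not among those returned to this token.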

Hi @proudpixel, I’ve seen similar instances with these tokens. Does the token have access to “All zones from an account”? I’ve also seen suggestions to remove and recreate the token, but I don’t have an instance (yet) where that was successful.

Hi @cloonan, thanks for replying.

This token has access only to a specific zone, as I want to purge cache for a single website, not all my websites.
Before posting here, I removed and recreated the token but without any improvement to the situation.

1 Like

At the moment (though I do have a support request put in), the only solution I’ve found is to enable “Account - Account Settings:Read”. Still looking for a more fine-grained Principle-of-least-privilege approach.

I’m still looking for “Account - Account Settings:Read” :joy:

No improvement, same result as before. :cry:

Thanks for the suggestion though.

Interestingly, this worked a few days ago. I reported a bug, and it seems in fixing the bug, they broke the com.cloudflare.api.account.zone.list permission. There is a workaround, which is to change the zone resources to all zones. “Account - Account Settings:Read” literally worked a few days ago…

Completely agree. Some weeks ago this subtle permission set was the most secure one possible (although not the ideal one).
But I noticed that during the last few days this permission set stopped working.

@cloudflare: Any plan on finally fixing this and creating a blog post clarifying? This created a lot of noise and uncertainty until now for people who just want a token to be used for a simple use-case (like letsencrypt & clear-cache).

Thank you.

This is not working anymore for LetsEncrypt.

For some weeks now, all zone resources must be granted for the token to be able to generate a certificate for only these two domains.