What API token permissions level to edit "IP Access Rules"

I cannot, for the life of me, figure out what Permission(s) to select for an API token that can only edit “IP Access Rules” (under ANY_ZONE → Firewall → Tools). I thought it would be Account Firewall Access Rules Write, but that’s not it. It’s also not DNS Firewall Write.

Full API URL: https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules

Thoughts?

For fun, I granted just about everything I could think of:

  • All accounts - Rule Policies:Edit, Account Firewall Access Rules:Edit, DNS Firewall:Edit, Account Settings:Edit
  • All zones - Zone Settings:Edit, Firewall Services:Edit

But that’s still enough. Are IP Access Rules only editable with a Global API Key?

The IP Access Rules feature is so old and nearly outdated that it wouldn’t surprise me if there’s no Token option for this.

You may need to open a support ticket to confirm (or deny).

To contact Cloudflare Customer Support, log in, go to https://dash.cloudflare.com/?account=support, and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.

Hi there @xnaas,

You can edit using a token. I have just tried it in my test zone to confirm, and I was successfully able to edit my IP access rule. Please give the token the permissions as mentioned in the API document:

https://api.cloudflare.com/#firewall-access-rule-for-a-zone-edit-access-rule

For example, my token summary is as below, and I have also limited it to a specific zone.

Let us know if any issues.

2 Likes

This still does not work for me. Here’s a sample of the command:

curl -X POST -H 'X-Auth-Email: MY_CF_EMAIL' -H \
'X-Auth-Key: MY_CF_TOKEN' \
-H 'Content-Type: application/json' \
-d '{ "mode": "block", "configuration": { "target": "ip", "value": "xxx.xxx.xxx.xxx" } }' \
https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules

The IP is just something random, but valid for testing. This is what’s returned to me:

{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}

My token is very similar to yours, but I imagine the issue I’m running into is that I’m targeting all of my zones and not just one.

This all works just fine if I use my Global API Key, of course.

And before you ask: removing the IP Address Filtering doesn’t affect anything. It still returns an authentication error.

No additional thoughts on this from anyone? :upside_down_face:

Hey, I don’t know if you are still having trouble with this. I figured I would share my experience, as I was struggling with this as well for the past few hours. Under the API tokens there is a help button in your profile that explains it. You are using the authentication for API Keys, not API Tokens. You have to change it to -H "Authorization: Bearer API_TOKEN_HERE" and get rid of X-AUTH-EMAIL and X-Auth-Key. Keep the same permissions for the token, but change your URL to https://api.cloudflare.com/client/v4/accounts/ACCOUNT_ID/firewall/access_rules/rules/

2 Likes
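
The fix described in the reply above, as an added example that is not part of the original posts and not Cloudflare's own code: a small shell wrapper that pairs each credential type with its matching headers, so a token can never end up in `X-Auth-Key`. The `CF_*` variable names and the function names are assumptions made for this example; the request body and the account-scoped URL are the ones from the thread, and `/user/tokens/verify` is Cloudflare's token verification endpoint.

```shell
# Added example. CF_* variable names and function names are assumptions.
CF_API="https://api.cloudflare.com/client/v4"

# cf_api METHOD PATH [JSON_BODY]: send one call, or print it if CF_DRY_RUN is set.
cf_api() {
    method=$1 path=$2 body=${3:-}
    if [ -n "${CF_API_TOKEN:-}" ]; then
        # Scoped API token: bearer header only, no e-mail header.
        set -- -H "Authorization: Bearer ${CF_API_TOKEN}"
    elif [ -n "${CF_API_KEY:-}" ] && [ -n "${CF_API_EMAIL:-}" ]; then
        # Global API Key: the X-Auth-* pair used in the failing command.
        set -- -H "X-Auth-Email: ${CF_API_EMAIL}" -H "X-Auth-Key: ${CF_API_KEY}"
    else
        echo "set CF_API_TOKEN, or CF_API_KEY and CF_API_EMAIL" >&2
        return 2
    fi
    if [ -n "$body" ]; then
        set -- "$@" -H "Content-Type: application/json" -d "$body"
    fi
    set -- -sS -X "$method" "$@" "${CF_API}${path}"
    if [ -z "${CF_DRY_RUN:-}" ]; then
        curl "$@"
        return
    fi
    # Dry run: print the command with the secret masked so it is safe to log.
    printf 'curl'
    for arg in "$@"; do
        case $arg in
            "Authorization: Bearer "*) arg="Authorization: Bearer ***" ;;
            "X-Auth-Key: "*) arg="X-Auth-Key: ***" ;;
        esac
        printf " '%s'" "$arg"
    done
    printf '\n'
}

# Check that the token is valid and active before debugging its permissions.
cf_verify_token() { cf_api GET /user/tokens/verify; }

# cf_block_ip ACCOUNT_ID IP: add an account-level "block" IP Access Rule.
cf_block_ip() {
    case $2 in
        '' | *[!0-9A-Fa-f.:]*) echo "invalid IP address: $2" >&2; return 2 ;;
    esac
    cf_api POST "/accounts/$1/firewall/access_rules/rules" \
        "{\"mode\":\"block\",\"configuration\":{\"target\":\"ip\",\"value\":\"$2\"}}"
}
```

Running with `CF_DRY_RUN=1` first shows which headers and URL would be sent without contacting the API or printing the secret.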

It’s amazing what a fresh set of eyes can do for a thread. That “Authentication Error” should have woken us up.

1 Like
