I am trying to update the IP range for a specific Access Group via the API but can’t seem to understand the right combination of API token and zone/account keys.
Use case: when accessing some services behind Access, I want to transparently check (via allowlist) if the user is at that location (home). I have been using the public IP from my ISP. It’s dynamic, so when it changes I need to manually update the IP in Access.
I can create a new Group but it does not show in the Access Group UI so I suspect I have the endpoint incorrect (it’s really confusing).
I am copying the group ID from inside the access rule.
I am copying the token from my user account (see permissions below).
I am copying the zone ID from the zone home page (account ID is also available here).
I have created a custom API token with the following permissions:
All accounts - Zero Trust:Edit, Access: Organizations, Identity Providers, and Groups:Edit, Access: Apps and Policies:Edit
All zones - Access: Apps and Policies:Edit, Firewall Services:Edit
curl --request PATCH \
  --url "https://api.cloudflare.com/client/v4/zones/{{ zone ID }}/firewall/access_rules/rules/{{ group ID }}" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer {{ custom API token }}" \
  --data '{
    "mode": "whitelist",
    "configuration": {
      "target": "ip",
      "value": "{{ public IP }}"
    },
    "notes": "Updated with latest public IP"
  }'
I get the response:
{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 10001,
      "message": "firewallaccessrules.api.not_found"
    }
  ],
  "messages": []
}
Can someone please point me in the right direction (or at least identify if there is something wrong with what I have above)?
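
The `/firewall/access_rules/rules/` path in the request above belongs to the zone firewall's IP Access Rules API, which is a separate resource from a Zero Trust Access group. The following is an added example, not part of the original post, of building the request for the account-scoped Access groups endpoint instead. `ACCOUNT_ID`, `GROUP_ID`, `GROUP_NAME` and `CF_API_TOKEN` are assumed environment variables, the helper function names are hypothetical, and it assumes the group's only include rule is the single home IP.

```shell
#!/bin/sh
# Added example. ACCOUNT_ID, GROUP_ID, GROUP_NAME and CF_API_TOKEN are
# assumed environment variables supplied by the caller.
API_BASE="https://api.cloudflare.com/client/v4"

# Access groups live under /access/groups, not /firewall/access_rules/rules.
access_group_url() {  # $1 = account ID, $2 = Access group ID
  printf '%s/accounts/%s/access/groups/%s' "$API_BASE" "$1" "$2"
}

# Accept only a dotted-quad IPv4 address; print it as a /32 CIDR.
to_cidr() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  printf '%s.%s.%s.%s/32' "$1" "$2" "$3" "$4"
}

# PUT replaces the whole group, so the name and full include list are sent.
group_payload() {  # $1 = group name, $2 = current public IP
  case "$1" in *\"*|*\\*) return 1 ;; esac   # keep the JSON string intact
  cidr=$(to_cidr "$2") || return 1
  printf '{"name":"%s","include":[{"ip":{"ip":"%s"}}]}' "$1" "$cidr"
}

update_access_group() {  # $1 = current public IP
  body=$(group_payload "$GROUP_NAME" "$1") || { echo "bad input" >&2; return 1; }
  curl --silent --show-error --request PUT \
    --url "$(access_group_url "$ACCOUNT_ID" "$GROUP_ID")" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $CF_API_TOKEN" \
    --data "$body"
}

# Runs only when a token and an IP argument are supplied.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${1:-}" ]; then
  update_access_group "$1"
fi
```

Because the update is a full replacement, any `exclude` or `require` rules the group already has would need to be added to the payload as well.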