ipfs-shipyard / ipfs-deploy

Zero-Config CLI to Deploy Static Websites to IPFS

Fails to update Cloudflare with zone limited API token #148

Closed Nemo157 closed 3 years ago

Nemo157 commented 4 years ago

I set up a Cloudflare API token with limited zone access.

When attempting to deploy with this it fails:

ℹ 📡  Beaming new hash to DNS provider Cloudflare…
✖ 💔  Updating Cloudflare DNS didn't work.
  │ HTTPError: Response code 403 (Forbidden)

If I edit the token to remove the zone limitation it works successfully.

Macil commented 4 years ago

This limitation is currently mentioned in the readme:

In order to use a Cloudflare API token you need to grant zone read and dns edit permissions (both under the zone section). You also need to not restrict the zone resources to a specific zone. (This is because the list zones API call doesn't work if you only allow access to a specific zone and that is needed to look up the id of the zone you specify.)

It seems like this limitation could be solved if ipfs-deploy supported the zone id being specified in ~/.env.

Nemo157 commented 4 years ago

Ah, whoops, I somehow missed reading that part while setting up. Being able to specify zone by id instead of name seems workable, it’s easily accessible via the UI.

It might also be worth opening an upstream issue, an API token should be able to list zones it has access to even if it can’t see them all.

kevincox commented 4 years ago

I would definitely like to see the ability to pass a zone id so that I can zone restrict my token.

denzuko commented 3 years ago

There's an easy fix and it's with your Cloudflare API token permissions:

Under api tokens > Permissions. Ensure that you add the following:

Also, when debugging, be sure to check your audit logs under dash home > audit log. There are more fine-grained details there that one can use to figure out exactly what's going on.

hacdias commented 3 years ago

Thanks for the help here @denzuko! That should be it. I also use Cloudflare tokens and they work.
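
The zone-id approach suggested earlier in the thread, as an added example that is not part of the original discussion and is not ipfs-deploy's own code: when a zone id is supplied, the DNSLink TXT record is updated without the zone listing call, so the token can stay restricted to one zone. The `zoneId` option, the function names and all sample values are assumptions, and `restrictedTokenApi` is a constructed stand-in that returns 403 where the README says a zone-restricted token is refused.

```javascript
const API = 'https://api.cloudflare.com/client/v4'

// One authenticated Cloudflare API v4 call; throws on any non-2xx status.
async function cf (fetchImpl, token, method, path, body) {
  const res = await fetchImpl(API + path, {
    method,
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: body ? JSON.stringify(body) : undefined
  })
  if (!res.ok) throw new Error(`${method} ${path}: HTTP ${res.status}`)
  return (await res.json()).result
}

// zoneId is the hypothetical new option; when set, the zone listing is never called.
async function updateDnslink ({ token, zoneName, zoneId, record, cid }, fetchImpl = fetch) {
  if (!zoneId) {
    // Lookup by name: the call the README says a zone-restricted token cannot make.
    const zones = await cf(fetchImpl, token, 'GET', `/zones?name=${encodeURIComponent(zoneName)}`)
    if (zones.length !== 1) throw new Error(`zone ${zoneName} not found`)
    zoneId = zones[0].id
  }
  // Zone ids are 32 hex characters; reject anything else before it reaches a URL path.
  if (!/^[0-9a-f]{32}$/.test(zoneId)) throw new Error('malformed zone id')
  const query = `type=TXT&name=${encodeURIComponent(record)}`
  const recs = await cf(fetchImpl, token, 'GET', `/zones/${zoneId}/dns_records?${query}`)
  if (recs.length !== 1) throw new Error(`expected 1 TXT record for ${record}, got ${recs.length}`)
  const content = `dnslink=/ipfs/${cid}`
  await cf(fetchImpl, token, 'PUT', `/zones/${zoneId}/dns_records/${recs[0].id}`,
    { type: 'TXT', name: record, content, ttl: 1 })
  return { zoneId, recordId: recs[0].id, content }
}

// Constructed stand-in for the API as a token restricted to one zone sees it:
// 403 on the zone listing and on other zones, normal replies inside the allowed zone.
function restrictedTokenApi (allowedZoneId, calls) {
  const reply = (status, result) => ({ ok: status < 400, status, json: async () => ({ result }) })
  return async (url, { method }) => {
    const path = url.slice(API.length)
    calls.push(`${method} ${path}`)
    if (!path.startsWith(`/zones/${allowedZoneId}/`)) return reply(403, null)
    return reply(200, method === 'GET' ? [{ id: 'constructed-record-id' }] : {})
  }
}

// Demo with constructed values: the zone-id path succeeds under the restricted token.
const demoZone = '0123456789abcdef0123456789abcdef'
updateDnslink({ token: 'constructed-token', zoneId: demoZone, record: '_dnslink.example.com', cid: 'bafy-constructed' },
  restrictedTokenApi(demoZone, [])).then(r => console.log(r.content))
```

Passing only `zoneName` against the same stand-in reproduces the 403 from the original report.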