Closed JakeWharton closed 4 years ago
It also means you only need to give access to a specific zone, rather than all zones.
Looking into this more, it's probably not worthwhile because it also has implications on how the subdomain is computed (which is currently prepended to the zone). You would have to specify the fully-qualified record name yourself and further conditional logic.
Going to preemptively close since it would require too many changes for little benefit.
I was just about to open a separate issue for this before I saw this one. The feature is supported for example here: https://github.com/joshuaavalon/docker-cloudflare
I'll reopen then and let @oznu weigh in
Thanks! For a current project I am uncomfortable saving an API token that gives access to all of my managed domains in my personal zone on a machine... This would be a great and easy solution.
Looking into this more, it's probably not worthwhile because it also has implications on how the subdomain is computed (which is currently prepended to the zone). You would have to specify the fully-qualified record name yourself and further conditional logic.
I was looking at the code and I don't understand what implications it would have for the subdomain computation. If the user supplies the variables API_KEY, ZONE, ZONE_ID and SUBDOMAIN everything should work fine, right? Doesn't the user have to specify the full domain name anyway (as in SUBDOMAIN.ZONE)?
What would happen if you just change the getZoneId() function to check for a supplied ZONE_ID environment variable and then return it instead of making an API call?
Another option would be to split API Tokens like this:
Apart from the regular API_KEY there could be an additional, optional variable ZONE_API_KEY.
API_KEY is used to change DNS records, ZONE_API_KEY is used to resolve a zone name to a zone id. If no ZONE_API_KEY is supplied it is set equal to API_KEY at launch.
This would allow users to create two more narrowly defined scopes.
For API_KEY:
Token permissions: Zone - DNS - Edit
Zone resources: Include - Only the domain's zone
For ZONE_API_KEY:
Token permissions: Zone - Zone Settings - Read / Zone - Zone - Read
Zone resources: Include - All zones
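The two proposals above (a ZONE_ID short-circuit in getZoneId() and a separate, narrower ZONE_API_KEY used only for the zone lookup) combined in one shell sketch. This is an added example, not code from the image's own scripts; the helper names zoneLookupToken, lookupZoneIdByName, recordName and the CF_API variable are assumptions, and only getZoneId comes from the thread.

```shell
# Added example, not the project's code. Function names other than getZoneId
# and the CF_API variable are assumptions for this illustration.
set -eu

CF_API="${CF_API:-https://api.cloudflare.com/client/v4}"

# Token used only for zone-name -> zone-id resolution. ZONE_API_KEY can be
# scoped to Zone:Read on all zones, while API_KEY stays DNS:Edit on one zone.
# When ZONE_API_KEY is absent it falls back to API_KEY, as proposed above.
zoneLookupToken() {
  printf '%s' "${ZONE_API_KEY:-${API_KEY:?API_KEY is required}}"
}

# Hypothetical lookup against the Cloudflare API; only reached when ZONE_ID
# is not supplied, so a ZONE_ID-only deployment never needs zone-list rights.
lookupZoneIdByName() {
  zone="$1"
  token="$2"
  curl -fsS -H "Authorization: Bearer ${token}" \
    "${CF_API}/zones?name=${zone}&status=active" \
    | jq -r '.result[0].id // empty'
}

getZoneId() {
  # Short-circuit: the user already told us the zone id, no API call needed.
  if [ -n "${ZONE_ID:-}" ]; then
    printf '%s\n' "$ZONE_ID"
    return 0
  fi
  id="$(lookupZoneIdByName "${ZONE:?ZONE or ZONE_ID is required}" "$(zoneLookupToken)")"
  if [ -z "$id" ]; then
    echo "getZoneId: could not resolve zone '${ZONE}' to an id" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# The record name is still SUBDOMAIN prepended to ZONE, so supplying ZONE_ID
# does not change how the subdomain is computed.
recordName() {
  printf '%s\n' "${SUBDOMAIN:?SUBDOMAIN is required}.${ZONE:?ZONE is required}"
}
```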
Yeah, we really need the split token approach here.
Giving access to all zones is a blocker for me as well.
I hate doing this, but seeing you all suffer like this is no picnic either... until oznu ever decides to pick up development again, have a look at https://github.com/hotio/docker-cloudflare-ddns
I'll accept pull requests 😄
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Cloudflare lists the Zone ID value on the "Overview" page now which makes it easy to grab. This means the only permission the token requires is DNS edit.