oznu / docker-cloudflare-ddns

A small amd64/ARM/ARM64 Docker image that allows you to use CloudFlare as a DDNS / DynDNS Provider.
https://hub.docker.com/r/oznu/cloudflare-ddns/
GNU General Public License v3.0

Consider parameter to pass Zone ID directly #20

Closed JakeWharton closed 4 years ago

JakeWharton commented 4 years ago

Cloudflare lists the Zone ID value on the "Overview" page now which makes it easy to grab. This means the only permission the token requires is DNS edit.

JakeWharton commented 4 years ago

It also means you only need to give access to a specific zone, rather than all zones.

JakeWharton commented 4 years ago

Looking into this more, it's probably not worthwhile because it also has implications on how the subdomain is computed (which is currently prepended to the zone). You would have to specify the fully-qualified record name yourself and further conditional logic.

Going to preemptively close since it would require too many changes for little benefit.

ptts commented 4 years ago

I was just about to open a separate issue for this before I saw this one. The feature is supported for example here: https://github.com/joshuaavalon/docker-cloudflare

JakeWharton commented 4 years ago

I'll reopen then and let @oznu weigh in

ptts commented 4 years ago

Thanks! For a current project I am uncomfortable saving an API token that gives access to all of my managed domains in my personal zone on a machine... This would be a great and easy solution.

> Looking into this more, it's probably not worthwhile because it also has implications on how the subdomain is computed (which is currently prepended to the zone). You would have to specify the fully-qualified record name yourself and further conditional logic.

I was looking at the code and I don't understand what implications it would have for the subdomain computation. If the user supplies the variables API_KEY, ZONE, ZONE_ID and SUBDOMAIN everything should work fine, right? Doesn't the user have to specify the full domain name anyway (as in SUBDOMAIN.ZONE)?

What would happen if you just change the getZoneId() function to check for a supplied ZONE_ID environment variable and then return it instead of making an API call?

ptts commented 4 years ago

Another option would be to split API Tokens like this: Apart from the regular API_KEY there could be an additional, optional variable ZONE_API_KEY. API_KEY is used to change DNS records, ZONE_API_KEY is used to resolve a zone name to a zone id. If no ZONE_API_KEY is supplied it is set equal to API_KEY at launch.

This would allow users to create two more narrowly defined scopes.

For API_KEY:
Token permissions: Zone - DNS - Edit
Zone resources: Include - Only the domain's zone

For ZONE_API_KEY:
Token permissions: Zone - Zone Settings - Read / Zone - Zone - Read
Zone resources: Include - All zones
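
The two proposals in the comments above (return a supplied ZONE_ID instead of calling the API, and use a separate ZONE_API_KEY for the name lookup that defaults to API_KEY) can be combined in one resolver. This is an added example, not code from the thread or from the project: the environment variable names are the ones used in the thread, while the function names, the 32-hex-character ID check and the sed-based extraction are assumptions of the sketch.

```shell
#!/bin/sh
# Added example, not the project's script. API_KEY, ZONE, ZONE_ID and
# ZONE_API_KEY are the variables named in the thread; function names are hypothetical.
CF_API="https://api.cloudflare.com/client/v4"

# Authenticated GET against the Cloudflare v4 API. $1 = token, $2 = path and query.
cf_get() {
  curl -fsS -H "Authorization: Bearer $1" "$CF_API$2"
}

# Assumption: zone IDs are 32 lowercase hex characters. Checking the shape
# keeps a malformed ZONE_ID from being spliced into later API paths.
is_zone_id() {
  case "$1" in
    "" | *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Read result[0].id from a zones-list response on stdin.
# Assumption: "id" is the first key of the first result object; a JSON
# parser such as jq is the sturdier choice where it is available.
first_zone_id() {
  tr -d '[:space:]' | sed -n 's/.*"result":\[{"id":"\([0-9a-f]\{32\}\)".*/\1/p'
}

resolve_zone_id() {
  # Path 1: the operator supplied the ID, so no zone-read permission is needed
  # and the DNS-edit token can be scoped to a single zone.
  if [ -n "${ZONE_ID:-}" ]; then
    is_zone_id "$ZONE_ID" || { echo "ZONE_ID must be 32 hex characters" >&2; return 1; }
    printf '%s\n' "$ZONE_ID"
    return 0
  fi
  # Path 2: look the zone up by name with the read-only token,
  # falling back to API_KEY when ZONE_API_KEY is not set.
  lookup_token="${ZONE_API_KEY:-${API_KEY:-}}"
  [ -n "$lookup_token" ] || { echo "no API token set" >&2; return 1; }
  found=$(cf_get "$lookup_token" "/zones?name=${ZONE:-}" | first_zone_id)
  is_zone_id "$found" || { echo "zone lookup failed for ${ZONE:-}" >&2; return 1; }
  printf '%s\n' "$found"
}
```

With ZONE_ID set, the lookup request is never sent, so the only token on the machine is the single-zone DNS edit token.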

Appelg commented 4 years ago

Yeah, we really need the split token approach here.

hyperknot commented 4 years ago

Giving access to all zones is a blocker for me as well.

mrhotio commented 4 years ago

I hate doing this, but seeing you all suffer like this is no picnic either...until oznu ever decides to pick up development again, have a look at https://github.com/hotio/docker-cloudflare-ddns

oznu commented 4 years ago

I'll accept pull requests 😄

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.