Using Cloudflare without Global API Key
-
App Dev wrote on Dec 4, 2019, 9:33 PM last edited by girish Dec 11, 2019, 10:12 PM
I'd prefer to restrict a Cloudron instance to a particular zone rather than use the Global API Key. Whenever I do so, I get an error from Cloudron. What should the account be scoped to? Or is it even possible to use this?
-
Do you get any more specific error codes/messages while trying to add a domain with such a key?
-
@iamthefij Do those API keys start with v1.0-? If so, per the docs, we have to set a special header variable unlike the global API key (https://api.cloudflare.com/#getting-started-requests)
-
4.4 has support for API tokens - https://git.cloudron.io/cloudron/box/commit/b0420889adac8de3ae9edf9f2bd1e96c7c9c1191
-
-
Configuration looks correct. Ideally, Cloudron does not require access to all zones but without it we have to make the user enter the zone id which is kinda hard to find in the cloudflare UI.
-
Configuration looks correct. Ideally, Cloudron does not require access to all zones but without it we have to make the user enter the zone id which is kinda hard to find in the cloudflare UI.
Thank you for having a look, @girish !
-
Do you have a documentation/blog post about the Cloudflare API setup for Cloudron?
This is my settings for now, but I'm not sure if I miss something. My instance working alright with the following settings, but if you know the better/secure/correct settings, could you let me know?
wrote on Feb 26, 2020, 3:36 AM last edited by
@hiyukoim said in Using Cloudflare without Global API Key:
This is my settings for now, but I'm not sure if I miss something. My instance working alright with the following settings, but if you know the better/secure/correct settings, could you let me know?
Thanks for this screenshot,
it works like a charm
-
I wish we could remove the "All zones" setting but afaict there is no way to get the zone id (which is required by the API) without listing the zones. I guess one alternative is to let users enter the zone id in the DNS setup form but this appears complicated.
-
wrote on Jun 1, 2020, 7:57 AM last edited by JOduMonT Jun 1, 2020, 8:31 AM@girish said in Using Cloudflare without Global API Key:
I wish we could remove the "All zones" setting but afaict there is no way to get the zone id (which is required by the API) without listing the zones. I guess one alternative is to let users enter the zone id in the DNS setup form but this appears complicated.
I don't know if something changed on the Cloudflare and/or Cloudron side around this, but I was able to limit the API to a specific zone without issue,
and then to 3 specific zones and one specific IP.
It's still working with only this permission:
- Zone.DNS Edit
-
@JOduMonT thanks for the heads up. Looks like this is something new in Cloudflare, will test it out and update docs accordingly.
-
Can confirm that all zones access is not required in cloudflare anymore. Will update docs.
-
wrote on Jun 2, 2020, 2:56 PM last edited by
@girish said in Using Cloudflare without Global API Key:
Can confirm that all zones access is not required in cloudflare anymore. Will update docs.
I had to reinstall my Cloudflare then; with these settings at Cloudflare
I had zero issues installing and configuring my 5 domains.
The only right my Cloudron API has is to
edit a specific zone from a specific IP
-
wrote on Jun 11, 2020, 4:37 PM last edited by
@girish said in Using Cloudflare without Global API Key:
Can confirm that all zones access is not required in cloudflare anymore. Will update docs.
I just added a domain then; just to be more concise,
we have to specify the Zone Name unless it will not work with only
Zone -> DNS -> Edit
permissions at Cloudflare
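
The two points discussed in this thread (the different auth header for API tokens, and resolving the zone id by listing zones) as an added example; it is not Cloudron's code and is not part of any post above. The helper names, sample responses and zone id are constructed for illustration, and it assumes the Cloudflare v4 zone listing returns only the zones the credential can see.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def auth_headers(secret, email=None):
    """Scoped API tokens use a Bearer header; the Global API Key instead
    needs the account email plus the key in X-Auth-* headers."""
    if email is None:
        return {"Authorization": "Bearer " + secret}
    return {"X-Auth-Email": email, "X-Auth-Key": secret}

def zone_lookup_request(zone_name, secret, email=None):
    """Build (but do not send) the zone listing request, filtered by name."""
    url = API + "/zones?" + urllib.parse.urlencode({"name": zone_name})
    return urllib.request.Request(url, headers=auth_headers(secret, email))

def resolve_zone_id(body, zone_name):
    """Extract the zone id from a listing response, failing closed."""
    doc = json.loads(body)
    if not doc.get("success"):
        raise PermissionError("Cloudflare rejected the request: %s" % doc.get("errors"))
    matches = [z for z in (doc.get("result") or []) if z.get("name") == zone_name]
    if len(matches) != 1:
        raise LookupError("credential does not see exactly one zone named %r" % zone_name)
    return matches[0]["id"]

def visible_zones(body):
    """Zone names the credential can list. For a token restricted to
    specific zones this should be exactly those zones and nothing more."""
    return sorted(z["name"] for z in (json.loads(body).get("result") or []))

# Constructed sample responses (not captured from a real account).
SAMPLE_SCOPED = json.dumps({"success": True, "errors": [], "result": [
    {"id": "0123456789abcdef0123456789abcdef", "name": "example.com"}]})
SAMPLE_DENIED = json.dumps({"success": False, "result": None,
                            "errors": [{"code": 10000, "message": "Authentication error"}]})

if __name__ == "__main__":
    req = zone_lookup_request("example.com", "PLACEHOLDER_TOKEN")
    print(req.full_url, sorted(req.header_items()))
    print(resolve_zone_id(SAMPLE_SCOPED, "example.com"), visible_zones(SAMPLE_SCOPED))
```

Running `visible_zones` against an unfiltered listing made with the token is a quick way to confirm the token is not broader than the zones it was meant for.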