Using Cloudflare without Global API Key
-
I'd prefer to restrict a Cloudron instance to a particular zone rather than use the Global API Key. Whenever I do so, I get an error from Cloudron. What should the account be scoped to? Or is it even possible to use this?
-
Do you get any more specific error codes/messages while trying to add a domain with such a key?
-
@nebulon not really. It just said it cannot connect.
-
@iamthefij Do those API keys start with
v1.0-? If so, per the docs, we have to set a special header variable unlike the global API key (https://api.cloudflare.com/#getting-started-requests)
-
4.4 has support for API tokens - https://git.cloudron.io/cloudron/box/commit/b0420889adac8de3ae9edf9f2bd1e96c7c9c1191
-
Awesome! Thanks Girish!
-
Do you have a documentation/blog post about the Cloudflare API setup for Cloudron?
This is my settings for now, but I'm not sure if I miss something. My instance working alright with the following settings, but if you know the better/secure/correct settings, could you let me know?
-
Configuration looks correct. Ideally, Cloudron does not require access to all zones but without it we have to make the user enter the zone id which is kinda hard to find in the cloudflare UI.
-
Thank you for having a look, @girish !
-
@hiyukoim said in Using Cloudflare without Global API Key:
This is my settings for now, but I'm not sure if I miss something. My instance working alright with the following settings, but if you know the better/secure/correct settings, could you let me know?
Thank for this screenshot
it's work like a charm
-
I wish we can remove the "All zones" setting but afaict there is no way to get the zone id (which is required by the API) without listing the zones. I guess one alternative is to let users the zone id in the DNS setup form but this appears complicated.
-
@girish said in Using Cloudflare without Global API Key:
I wish we can remove the "All zones" setting but afaict there is no way to get the zone id (which is required by the API) without listing the zones. I guess one alternative is to let users the zone id in the DNS setup form but this appears complicated.
I don't know if something change from Cloudflare and/or Cloudron side around this but I was able to limit the API to a specific zone without issue
and then to 3 specific zone and one specific IP
It's still working with these only this Permission
- Zone.DNS Edit
-
@JOduMonT thanks for the heads up. Looks like this is something new in Cloudflare, will test it out and update docs accordingly.
-
Can confirm that all zones access is not required in cloudflare anymore. Will update docs.
-
@girish said in Using Cloudflare without Global API Key:
Can confirm that all zones access is not required in cloudflare anymore. Will update docs.
I had to reinstall my Cloudflare than with these setting at Cloudflare
the detail of this Token
I had zero issue to install and configure my 5 domains
the only right my Cloudron API have is to
Edit specific Zone from a specific IP
-
@girish said in Using Cloudflare without Global API Key:
Can confirm that all zones access is not required in cloudflare anymore. Will update docs.
I just added a domain than, just to be more concise
we have to specify the Zone Name
unless it will not work with only
Zone -> DNS -> Editpermissions at Cloudflare
