Authentication error with zone DNS API token

For minimal permissions I have created an API token locked down to zone DNS edits using the “Edit zone DNS” template:


When launching this service I get an Authentication error:

    cloudflare-companion | [INFO] ** [traefik-cloudflare-companion] Starting Traefik Cloudflare Companion
    cloudflare-companion | Traceback (most recent call last):
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 276, in <module>
    cloudflare-companion |     init(doms)
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 211, in init
    cloudflare-companion |     check_container_t2(c, doms)
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 176, in check_container_t2
    cloudflare-companion |     point_domain(extracted_domains[0], doms)
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 91, in point_domain
    cloudflare-companion |     records = cf.zones.dns_records.get(dom['zone_id'], params={u'name': name})
    cloudflare-companion |   File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 672, in get
    cloudflare-companion |     return self._base.call_with_auth('GET', self._parts,
    cloudflare-companion |   File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 126, in call_with_auth
    cloudflare-companion |     return self._call(method, headers, parts,
    cloudflare-companion |   File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 502, in _call
    cloudflare-companion |     raise CloudFlareAPIError(code, message)
    cloudflare-companion | CloudFlare.exceptions.CloudFlareAPIError: Authentication error

Am I missing other permissions?

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 5

Top GitHub Comments

4 reactions
Northguy commented, Mar 27, 2021

OK, figured it out. Please note the comment "Leave Blank for Scoped API" behind the CF_EMAIL environment variable. This is important! You need to remove the CF_EMAIL environment variable when using a domain-specific API token!

The long explanation:

According to the Cloudflare documentation here, one of the common issues with API tokens is using the wrong authentication.

On occasion, customers will attempt to use an API Token with an API Key syntax. Ensure you are using the Bearer option, rather than the Email and API key pair.

According to the documentation of the Python wrapper for the Cloudflare v4 API, there are multiple ways to make a call:

    # A minimal call - reading values from environment variables or configuration file
    cf = CloudFlare.CloudFlare()

    # A minimal call with debug enabled
    cf = CloudFlare.CloudFlare(debug=True)

    # An authenticated call using an API Token (note the missing email)
    cf = CloudFlare.CloudFlare(token='00000000000000000000000000000000')

    # An authenticated call using an API Key
    cf = CloudFlare.CloudFlare(email='user@example.com', token='00000000000000000000000000000000')

    # An authenticated call using an API Key and CA-Origin info
    cf = CloudFlare.CloudFlare(email='user@example.com', token='00000000000000000000000000000000', certtoken='v1.0-...')

    # An authenticated call using a stored profile (see below)
    cf = CloudFlare.CloudFlare(profile="CompanyX")

As we are using an API token, we need to use the 1st option of the authenticated call and omit the e-mail address.
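
Added example (not part of the original issue, the companion's code, or the python-cloudflare library): a startup preflight that reports which authentication scheme a given environment selects, so a scoped token that is accidentally paired with CF_EMAIL is visible in the logs before the first API call fails. It assumes the token is read from a variable named CF_TOKEN, treats a blank CF_EMAIL as unset, and models the two schemes as the X-Auth-Email / X-Auth-Key header pair versus Authorization: Bearer; the function names are hypothetical.

```python
"""Added example: which Cloudflare auth scheme does this environment select?"""

SECRET_HEADERS = ("X-Auth-Key", "Authorization")


def auth_headers(token, email=None):
    # Email + key pair selects the legacy API-key scheme; a token on its own
    # is sent as a Bearer credential, which is what scoped API tokens require.
    if email:
        return {"X-Auth-Email": email, "X-Auth-Key": token}
    return {"Authorization": "Bearer " + token}


def client_kwargs(env):
    # CF_TOKEN is an assumed variable name; CF_EMAIL is the one from the issue.
    token = (env.get("CF_TOKEN") or "").strip()
    email = (env.get("CF_EMAIL") or "").strip()
    if not token:
        raise ValueError("CF_TOKEN is not set")
    kwargs = {"token": token}
    if email:  # blank or whitespace-only CF_EMAIL is treated as unset
        kwargs["email"] = email
    return kwargs


def describe_auth(env):
    # Returns (scheme, headers) with secret values redacted, safe to log.
    kwargs = client_kwargs(env)
    headers = auth_headers(kwargs["token"], kwargs.get("email"))
    scheme = "api_key" if "email" in kwargs else "api_token"
    redacted = {k: "<redacted>" if k in SECRET_HEADERS else v
                for k, v in headers.items()}
    return scheme, redacted


if __name__ == "__main__":
    # Constructed sample environments, not real credentials.
    broken = {"CF_TOKEN": "0" * 32, "CF_EMAIL": "user@example.com"}
    fixed = {"CF_TOKEN": "0" * 32, "CF_EMAIL": ""}
    for label, env in (("CF_EMAIL set", broken), ("CF_EMAIL blank", fixed)):
        print(label, "->", describe_auth(env))
```

The dictionary returned by client_kwargs() can be passed to CloudFlare.CloudFlare(**kwargs), which matches the token-only and email-plus-token call forms listed above.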

0 reactions
SebDanielsson commented, Mar 27, 2021

Good catch, now it’s working. Thanks!
