External-dns: Add support for CloudFlare API Tokens (Authorization: Bearer)

Created on 2 Aug 2019 · 11 Comments · Source: kubernetes-sigs/external-dns

API Tokens use the standard Authorization: Bearer header for authentication instead of x-auth-email and x-auth-key that API Keys use.

API tokens would allow granting external-dns access to only a specific DNS zone and not the whole CloudFlare account 🔒

All 11 comments

Hi @Evesy, thanks for adding support for API tokens. But for now, the API token must be granted for all zones; it cannot be granted only to a specific zone.
When you generate a token for a specific zone, you will get this error:
level=error msg="error from makeRequest: HTTP status 403: insufficient permissions".

I do confirm the assumption of @zackijack, it only works when the token has granted permissions for all zones.

Do we have an update on this? I'm also seeing this with Cloudflare API tokens.

level=error msg="error from makeRequest: HTTP status 403: insufficient permissions"

I don't necessarily want to generate wider permissions to see a zone specifically if I can help that.

This appears to have regressed further, in that even with a token with zone.DNS.Edit permissions on all zones, you still get the above error. Seeing as it's probably wise to roll back to 0.5.17 because of #1463 anyway, I'm going to wait until both of these are fixed before upgrading to something more recent than that.

I am facing this issue currently with both latest and v0.5.17 docker images. My Cloudflare token has zone:read and DNS:edit permissions for a particular zone in my client's account. Any updates on this issue will be really helpful, as we are depending on this setup for a multi-ingress setup.

Also ran into this issue. Is anyone actively working on this?

This should be implemented and fixed as of 0.7.2

To use an API token you can write:

cloudflare:
  apiToken: "xxx"

To synchronize just a single zone you can use:

zoneIdFilters:
  - asdfas

If someone has other issues or ideas, please open another issue

/close
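
The setup described in the comment above, written out as a plain Deployment instead of chart values. This is an added example, not part of the thread or the project's own manifests. The image reference, Secret names and keys, service account and zone ID are placeholders. It assumes a token with the zone read and DNS edit permissions mentioned earlier in the thread, and external-dns 0.7.2 or later.

```yaml
# Added example: external-dns with a zone-scoped Cloudflare API token.
# Image, Secret names/keys, service account and <ZONE_ID> are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns      # assumed to exist with RBAC for the source
      containers:
        - name: external-dns
          image: "<external-dns-image>"     # placeholder; 0.7.2 or later per the thread
          args:
            - --source=ingress
            - --provider=cloudflare
            # Only touch the one zone the token is scoped to.
            - --zone-id-filter=<ZONE_ID>
          env:
            # Before: account-wide API key (sent as x-auth-email / x-auth-key).
            # - name: CF_API_EMAIL
            #   value: admin@example.com
            # - name: CF_API_KEY
            #   valueFrom:
            #     secretKeyRef: {name: cloudflare-api-key, key: key}
            #
            # After: scoped API token (sent as Authorization: Bearer),
            # read from a Secret rather than written into the manifest.
            - name: CF_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: cloudflare-api-token
                  key: token
```

Leave `CF_API_KEY` and `CF_API_EMAIL` unset when switching to the token, so the account-wide key is no longer present in the pod environment.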

@sheerun: Closing this issue.
