Insufficient permissions error with Zone-specific API tokens

[tornyairoland]

Hi!

I was directed here from this pulumi-cloudflare issue.

While trying to limit the access of our Cloudflare API Tokens, I have come across an error.
I have created a new Token, added permissions to "Edit" the "Zone Settings" and "Included" only that "Specific Zone".

Terraform Version

The Pulumi Cloudflare provider is using the Cloudflare Terraform provider, v2.7.0, and github.com/terraform-providers/terraform-provider-cloudflare v1.18.2-0.20200520193353-7dbdc13b06b6.

Affected Resource(s)

I tried it with cloudflare_zone_settings_override, but other cloudflare_* resources could be affected.

Terraform Configuration Files

Based on the pulumi code I tried to run:

resource "cloudflare_zone_settings_override" "settings" {
    zone_id = var.cloudflare_zone_id
    settings {
        ssl = "flexible"
        min_tls_version = "1.2"
    }
}

I tried getting the cloudflare_zone_id programmatically and copying the Zone ID manually from Cloudflare as well.

Expected Behavior

Zone settings should have been applied as the token used for this has the permissions to do that.

Actual Behavior

Got the following error from Pulumi:

Error: invocation of cloudflare:index/getZones:getZones returned an error: invoking cloudflare:index/getZones:getZones: error listing Zone: error from makeRequest: HTTP status 403: insufficient permissions

Steps to Reproduce

1. Create an API Token limited to just a specific Zone, nothing Account related.
2. Try to apply some setting to just the specified Zone.

Important Factoids

1. Using the same token and calling the Cloudflare API with curl works:

$ curl -X GET "https://api.cloudflare.com/client/v4/zones?name=<zone name>" -H "Authorization: Bearer <api token>" -H "Content-Type:application/json"

{"result":[{"id":"be2[...]","name":"<zone name>","status":"active",[...]}

2. Using the same curl command, but without the ?name=<zone name> part returns an error from the Cloudflare API:

{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.81a[...]' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}

3. Some related info is mentioned on the Cloudflare forums here

References

Pulumi issue

[jacobbednarz]

Are you able to re-run the command with TF_LOG=DEBUG and we can see which HTTP call is getting this exception?

[jacobbednarz]

The Pulumi Cloudflare provider is using the Cloudflare Terraform provider, v2.7.0, and github.com/terraform-providers/terraform-provider-cloudflare v1.18.2-0.20200520193353-7dbdc13b06b6.

Would you also be able to expand on this as the way I read this, it's conflicting information. You can't be running two different versions of the provider (2.7.0 and 1.18.2) at the same time.

[mrtristan]

i'm seeing much the same thing. my api tokens have zone specific permissions.

when doing:

data "cloudflare_zones" "XXXXXXX" {
  filter {
    name   = "xxxx.com"
    # status = "active"
    # paused = false
  }
}

fiddler captured:

GET https://api.cloudflare.com/client/v4/zones?per_page=50 HTTP/1.1
Host: api.cloudflare.com
User-Agent: HashiCorp Terraform/0.12.26 (+https://www.terraform.io) Terraform Plugin SDK/1.13.0 terraform-provider-cloudflare/2.7.0
Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/json
Accept-Encoding: gzip

it seems that the api calls are too generic when the api token only has a subset of access.

a curl like this works with the same token:

curl -X GET "https://api.cloudflare.com/client/v4/zones?name=xxxx.com" -H "Authorization: Bearer XXXXXXXXXXXXXXXXXXX" -H "Content-Type:application/json"

is this sufficiently similar? not looking to cause duplication, and not looking to hijack... :-)

[jacobbednarz]

@mrtristan Your issue could be similar but really should be a separate issue as it's not related to Pulumi from my understanding here. With your API calls, it's failing because we do the filtering in the application following fetching all the zones which is probably why your seeing the issue. We can probably look to do the filtering on Cloudflare's side to mitigate but we'll need to do some testing that we don't lose any functionality in doing so.

[mrtristan]

yep. completely aligned. moving to new issue

[tornyairoland]

Hi!
I recreated the issue using terraform and not pulumi, and the same error is happening.
I think it is similar to the issue that @mrtristan mentioned.

Cloudflare Terraform provider: v2.8.0 (the other version number above was the go package version from the provider repository)

Here are the debug logs: https://gist.github.com/tornyairoland/6cd8ab4146851b97273545fa114af671

[jacobbednarz]

@tornyairoland the issue @mrtristan raised was moved to #707 and the fix is currently under review at #708. If you believe you're having the same issue, please follow that issue and checkout the PR if you're wanting to test out the fix.

[jacobbednarz]

#708 has been merged so fetching a single zone shouldn't be causing these issues (providing Cloudflare permissions are correct).

Feel free to pull the master branch down, build it per the README documentation and let me know if you hit any snags. Alternatively, this will land in the next release.