Authentication error with zone DNS API token #44

Open
mbrodala opened this issue Feb 26, 2021 · 5 comments

@mbrodala

mbrodala commented Feb 26, 2021

For minimal permissions I have created an API token locked down to zone DNS edits using the "Edit zone DNS" template:


When launching this service I get an Authentication error:

    cloudflare-companion | [INFO] ** [traefik-cloudflare-companion] Starting Traefik Cloudflare Companion
    cloudflare-companion | Traceback (most recent call last):
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 276, in <module>
    cloudflare-companion |     init(doms)
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 211, in init
    cloudflare-companion |     check_container_t2(c, doms)
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 176, in check_container_t2
    cloudflare-companion |     point_domain(extracted_domains[0], doms)
    cloudflare-companion |   File "/usr/sbin/cloudflare-companion", line 91, in point_domain
    cloudflare-companion |     records = cf.zones.dns_records.get(dom['zone_id'], params={u'name': name})
    cloudflare-companion |   File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 672, in get
    cloudflare-companion |     return self._base.call_with_auth('GET', self._parts,
    cloudflare-companion |   File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 126, in call_with_auth
    cloudflare-companion |     return self._call(method, headers, parts,
    cloudflare-companion |   File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 502, in _call
    cloudflare-companion |     raise CloudFlareAPIError(code, message)
    cloudflare-companion | CloudFlare.exceptions.CloudFlareAPIError: Authentication error

Am I missing other permissions?

@mbrodala

mbrodala commented Mar 1, 2021

By now I've switched to a wildcard certificate, thus I don't need specific DNS entries (and this image) anymore.

Still it would be interesting what the issue could be here.

@sebdanielsson

Yeah I'm getting the same error myself even after generating a token with full permissions. Either the documentation is bad or something is broken for now..

@Northguy

Same issue here upon launching the service... no clue on how to debug unfortunately :-(

@Northguy

Northguy commented Mar 27, 2021

OK, figured it out. Please note the comment "Leave Blank for Scoped API" behind the CF_EMAIL environment variable. This is important! You need to remove the CF_EMAIL environment variable when using a domain-specific API token!

The long explanation:

According to Cloudflare documentation here, one of the common issues with API tokens is using the wrong authentication.

On occasion, customers will attempt to use an API Token with an API Key syntax. Ensure you are using the Bearer option, rather than the Email and API key pair.

According to the documentation of the Python wrapper for the Cloudflare v4 API, there are multiple ways to make a call:

    import CloudFlare

    # A minimal call - reading values from environment variables or configuration file
    cf = CloudFlare.CloudFlare()

    # A minimal call with debug enabled
    cf = CloudFlare.CloudFlare(debug=True)

    # An authenticated call using an API Token (note the missing email)
    cf = CloudFlare.CloudFlare(token='00000000000000000000000000000000')

    # An authenticated call using an API Key
    cf = CloudFlare.CloudFlare(email='user@example.com', token='00000000000000000000000000000000')

    # An authenticated call using an API Key and CA-Origin info
    cf = CloudFlare.CloudFlare(email='user@example.com', token='00000000000000000000000000000000', certtoken='v1.0-...')

    # An authenticated call using a stored profile (see below)
    cf = CloudFlare.CloudFlare(profile="CompanyX")

As we are using an API token, we need to use the 1st option of the authenticated call and omit the e-mail address.
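The check below is an added example, not part of the thread and not the project's or the library's own code. It shows a startup guard that picks the CloudFlare.CloudFlare() arguments from the environment and refuses the combination that caused this error. It assumes the token is supplied in a variable named CF_TOKEN, and it uses a heuristic (a Global API Key is 37 hexadecimal characters) that is not stated in the thread.

```python
import re

# Assumption (heuristic, not from the thread): a legacy Global API Key is
# 37 hexadecimal characters; scoped API tokens do not match this pattern.
GLOBAL_KEY_RE = re.compile(r"[0-9a-f]{37}")


def build_cf_kwargs(env):
    """Map CF_TOKEN / CF_EMAIL to keyword arguments for CloudFlare.CloudFlare().

    A blank or whitespace-only CF_EMAIL is treated as unset, so a scoped
    API token is never paired with an email address.
    """
    token = (env.get("CF_TOKEN") or "").strip()  # CF_TOKEN: assumed variable name
    email = (env.get("CF_EMAIL") or "").strip()
    if not token:
        raise ValueError("CF_TOKEN is not set")
    if not email:
        return {"token": token}  # API Token mode (no email)
    if not GLOBAL_KEY_RE.fullmatch(token):
        raise ValueError(
            "CF_EMAIL is set but CF_TOKEN does not look like a Global API Key; "
            "unset CF_EMAIL to use a scoped API token"
        )
    return {"email": email, "token": token}  # API Key mode (email + key)


def auth_headers(kwargs):
    """Headers the Cloudflare v4 API expects for each authentication scheme."""
    if "email" in kwargs:
        # Email and API key pair
        return {"X-Auth-Email": kwargs["email"], "X-Auth-Key": kwargs["token"]}
    # Scoped API token: Bearer option
    return {"Authorization": "Bearer " + kwargs["token"]}


if __name__ == "__main__":
    # Constructed sample environments, not real credentials.
    scoped = {"CF_TOKEN": "scoped-token-placeholder", "CF_EMAIL": "  "}
    print(auth_headers(build_cf_kwargs(scoped)))
    broken = dict(scoped, CF_EMAIL="admin@example.com")
    try:
        build_cf_kwargs(broken)
    except ValueError as exc:
        print("rejected:", exc)
```

Failing at startup with this message replaces the bare "Authentication error" that otherwise only surfaces on the first DNS API call.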

@sebdanielsson

Good catch, now it's working. Thanks!
