You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Which is quite broad, and includes endpoints such as /domain/zone/<REQUIRED_DOMAIN>/terminate or DNSSEC management.
Despite it being a little more work for the user, I believe it would be better to have a more detailed and narrow list, to limit the amount of permissions the API key has, as a matter of principle.
Using Certbot 2.1, I was able to trial-and-error narrow the list down to:
GET /domain/zone/
GET /domain/zone/<REQUIRED_DOMAIN>/
GET /domain/zone/<REQUIRED_DOMAIN>/status
POST /domain/zone/<REQUIRED_DOMAIN>/refresh
GET /domain/zone/<REQUIRED_DOMAIN>/record
POST /domain/zone/<REQUIRED_DOMAIN>/record
GET /domain/zone/<REQUIRED_DOMAIN>/record/*
PUT /domain/zone/<REQUIRED_DOMAIN>/record/*
POST /domain/zone/<REQUIRED_DOMAIN>/record/*
DELETE /domain/zone/<REQUIRED_DOMAIN>/record/*
The text was updated successfully, but these errors were encountered:
Currently, the documentation for the DNS OVH plugin lists a pretty wide set of required permissions for API keys:
GET /domain/zone/
GET /domain/zone/<REQUIRED_DOMAIN>/*
PUT /domain/zone/<REQUIRED_DOMAIN>/*
POST /domain/zone/<REQUIRED_DOMAIN>/*
DELETE /domain/zone/<REQUIRED_DOMAIN>/*
Which is quite broad, and includes endpoints such as
/domain/zone/<REQUIRED_DOMAIN>/terminate
or DNSSEC management.Despite it being a little more work for the user, I believe it would be better to have a more detailed and narrow list, to limit the amount of permissions the API key has, as a matter of principle.
Using Certbot 2.1, I was able to trial-and-error narrow the list down to:
GET /domain/zone/
GET /domain/zone/<REQUIRED_DOMAIN>/
GET /domain/zone/<REQUIRED_DOMAIN>/status
POST /domain/zone/<REQUIRED_DOMAIN>/refresh
GET /domain/zone/<REQUIRED_DOMAIN>/record
POST /domain/zone/<REQUIRED_DOMAIN>/record
GET /domain/zone/<REQUIRED_DOMAIN>/record/*
PUT /domain/zone/<REQUIRED_DOMAIN>/record/*
POST /domain/zone/<REQUIRED_DOMAIN>/record/*
DELETE /domain/zone/<REQUIRED_DOMAIN>/record/*
The text was updated successfully, but these errors were encountered: