🐛 BUG: Wrangler fails token authorization when ID is not provided

Open CxRes opened this issue 3 years ago • 4 comments

What version of Wrangler are you using?

2.0.29 - 2.1.4

What operating system are you using?

Windows and Linux

Describe the Bug

Create a new token with the following permissions:

  • User > User Details > Read
  • Account > Account Settings > Read
  • Account > Cloudflare Pages > Edit

Now run CLOUDFLARE_API_TOKEN=<token> wrangler pages publish <folder> --project-name <project>

You will see an error:

Failed to automatically retrieve account IDs for the logged in user.
  You may have incorrect permissions on your API token. You can skip this account check by adding an account_id in your wrangler.toml, or by setting the value of CLOUDFLARE_ACCOUNT_ID. 

Since my token is associated with a single account, wrangler should not ask for CLOUDFLARE_ACCOUNT_ID to log me in.

This is in part a security issue, as a compromised token can be invalidated but a compromised account ID cannot!

CxRes avatar Sep 16 '22 17:09 CxRes

I can reproduce this. Has it just started happening @CxRes or is this the first time you've tried this? An account_id is not much use without access tokens, so it should not cause security concern. But I agree this needs to be fixed.

petebacondarwin avatar Sep 16 '22 19:09 petebacondarwin

@petebacondarwin So, I tried this for the first time last week and the bug was there already. But check out the #wrangler channel on Discord where others are reporting the same issue as a regression.

CxRes avatar Sep 16 '22 20:09 CxRes

OK so we looked into this and you need an additional permission, which is not added to the normal Workers Edit API token template:

  • All users - Memberships:Read

including this permission will allow the account id look-up and should unblock you and resolve this issue.

We are going to update the "Edit Cloudflare Workers" API token template to include this permission in the future.

petebacondarwin avatar Sep 17 '22 07:09 petebacondarwin

@petebacondarwin Thanks! This works for me. In fact, for Pages I only need:

  • My Account - Cloudflare Pages:Edit
  • All users - Memberships:Read

Please document at all the relevant places (specifically, the fact that All users - Memberships:Read is necessary for login without ID). IMHO these places include (at least):

  • https://developers.cloudflare.com/api/tokens/create/permissions/
  • https://developers.cloudflare.com/workers/wrangler/cli-wrangler/authentication/
  • https://developers.cloudflare.com/api/tokens/create/
  • https://support.cloudflare.com/hc/en-us/articles/4422104171533-Troubleshooting-API-Tokens-and-Keys
  • https://developers.cloudflare.com/workers/wrangler/ci-cd/
  • https://developers.cloudflare.com/cloudflare-one/api-terraform/scoped-api-tokens/
  • https://developers.cloudflare.com/api/tokens/create/template/ (for "Edit Cloudflare Workers")

Once those documentation changes are made I shall close the issue!

CxRes avatar Sep 18 '22 14:09 CxRes

Faced the same issue. On the same note ☝️ The CI/CD section in Workers docs is not very helpful. I'd hope at least for a link to the Create API token page and a note pointing out that you need to use the "Edit Cloudflare Workers" template.

domnantas avatar Oct 05 '22 20:10 domnantas

I've opened a PR internally to update the "Edit Cloudflare Workers" template to include the "User Memberships: Read" permission, and opened https://github.com/cloudflare/cloudflare-docs/pull/6273 to update the docs once the internal PR is merged. It seems to me like once those go live that should be enough to solve this problem, or am I misunderstanding?

caass avatar Oct 13 '22 19:10 caass

Yep, that should fix the issue. And CI/CD docs section got an update with a very clear explanation 🎉

domnantas avatar Oct 13 '22 20:10 domnantas

Note to self: Blocked on new dashboard release

caass avatar Oct 14 '22 13:10 caass