OctoDNS 0.19.4 and Cloudflare Authentication Error

I use Cloudflare and OctoDNS to manage my DNS zones. Today I updated OctoDNS from 0.19.2 to 0.19.4 and run into the following authentication error:

octodns_cloudflare.CloudflareAuthenticationError: Unauthorized to access requested resource
Traceback (most recent call last):
  File "/PATH/TO/REPO/github.com/lowply/dns/env/bin/octodns-dump", line 8, in <module>
  File "/PATH/TO/REPO/github.com/lowply/dns/env/lib/python3.9/site-packages/octodns/cmds/dump.py", line 34, in main
    manager.dump(args.zone, args.output_dir, args.lenient, args.split,
  File "/PATH/TO/REPO/github.com/lowply/dns/env/lib/python3.9/site-packages/octodns/manager.py", line 519, in dump
    source.populate(zone, lenient=lenient)
  File "/PATH/TO/REPO/github.com/lowply/dns/env/lib/python3.9/site-packages/octodns_cloudflare/__init__.py", line 328, in populate
    records = self.zone_records(zone)
  File "/PATH/TO/REPO/github.com/lowply/dns/env/lib/python3.9/site-packages/octodns_cloudflare/__init__.py", line 291, in zone_records
    resp = self._try_request('GET', path, params={'status': 'active'})
  File "/PATH/TO/REPO/github.com/lowply/dns/env/lib/python3.9/site-packages/octodns_cloudflare/__init__.py", line 84, in _try_request
    return self._request(*args, **kwargs)
  File "/PATH/TO/REPO/github.com/lowply/dns/env/lib/python3.9/site-packages/octodns_cloudflare/__init__.py", line 105, in _request
    raise CloudflareAuthenticationError(resp.json())
octodns_cloudflare.CloudflareAuthenticationError: Unauthorized to access requested resource

I’ve checked the Cloudflare token but it wasn’t expired. I rolled it just in case, but no luck. I learned that OctoDNS now separates providers into a different repositories, such as octodns/octodns-cloudflare so I installed it via pip and updated the config/production.yaml file to use it, but the error persists.

Quick GitHub search retuened an interesting issue: CloudflareAuthenticationError with valid token in 0.9.14 · Issue #791 · octodns/octodns. According to the report, it seems that the token now needs the Zone.Page Rules:Read permission in addition to what it has been required: Zone.DNS:Edit.


Adding the permission fixed the authentication error.