Skip to content

api: list-zones: do not send auth header#90

Draft
natalie-o-perret wants to merge 1 commit intomasterfrom
fix/list-zones-no-iam-check
Draft

api: list-zones: do not send auth header#90
natalie-o-perret wants to merge 1 commit intomasterfrom
fix/list-zones-no-iam-check

Conversation

@natalie-o-perret
Copy link
Copy Markdown

@natalie-o-perret natalie-o-perret commented Apr 28, 2026
edited
Loading

/zone is public but the server enforces IAM on authenticated requests, so a DBaaS-only key gets 403 for no reason.

In _call_operation, when the operation is list-zones, the request is sent via a plain requests.request without credentials. No IAM check fires and all zones come back.

Snippet used to verify:

from exoscale.api.v2 import Client

client = Client(key=key, secret=secret, zone="ch-gva-2")
result = client.list_zones()
zones = result["zones"]
print(f"ok: {len(zones)} zones")
for z in zones:
    print(f"  - {z['name']}")

Before (master, DBaaS-only key):

exoscale.api.exceptions.ExoscaleAPIAuthException: Authentication error 403: {"message":"Invalid request signature"}

After (this branch, same key):

ok: 8 zones
  - ch-gva-2
  - ch-dk-2
  - at-vie-1
  - de-fra-1
  - bg-sof-1
  - de-muc-1
  - at-vie-2
  - hr-zag-1

Related: exoscale/egoscale#767, exoscale/exoscale-sdk-java#14

Note

AI-assisted.

@natalie-o-perret
api: list-zones: do not send auth header
cd83127 
The /zone endpoint enforces IAM policies on authenticated requests,
causing 403 for restricted keys (e.g. DBaaS-only) even though the
endpoint returns public data.

Skip credentials for list-zones so the call always succeeds.
This was referenced Apr 28, 2026
Draft
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@natalie-o-perret