fix: bypass GetAccounts API call when CF_ACCOUNTS is set

internal/refresh/manager.go

@@ -74,22 +74,36 @@ func (m *Manager) accountLoop() {
 
 func (m *Manager) refreshAccounts() {
 	m.logger.Debug("refreshing account list")
-	ctx, cancel := context.WithTimeout(m.ctx, 30*time.Second)
-	defer cancel()
 
-	accounts, err := m.client.GetAccounts(ctx)
-	if err != nil {
-		m.logger.Error("failed to fetch accounts", "err", err)
-		m.metrics.ExporterUp.Set(0)
-		m.metrics.ExporterErrorsTotal.WithLabelValues("global", "api_error").Add(1)
-		return
-	}
+	var accounts []cf.Account
 
-	allowlist := m.cfg.AccountAllowlist()
-	if len(allowlist) > 0 {
-		before := len(accounts)
-		accounts = filterAccounts(accounts, allowlist)
-		m.logger.Debug("account allowlist applied", "before", before, "after", len(accounts))
+	// If CF_ACCOUNTS is explicitly configured, use those IDs directly without
+	// hitting the Cloudflare accounts API. This avoids permission requirements
+	// for zone-scoped tokens that cannot list accounts.
+	if ids := m.cfg.AccountIDs; len(ids) > 0 {
+		m.logger.Debug("using pre-configured account IDs, skipping API call", "count", len(ids))
+		for _, id := range ids {
+			accounts = append(accounts, cf.Account{ID: id})
+		}
+	} else {
+		ctx, cancel := context.WithTimeout(m.ctx, 30*time.Second)
+		defer cancel()
+
+		var err error
+		accounts, err = m.client.GetAccounts(ctx)
+		if err != nil {
+			m.logger.Error("failed to fetch accounts", "err", err)
+			m.metrics.ExporterUp.Set(0)
+			m.metrics.ExporterErrorsTotal.WithLabelValues("global", "api_error").Add(1)
+			return
+		}
+
+		allowlist := m.cfg.AccountAllowlist()
+		if len(allowlist) > 0 {
+			before := len(accounts)
+			accounts = filterAccounts(accounts, allowlist)
+			m.logger.Debug("account allowlist applied", "before", before, "after", len(accounts))
+		}
 	}
 
 	m.mu.Lock()