From cd8312738293a66a206fd4e92527fcccb14472b4 Mon Sep 17 00:00:00 2001
From: Natalie Perret <11332444+natalie-o-perret@users.noreply.github.com>
Date: Tue, 28 Apr 2026 18:42:40 +0200
Subject: [PATCH] api: list-zones: do not send auth header

The /zone endpoint enforces IAM policies on authenticated requests,
causing 403 for restricted keys (e.g. DBaaS-only) even though the
endpoint returns public data.

Skip credentials for list-zones so the call always succeeds.
---
 exoscale/api/generator.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/exoscale/api/generator.py b/exoscale/api/generator.py
index 3c616eb..763098f 100644
--- a/exoscale/api/generator.py
+++ b/exoscale/api/generator.py
@@ -166,9 +166,17 @@ def _call_operation(self, operation_id, parameters=None, body=None):
             # TODO validate
             json["json"] = body
 
-        response = self.http_client.request(
-            method=op["verb"].upper(), url=url, params=query_params, **json
-        )
+        # list-zones returns public data but the server enforces IAM role policies
+        # on authenticated requests — restricted keys (e.g. DBaaS-only) get 403.
+        # Send the request without credentials so it always succeeds.
+        if operation_id == "list-zones":
+            response = requests.request(
+                method=op["verb"].upper(), url=url, params=query_params, **json
+            )
+        else:
+            response = self.http_client.request(
+                method=op["verb"].upper(), url=url, params=query_params, **json
+            )
 
         # Error handling
         if response.status_code == 403: