deSEC has the functionality to create tokens that are only allowed to modify certain records, but this needs to be done manually via the API for now AFAIK.
Has anyone built a tool to automate this to some degree?
I want to be able to give this tool a record and get back an API key that is able to either manage this entire record or ideally only do the ACME DNS-01 challenge so that I can deploy it to a machine.
It will let you create new API tokens and impose policies on them. However, it’s a fairly manual process, far from the ease of use you envision. But it’s a Python module, so it should be fairly straightforward to build your own automated workflow with a few lines of code.
I’m not aware of any other tools that support token policies at all, but I did not actively search for any either.
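One way to automate the workflow asked about in this thread, as an added example that is not part of any post and not deSEC's own code. It assumes the deSEC REST API as I understand it (base URL `https://desec.io/api/v1`, token creation at `/auth/tokens/`, per-token policies at `/auth/tokens/{id}/policies/rrsets/` with the fields `domain`, `subname`, `type`, `perm_write`); the function names are hypothetical, so check the paths and fields against the current API documentation.

```python
import json
import urllib.request

API = "https://desec.io/api/v1"  # assumed base URL of the deSEC REST API


def acme_subname(fqdn, domain):
    """Return the subname of the DNS-01 TXT record for fqdn inside domain."""
    fqdn, domain = fqdn.rstrip(".").lower(), domain.rstrip(".").lower()
    if fqdn.startswith("*."):  # wildcard names validate at the base name
        fqdn = fqdn[2:]
    if fqdn == domain:
        return "_acme-challenge"
    if not fqdn.endswith("." + domain):
        raise ValueError(f"{fqdn} is not inside zone {domain}")
    return "_acme-challenge." + fqdn[: -len(domain) - 1]


def policy_bodies(fqdn, domain):
    """Policies for a token that may only write the DNS-01 TXT RRset."""
    zone = domain.rstrip(".").lower()
    return [
        # Default policy is created first and denies writes everywhere.
        {"domain": None, "subname": None, "type": None, "perm_write": False},
        # Single exception: the challenge TXT RRset for this host.
        {"domain": zone, "subname": acme_subname(fqdn, zone),
         "type": "TXT", "perm_write": True},
    ]


def _post(path, body, auth_token):
    req = urllib.request.Request(
        API + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Token " + auth_token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_acme_token(admin_token, fqdn, domain):
    """Create a restricted token and return its secret (needs network access)."""
    bodies = policy_bodies(fqdn, domain)  # validate input before any API call
    new = _post("/auth/tokens/", {"name": "acme-" + fqdn}, admin_token)
    for body in bodies:
        _post(f"/auth/tokens/{new['id']}/policies/rrsets/", body, admin_token)
    return new["token"]  # only handed out once both policies exist
```

If a policy request fails partway through, the newly created token is left without its restrictions and should be deleted with the admin token before retrying.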