Manage your Cloudflare credentials, securely.
The goal of this project is to ensure that when you need to interact with Cloudflare:
- You're not storing credentials unencrypted; and
- You're not exposing your credentials to the entire environment or to all processes; and
- You're not using long lived credentials
To achieve this, cf-vault
uses the concept of profiles with associated scopes
to either generate short lived API tokens or retrieve the API key from secure
storage (such as Mac OS keychain).
$ brew tap jacobbednarz/tap
$ brew install jacobbednarz/tap/cf-vault
-
First step is to generate a new API key or API token. Either will work however there are some subtle differences to take into consideration before choosing your path.
- API tokens are not supported by all services yet. Regardless of whether you are using the short lived credentials or long lived token, it may not work for all services and you may need to have a backup profile defined using an API key to cover all scenarios .
- API keys are supported everywhere however they cannot be scoped. API keys have the permission and scopes that your user account has. This can be dangerous so be sure to tread carefully as it may have unintended consequences.
While it is possible (and better practice of principle of least privilege), to use an API token with only permissions to create a new API token, this isn't really viable for all use cases yet. The recommended approach is to use the API key for the profile and rely on a custom policy to scope the short lived credential. This allows the best of both worlds where if you need to use a service that doesn't support API tokens, you don't need to create a new profile.
To create a new API token:
> https://dash.cloudflare.com/ > My Profile > API Tokens > Create API token
To retrieve your API key:
> https://dash.cloudflare.com/ > My Profile > API Tokens > Global API Key
-
If you're using an API key, you can skip to the next step. Otherwise, navigate through the UI and configure what permissions and resources you'd like to assign to the token. If you're looking to use an API token to generate short lived API tokens, you should only need the single predefined "Create API tokens" permission. See the section below on generating the desired TOML output for instructions on how to do automatically convert policies from API responses.
Note: Be sure to note down the API token before closing/navigating away from the UI as you won't be able to retrieve it again.
-
Once you have your API key or API token value, you can start using
cf-vault
by creating a profile. A profile is the collection of configuration that tellscf-vault
how you intend to interact with the Cloudflare credentials. You need to start by callingcf-vault add [your-profile-name]
where[your-profile-name]
is a label for what the credential/use of the profile is. Some examples:cf-vault add write-everything
cf-vault add read-only
cf-vault add super-scary-access-everything
cf-vault add api-token-to-create-other-tokens
There is no limit on how many profiles you have if you prefer to have specific profiles for your use cases.
-
Now that you have created a profile, you can use it with
cf-vault exec [your-profile-name]
.
If you do not wish to use the short lived credentials functionality,
that's totally fine and you can do so by omitting the session_duration
value
and instead the long lived credentials you've setup will be used.
cf-vault
allows you to manage your Cloudflare credentials in a safe place and
only expose the credentials to the processes that require them and only for a
limited timespan.
$ env | grep -i cloudflare
# => no results
$ cf-vault exec work -- env | grep -i cloudflare
CLOUDFLARE_VAULT_SESSION=work
CLOUDFLARE_EMAIL=jacob@example.com
CLOUDFLARE_API_KEY=s3cr3t
CF_EMAIL=jacob@example.com
CF_API_KEY=s3cr3t
If you don't provide a command, you will be dropped into a new shell with the credentials populated.
$ cf-vault exec work
$ env | grep -i cloudflare
CLOUDFLARE_VAULT_SESSION=work
CLOUDFLARE_EMAIL=jacob@example.com
CLOUDFLARE_API_KEY=s3cr3t
CF_EMAIL=jacob@example.com
CF_API_KEY=s3cr3t
$ exit
$ env | grep -i cloudflare
# => no results
If you don't need to generate a custom token policy, you can instead use one of
the predefined templates which takes care of the heavy lifting for you. You can
use read-only
(read all resources) or write-everything
(write all resources)
as the --profile-template
flag and it will generate everything needed behind
the scenes on your behalf. Note: You still need to provide
--session-duration
as well otherwise the short lived tokens will not be
generated.
Examples:
cf-vault add my-read-profile-name --profile-template "read-only" --session-duration "15m"
cf-vault add my-write-profile-name --profile-template "write-everything" --session-duration "15m"
While TOML is more readable, its not always straight forward to generate the desired output. Instead, you can use the Cloudflare dashboard to build the policy you'd like and then covert that to TOML using some tooling to avoid manually building your policy (though you can if you understand the syntax!).
-
Using
cf-vault add
create your profile following the prompts. -
Create the token you'd like to use on the command line using the Cloudflare dashboard.
-
Make the API call to fetch the token you've just created. See https://developers.cloudflare.com/api/operations/user-api-tokens-token-details or https://developers.cloudflare.com/api/operations/user-api-tokens-list-tokens to fetch all tokens.
-
Write the contents of the single
result
JSON payload to a local file. For the example, I'll useexample_token.json
for the documentation. -
Run the following command using
docker
which will pull thego-toml
tool for coverting JSON -> TOML. Remember to replaceexample_token.json
with your filename.docker run -v $PWD:/workdir pelletier/go-toml jsontoml /workdir/example_token.json
-
Paste the generated
policy
into your configuration file. You will need to adjust the structure slightly to match the hierarchy. For instance, if I have the following profile:
[profiles]
[profiles.doco-example]
auth_type = "api_token"
email = "me@example.com"
session_duration = "15m"
and my policy output:
[[policies]]
effect = "allow"
[[policies.permission_groups]]
id = "eb258a38ea634c86a0c89da6b27cb6b6"
name = "Access: Apps and Policies Read"
[[policies.permission_groups]]
id = "517b21aee92c4d89936c976ba6e4be55"
name = "Zone Settings Read"
[[policies.permission_groups]]
id = "c8fed203ed3043cba015a93ad1616f1f"
name = "Zone Read"
# .. snip
The policy needs to be updated to prepend profiles.doco-example
to the
section keys.
[[profiles.doco-example.policies]]
effect = "allow"
[[profiles.doco-example.policies.permission_groups]]
id = "eb258a38ea634c86a0c89da6b27cb6b6"
name = "Access: Apps and Policies Read"
[[profiles.doco-example.policies.permission_groups]]
id = "517b21aee92c4d89936c976ba6e4be55"
name = "Zone Settings Read"
[[profiles.doco-example.policies.permission_groups]]
id = "c8fed203ed3043cba015a93ad1616f1f"
name = "Zone Read"
# .. snip
Making the complete configuration look like:
[profiles]
[profiles.doco-example]
auth_type = "api_token"
email = "me@example.com"
session_duration = "15m"
[[policies]]
effect = "allow"
[[policies.permission_groups]]
id = "eb258a38ea634c86a0c89da6b27cb6b6"
name = "Access: Apps and Policies Read"
[[policies.permission_groups]]
id = "517b21aee92c4d89936c976ba6e4be55"
name = "Zone Settings Read"
[[policies.permission_groups]]
id = "c8fed203ed3043cba015a93ad1616f1f"
name = "Zone Read"
# .. snip