Vault Plugin: Cloudflare Access
This is a standalone backend plugin for use with HashiCorp Vault.
It lets Vault issue Cloudflare Access service tokens as leased secrets, so every token is created on demand and can be revoked through Vault.
This plugin creates ✨ zone-level 🧙 Access service tokens only. If you want the regular account-wide ones, pull requests are welcome. :neckbeard:
Getting Started
This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works. Otherwise, first read the guide on how to get started with Vault. To learn specifically about how plugins work, see the documentation on Vault plugins.
Installation
Currently no built release is distributed; you'll have to build from source for your chosen OS and architecture.
- Clone this repository and change directory into its root.
- For good measure, run the tests: `go test -v`.
- Change directory into `cmd/vault-plugin-secrets-cloudflare-access`.
- Build the plugin with `go build`, copy the resulting binary into Vault's configured plugin directory, and then take the SHA256 hash of that copy. Vault checks the hash of the binary against the registered value every time it launches the plugin and refuses to run a mismatch, so hash the file you actually installed, not a stale build.
- Register the plugin with that hash; see the Vault plugin docs for more information.
Setup (Cloudflare)
- Sign in to your Cloudflare dashboard and head over to your API Tokens page.
- Create a new token that has Edit permission on Access: Service Tokens. Scope it to just the zone(s) Vault will manage; the plugin needs nothing else.
- Keep the tab showing the secret token open for now, you will need it. This token is a long-lived credential that Vault will store, so treat it like any other privileged secret.
Setup (Vault)
- With the plugin installed from the steps above, mount it at a path of your choosing:
`vault secrets enable -path=cloudflare-access vault-plugin-secrets-cloudflare-access`
- Configure the plugin with the API token from the Cloudflare tab you kept open:
`vault write cloudflare-access/config api_token=<API token from Cloudflare>`
- Create a role for the zone you are going to create tokens for (see the Cloudflare docs for finding the Zone ID):
`vault write cloudflare-access/role/alice zone_id=<The Zone ID>`
- To test that it works, retrieve a new Cloudflare Access service token from Vault:
`vault read cloudflare-access/creds/alice`
- You should now have a service token for Cloudflare Access. Now let's revoke it, using the `lease_id` from that output. Note that the printed `lease_id` is already the full lease path (`cloudflare-access/creds/alice/<lease id>`), so pass it exactly as shown:
`vault lease revoke cloudflare-access/creds/alice/<lease id>`
All good! Remember to close that tab from the Cloudflare dashboard showing your secret API token. 🙏 Vault now holds that token in its storage backend; when you rotate it in Cloudflare, write the new value to `cloudflare-access/config` the same way.
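The Installation and Setup steps above, collected into one script. This is an added example, not code from the plugin repository: it assumes `VAULT_ADDR` and `VAULT_TOKEN` point at an unsealed Vault, that `PLUGIN_DIR` is the directory configured as Vault's `plugin_directory`, and that it runs from the repository root. The `sha256_of` and `vault_field` helpers, the `self_check` function and its sample `vault read` output are constructed for this example; the mount path `cloudflare-access` and role `alice` match the README.

```shell
#!/usr/bin/env sh
# Added example (not part of the plugin repository): build, hash, register,
# mount, configure and smoke-test the Cloudflare Access secrets plugin.
# Assumed: VAULT_ADDR/VAULT_TOKEN set, PLUGIN_DIR = Vault's plugin_directory,
# run from the repository root. Names other than the README's are illustrative.

PLUGIN_NAME=vault-plugin-secrets-cloudflare-access
PLUGIN_DIR=${PLUGIN_DIR:-/etc/vault/plugins}
MOUNT=cloudflare-access

# SHA256 hex digest of a file, portable across GNU (sha256sum) and BSD (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Pull one key's value out of the two-column table `vault read` prints (stdin).
# Used for lease_id, which Vault prints as the full lease path.
vault_field() {
  awk -v k="$1" '$1 == k {print $2; exit}'
}

# Tests at the repo root, then build straight into the plugin directory so the
# hash below is taken from the exact file Vault will load.
build_plugin() {
  go test -v && (cd "cmd/$PLUGIN_NAME" && go build -o "$PLUGIN_DIR/$PLUGIN_NAME")
}

# Vault re-hashes the binary at load time and refuses a mismatch, so always
# hash the installed copy, never a stale build artifact.
register_plugin() {
  sha=$(sha256_of "$PLUGIN_DIR/$PLUGIN_NAME")
  vault plugin register -sha256="$sha" secret "$PLUGIN_NAME"
  vault secrets enable -path="$MOUNT" "$PLUGIN_NAME"
}

# api_token=- reads the Cloudflare token from stdin, keeping it out of shell
# history and process listings.
configure_plugin() {
  vault write "$MOUNT/config" api_token=-
}

create_role() { # usage: create_role <role> <zone_id>
  vault write "$MOUNT/role/$1" zone_id="$2"
}

# Issue one service token, then revoke it by the lease_id Vault printed.
smoke_test() { # usage: smoke_test <role>
  out=$(vault read "$MOUNT/creds/$1") || return 1
  lease=$(printf '%s\n' "$out" | vault_field lease_id)
  [ -n "$lease" ] || { echo "no lease_id in vault read output" >&2; return 1; }
  vault lease revoke "$lease"
}

# Constructed sample of `vault read` table output, used only by self_check.
SAMPLE_READ_OUTPUT='Key               Value
---               -----
lease_id          cloudflare-access/creds/alice/h3LLoW0rLd
lease_duration    768h
lease_renewable   true'

# Offline check of the two helpers; needs no Vault. Returns 0 on success.
self_check() {
  f=$(mktemp) || return 1
  printf 'hello\n' > "$f"
  got=$(sha256_of "$f"); rm -f "$f"
  [ "$got" = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 ] || return 1
  [ "$(printf '%s\n' "$SAMPLE_READ_OUTPUT" | vault_field lease_id)" = \
    cloudflare-access/creds/alice/h3LLoW0rLd ] || return 1
}

# Full flow only when invoked as:  sh setup.sh run <zone_id> < cloudflare-token.txt
if [ "${1:-}" = run ]; then
  build_plugin && register_plugin && configure_plugin && \
    create_role alice "$2" && smoke_test alice
fi
```

Feed the Cloudflare API token on stdin from wherever you keep it (a file with restrictive permissions, or a password manager's CLI) rather than pasting it into the command line. To clean up every token a role has ever issued, `vault lease revoke -prefix cloudflare-access/creds/alice` revokes all leases under that path in one go.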
Contribute
Pull requests welcome, and be nice.