Security best practices for dev and prod API tokens for editing DNS for a single zone
Hello! I have example.com and dev.example.com, which are respectively my dev & prod environments.
+ dev.example.com, app.dev.example.com and a bunch of other domains with dev.example.com as a root point to a development cluster, which all developers have access to (including secrets etc).
+ example.com, app.example.com point to an isolated production cluster.
Due to the specifics of my app, the "orange cloud" is not enabled for some domains, and I need to manually generate TLS certificates with letsencrypt (https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-tokens). This is perfectly possible by creating an API token in Cloudflare for DNS zone example.com (Zone:DNS:Edit) BUT this token gives access to the entire zone (including production DNS), while I ideally need to restrict it to only allow editing *dev.example.com DNS records.
Is it in any way possible to restrict the Cloudflare DNS API token to a specific subzone/subdomain (dev.example.com)? Otherwise, in my case, anyone who has access to the dev cluster can edit production DNS records.
I am wondering how others deal with this in their dev/production environments. I guess most users are orange-clouded and hence Cloudflare provisions your certificates, but what if you need to edit DNS from within your dev/prod infra? How do you manage it?
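Since a Zone:DNS:Edit token cannot be narrowed to dev.example.com, a compensating control is to audit what the zone actually contains against the subtree the dev cluster is allowed to manage. The script below is an added example, not from this thread or from cert-manager; the record shape follows the name/type/content fields that the Cloudflare zone DNS-records listing returns, the records themselves are constructed sample data, and the ALLOWED_SUBTREE value is an assumption.

```python
"""Audit Cloudflare DNS records and flag everything outside the delegated dev subtree.

Added example (not from the thread). The dev cluster's token can edit the whole
example.com zone, so this check lists every record the dev cluster should never
have needed to touch. Records are constructed sample data, not a real zone.
"""

ALLOWED_SUBTREE = "dev.example.com"   # assumption: subtree delegated to the dev cluster

# Constructed sample of a zone listing (fields: name, type, content).
SAMPLE_RECORDS = [
    {"name": "dev.example.com", "type": "A", "content": "192.0.2.10"},
    {"name": "app.dev.example.com", "type": "A", "content": "192.0.2.11"},
    {"name": "_acme-challenge.dev.example.com", "type": "TXT", "content": "token"},
    {"name": "example.com", "type": "A", "content": "198.51.100.5"},
    {"name": "app.example.com", "type": "CNAME", "content": "example.com"},
    {"name": "notdev.example.com", "type": "A", "content": "198.51.100.6"},
]


def in_subtree(name: str, subtree: str) -> bool:
    """Label-aware check: name equals subtree or ends with '.' + subtree.

    A plain endswith(subtree) would wrongly accept 'notdev.example.com'
    for 'dev.example.com'; trailing dots and case are normalised.
    """
    name = name.rstrip(".").lower()
    subtree = subtree.rstrip(".").lower()
    return name == subtree or name.endswith("." + subtree)


def records_outside_subtree(records, subtree=ALLOWED_SUBTREE):
    """Return (name, type) for every record outside the delegated subtree."""
    return [(r["name"], r["type"]) for r in records if not in_subtree(r["name"], subtree)]


def acme_challenge_name(domain: str) -> str:
    """Name of the TXT record a DNS-01 challenge for `domain` uses.

    A wildcard '*.dev.example.com' is validated at the base name, so the dev
    cluster only ever needs '_acme-challenge.dev.example.com'.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


if __name__ == "__main__":
    for name, rtype in records_outside_subtree(SAMPLE_RECORDS):
        print(f"outside {ALLOWED_SUBTREE}: {rtype} {name}")
```

Run it against the real zone listing on a schedule from the production side (with a read-only token) and alert on any new out-of-subtree record; it will not stop a misuse of the dev token, but it surfaces one quickly.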
> Is it in any way possible to restrict the Cloudflare's DNS API token to a specific subzone/subdomain (dev.example.com)?

If you were Enterprise you could make a subdomain zone and restrict it that way. You could as well get a dedicated dev domain (devcompany.com); that makes it harder to make other mistakes as well.

> I guess most of users are orange-clouded and hence Cloudflare provisions your certificates, but what if you need to edit DNS from within your dev/prod infra? How do you manage it?

Well, even with proxy enabled, you still need some cert on your origin. CF-provided Origin Certs are an option though. You also have the option of using HTTP validation and not DNS if your certs aren't wildcard.
Thanks!
As for the Enterprise option, I can’t just buy the enterprise plan first and then start building a company with a comfortable dev subdomain. So no, this is not an option.
As for completely separating the dev domain from prod, this is indeed the only viable option I see as of now, but it comes with pitfalls in other 3p services we use. Also other kinds of questions arise: for instance even in that enterprise example, it seems that we'd have to apply a pro/business/enterprise plan twice, for dev and prod, if we would want to use features from the enterprise plan in future on dev. TL;DR As Cloudflare's pricing seems to be shaped around TLDs, we'd need to use the same for all our dev/test/dynamic/prod domains etc etc, or indeed one enterprise plan, but again, we can't start from it.
Anyways, instead of making customers to think hard, I have a feeling that just a single security feature is missing from Cloudflare offerings (a bit more granular DNS permission control), seemingly needed by many: https://community.cloudflare.com/t/restrict-scope-api-tokens-to-a-subdomain/156702/17
For now it feels that we need to compromise on security until we’re finally on the enterprise plan.
> As for the Enterprise option, I can’t just buy the enterprise plan first and then start building a company with a comfortable dev subdomain. So no, this is not an option.

Yea, I was just saying it as it's an option that some companies may use.

> for instance even in that enterprise example, it seems that we’d have to apply pro/business/enterprise plan twice, for dev and prod, if we would want to use features from the enterprise plan in future on dev.

For Pro/Biz, sure. Enterprise? The pricing is all custom and based on the exact features you need, bandwidth, etc; my understanding is the amount of domains is just another small factor in it. You have Pro Zones, Business Zones, and Enterprise Accounts.
> Enterprise? The pricing is all custom and based on the exact features you need, bandwidth, etc, my understanding is the amount of domains is just another small factor in it. You have Pro Zones, Business Zones, and Enterprise Accounts

Yea, makes sense. But as mentioned, many can't start from enterprise; there should be another solution.
Yea, it's always nice to have more granular permissions. The only other solution I could think of would be Let's Encrypt HTTP challenges: https://letsencrypt.org/docs/challenge-types/ Then you wouldn't need DNS permissions at all.
It could work, but I need a cert for the wildcard domain; the HTTP challenge doesn't allow issuing wildcard certs.
The API call is deep down in the letsencrypt library and k8s Issuer controller, as per https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-tokens. I think I could do it manually, but it would be a huge engineering overhead.