Restrict Token access to specific Cloudflare Pages application
Is there a way to restrict a token to a specific Cloudflare Pages application? I want to use this token in CI/CD to automatically upload my deployments.
15 Replies
Not to a specific one
Is there a best practice for this? I assume this is not an uncommon use case
Put it as a GitHub Actions secret and give it access to just the bare minimum amount of resources
It would still theoretically allow anyone who has push/pull access to mess with all applications, even if by accident. This is not something people typically restrict?
It's not an uncommon wish, but sadly permissions are pretty iffy right now. Keep in mind API tokens are per your user account and not per actual account either. You can only restrict them to CF accounts; no product other than R2 can scope to actual instances of a product
Even with R2, the API tokens it generates do not actually work with the cloudflare API afaik
they are only to be used with S3
At least, I never got cloudflare to accept its own tokens
Depends how you scope them? They're just normal API tokens; you'd have to make sure you're using the normal token secret and not the S3 secret (which is the sha256sum of the normal one)
Either way, my example was just saying no other product has what you're looking for other than R2, and even then that's brand new. CF just doesn't have great permissions scoping
Yeah, when using the normal token secret I get a bunch of missing permission errors, but as they are R2 tokens I cannot add the needed permissions
I don't see how it would help you to use those anyway over a specifically created token?
Yeah we are getting a bit side tracked, thanks for the help
If you use the GitHub integration with a Pages project, which most people do, you would be sort of protected in the sense that it would only be able to trigger builds for that project
Sadly we are running on our own GitLab instance
(you could probably edit them via the API if you really wanted to)
Hmm, yeah, kind of limited then. You could make separate CF accounts with specific projects & domains
it gets kind of tricky though with the fact you can only use custom apex domains with zones/domains in the same account
And I assume the double billing
If you needed Workers Paid, yeah