Skip to content

rowansmithhc/vault-plugin-secrets-cloudflare

 
 

Repository files navigation

Vault Secrets Plugin - Cloudflare

Vault secrets plugins to simplify creation, management, and revocation of Cloudflare API tokens.

This is a fork of https://github.com/bloominlabs/vault-plugin-secrets-cloudflare, created because I wanted to see a version with the following changes:

  1. Built with go 1.21
  2. Built with cloudflare-go v0.81.0
  3. Built with vault/api v1.10.0
  4. Built with vault/sdk v0.10.2
  5. Improved the README to support usability.

Usage

Configure Endpoint

  1. Download and enable plugin locally (TODO)

  2. Configure the plugin with a Cloudflare token capable of generating other tokens:

vault write /cloudflare/config/token token=<token>

Configure Policies

Note when creating policies the Cloudflare API docs are of help:

An example policy which allows for reading and editing of DNS records on a zone with the id 069d3066870c958bad1cd2a767b78g86 is included below.

  1. Create a role and supply an appropriate policy:
vault write /cloudflare/roles/<role-name> policy_document=-<<EOF
[
  {
        "effect": "allow",
        "permission_groups": [
          {
            "id": "82e64a83756745bbbb1c9c2701bf816b",
            "name": "DNS Read"
          },
          {
            "id": "4755a26eedb94da69e1066d98aa820be",
            "name": "DNS Write"
          }
        ],
        "resources": {
          "com.cloudflare.api.account.zone.069d3066870c958bad1cd2a767b78g86": "*"
        }
  }
]
EOF

Generate a Cloudflare token using the role:

vault read /cloudflare/creds/<role-name>

Rotating the Root Token

The plugin supports rotating the configured admin token to seamlessly improve security.

To rotate the token, perform a 'write' operation on the config/rotate-root endpoint

> export VAULT_ADDR="http://localhost:8200"
> vault write -f config/rotate-root
Key      Value
---      -----
name     vault-admin-{timestamp in nano seconds}

Generate a new Token

To generate a new token:

Create a new cloudflare policy and perform a 'read' operation on the creds/<role-name> endpoint.

# To read data using the api
$ vault read cloudflare/role/dns-edit
Key                Value
---                -----
lease_id           cloudflare/creds/test/956Fo9MQgleoqosK5wuMVwPC
lease_duration     768h
lease_renewable    true
id                 9c40db059267e91c7f3f22220c1536ed
token              <token>

Development

The provided Earthfile (think makefile, but using docker) is used to build, test, and publish the plugin. See the build targets for more information. Common targets include

# build a local version of the plugin
$ earthly +build

# execute integration tests
#
# use https://developers.cloudflare.com/api/tokens/create to create a token
# with 'User:API Tokens:Edit' permissions
$ TEST_CLOUDFLARE_TOKEN=<YOUR_CLOUDFLARE_TOKEN> earthly --secret TEST_CLOUDFLARE_TOKEN +test

# start vault and enable the plugin locally
earthly +dev

About

create @cloudflare api tokens using vault

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 95.6%
  • Shell 2.5%
  • Earthly 1.9%