Vault secrets plugins to simplify creation, management, and revocation of Cloudflare API tokens.
This is a fork of https://github.com/bloominlabs/vault-plugin-secrets-cloudflare, created because I wanted to see a version with the following changes:
- Built with go 1.21
- Built with cloudflare-go v0.81.0
- Built with vault/api v1.10.0
- Built with vault/sdk v0.10.2
- Improved the README to support usability.
-
Download and enable plugin locally (TODO)
-
Configure the plugin with a Cloudflare token capable of generating other tokens:
vault write /cloudflare/config/token token=<token>
Note when creating policies the Cloudflare API docs are of help:
- Token Creation information: https://developers.cloudflare.com/api/operations/user-api-tokens-create-token
- Note that only the contents of the
policies
block is required, not thename
orcondition
block etc.
- Note that only the contents of the
- The
id
values in thepermission_groups
correspond to the relevant permission groups on Cloudflare. The doc at https://developers.cloudflare.com/api/operations/permission-groups-list-permission-groups can be used as a reference to retrieve a list of values to use. - The resources block references the domains on which the permissions are applied.
- A list of zones and their details can be retrieved via the Cloudflare API, see https://developers.cloudflare.com/api/operations/zones-get for an example.
An example policy which allows for reading and editing of DNS records on a zone with the id
069d3066870c958bad1cd2a767b78g86
is included below.
- Create a role and supply an appropriate policy:
vault write /cloudflare/roles/<role-name> policy_document=-<<EOF
[
{
"effect": "allow",
"permission_groups": [
{
"id": "82e64a83756745bbbb1c9c2701bf816b",
"name": "DNS Read"
},
{
"id": "4755a26eedb94da69e1066d98aa820be",
"name": "DNS Write"
}
],
"resources": {
"com.cloudflare.api.account.zone.069d3066870c958bad1cd2a767b78g86": "*"
}
}
]
EOF
vault read /cloudflare/creds/<role-name>
The plugin supports rotating the configured admin token to seamlessly improve security.
To rotate the token, perform a 'write' operation on the
config/rotate-root
endpoint
> export VAULT_ADDR="http://localhost:8200"
> vault write -f config/rotate-root
Key Value
--- -----
name vault-admin-{timestamp in nano seconds}
To generate a new token:
Create a new cloudflare policy and perform a 'read' operation on the creds/<role-name>
endpoint.
# To read data using the api
$ vault read cloudflare/role/dns-edit
Key Value
--- -----
lease_id cloudflare/creds/test/956Fo9MQgleoqosK5wuMVwPC
lease_duration 768h
lease_renewable true
id 9c40db059267e91c7f3f22220c1536ed
token <token>
The provided Earthfile (think makefile, but using docker) is used to build, test, and publish the plugin. See the build targets for more information. Common targets include
# build a local version of the plugin
$ earthly +build
# execute integration tests
#
# use https://developers.cloudflare.com/api/tokens/create to create a token
# with 'User:API Tokens:Edit' permissions
$ TEST_CLOUDFLARE_TOKEN=<YOUR_CLOUDFLARE_TOKEN> earthly --secret TEST_CLOUDFLARE_TOKEN +test
# start vault and enable the plugin locally
earthly +dev