Commit
This introduces the ability to generate short lived tokens from your long lived credentials. Under the covers, it uses the same flow (`cf-vault add ...`) but instead of populating the environment with those credentials, it uses those credentials to call the Cloudflare API and generate an API token scoped and with a TTL you define.

Here is an example without the short lived tokens:

```toml
[profiles.long-lived-api-token]
auth_type = "api_token"
email = "[email protected]"
```

To use this, you can call `cf-vault exec long-lived-api-token` and the environment will be populated like so:

```
CLOUDFLARE_VAULT_SESSION=long-lived-api-token
CLOUDFLARE_API_TOKEN=xxxxx
```

Similarly for an API key, but with the addition of `CLOUDFLARE_EMAIL`.

Now, providing your API token (or global API key) has permissions to create new API tokens, you can update your configuration to generate the short lived credentials using the following configuration:

```toml
[profiles.my-api-key]
auth_type = "api_key"
email = "[email protected]"
session_duration = 10
permission_group_ids = [
  "c8fed203ed3043cba015a93ad1616f1f",
  "82e64a83756745bbbb1c9c2701bf816b"
]

[[profiles.my-api-key.resources]]
"com.cloudflare.api.account.zone.*" = "*"
```

Breaking down the new bits:

- `session_duration` is an integer of minutes you want to have the token alive. Generally this should be low enough to only last a session (15-60m) but does not have a maximum value.
- `permission_group_ids` is an array of permission group IDs that map to the IDs from the API[1]. Only the IDs are needed here; the names are not required.
- `resources` is a map of objects (TOML calls them inline tables?) that have a key/value combination. This represents the scopes which the *new* token will receive upon creation. For ease of creation, I recommend building the configuration you want in the UI and then, as you hit send, watch the network calls and pull in the scopes to avoid fiddling with it manually.

Example of the single use token flow:

- `cf-vault add my-long-lived-token` and follow the steps to add the new token (or API key).
- Modify your `session_duration` to be greater than 0 but within an acceptable timeframe.
- `cf-vault exec my-long-lived-token -- <cmd here>`, which will use the short lived credentials.

You're able to confirm it is working by running `cf-vault exec ... -- env | grep -i cloudflare` and looking for the new `CLOUDFLARE_SESSION_*` variables.

The recommended way to use this is to generate a single API token that has permissions to generate new tokens and store that in `cf-vault`. While the global API key will work, it isn't scoped and can create gun-foot scenarios due to having all the permissions.

Closes #1

[1]: https://api.cloudflare.com/#permission-groups-list-permission-groups
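As an added example (not cf-vault's own code), the Go snippet below shows how the new profile fields map onto the Cloudflare token-creation request body: `session_duration` becomes an `expires_on` timestamp, and `permission_group_ids` plus `resources` become one allow policy. The `Profile` and `TokenRequest` types, the token naming scheme and the sample profile are assumptions constructed for the example; the request shape follows Cloudflare's documented `POST /user/tokens` endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Profile holds the [profiles.<name>] fields from the commit (assumed struct, not cf-vault's own).
type Profile struct {
	SessionDuration    int               // minutes; 0 means export the long-lived credential as-is
	PermissionGroupIDs []string          // IDs from the permission-groups API; names are not needed
	Resources          map[string]string // e.g. "com.cloudflare.api.account.zone.*" -> "*"
}
// TokenRequest is the JSON body for Cloudflare's POST /user/tokens: a name, an expiry, one policy.
type TokenRequest struct {
	Name      string   `json:"name"`
	ExpiresOn string   `json:"expires_on"`
	Policies  []Policy `json:"policies"`
}
type Policy struct {
	Effect           string            `json:"effect"`
	Resources        map[string]string `json:"resources"`
	PermissionGroups []PermissionGroup `json:"permission_groups"`
}
type PermissionGroup struct{ ID string `json:"id"` }

// BuildTokenRequest maps a profile onto the request; session_duration <= 0 is an error (nothing to mint).
func BuildTokenRequest(name string, p Profile, now time.Time) (TokenRequest, error) {
	if p.SessionDuration <= 0 {
		return TokenRequest{}, fmt.Errorf("profile %q: session_duration must be > 0", name)
	}
	groups := make([]PermissionGroup, 0, len(p.PermissionGroupIDs))
	for _, id := range p.PermissionGroupIDs {
		groups = append(groups, PermissionGroup{ID: id})
	}
	return TokenRequest{
		Name:      fmt.Sprintf("cf-vault %s %d", name, now.Unix()),
		ExpiresOn: now.UTC().Add(time.Duration(p.SessionDuration) * time.Minute).Format(time.RFC3339),
		Policies:  []Policy{{Effect: "allow", Resources: p.Resources, PermissionGroups: groups}},
	}, nil
}

func main() {
	p := Profile{SessionDuration: 10, Resources: map[string]string{"com.cloudflare.api.account.zone.*": "*"},
		PermissionGroupIDs: []string{"c8fed203ed3043cba015a93ad1616f1f", "82e64a83756745bbbb1c9c2701bf816b"}} // constructed
	req, _ := BuildTokenRequest("my-api-key", p, time.Now())
	out, _ := json.MarshalIndent(req, "", "  ")
	fmt.Println(string(out))
}
```

Because the API sets no upper bound on the TTL, the client is the only place where a too-long `session_duration` can be caught, so a range check before calling the API is worth adding.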