CD

Cloudflare Developers•3y ago•

7 replies

Nikita Savchenko

Security best practices for dev and prod API tokens for editing DNS for a single zone

Hello! I have example.com and dev.example.com, which are respectively my dev & prod environments.

+ dev.example.com, app.dev.example.com and a bunch of other domains with

dev.example.com

dev.example.com

as a root point to a development cluster, which all developers have access to (including secrets etc).
+ example.com, app.example.com point to an isolated production cluster.

Due to a specifics of my app, the "orange cloud" is not enabled for some domains, and I need to manually generate TLS certificates with letsencrypt (https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-tokens). This is perfectly possible by creating an API token in Cloudflare for DNS zone example.com (

Zone:DNS:Edit

Zone:DNS:Edit

) BUT this token gives access to entire zone (including production DNS), while I ideally need to restrict it to only allow to edit

*dev.example.com

*dev.example.com

DNS records.

Is it in any way possible to restrict the Cloudflare's DNS API token to a specific subzone/subdomain (

dev.example.com

dev.example.com

)? As otherwise, in my case, anyone who has access to a dev cluster can edit production DNS records.

I am wondering how others deal with this in their dev/production environments. I guess most of users are orange-clouded and hence Cloudflare provisions your certificates, but what if you need to edit DNS from within your dev/prod infra? How do you manage it?