Restrict Token access to specific Cloudflare Pages application

Is there a way to restrict a token to a specific Cloudflare Pages application? I want to use this token in CI/CD to automatically upload my deployments.
15 Replies
Chaika (4mo ago)
Not to a specific one
Jeroen (4mo ago)
Is there a best practice for this? I assume this is not an uncommon use case.
Chaika (4mo ago)
Put it as a GitHub Actions secret and give it access to just the bare minimum amount of resources.
Jeroen (4mo ago)
It would still theoretically allow anyone who has push/pull access to mess with all applications, even if by accident. Is this not something people typically restrict?
Chaika (4mo ago)
It's not an uncommon wish, but sadly permissions are pretty iffy right now. Keep in mind API Tokens are per your user account and not per actual account either. You can only restrict them to CF Accounts; no other product other than R2 can scope to actual instances of a product.
Jeroen (4mo ago)
Even with R2, the API tokens it generates do not actually work with the Cloudflare API afaik; they are only to be used with S3. At least, I never got Cloudflare to accept its own tokens.
Chaika (4mo ago)
Depends how you scope them? They're just normal API Tokens; you'd have to make sure you're using the normal token secret and not the S3 secret (which is the sha256sum of the normal one). Either way, my example was just saying no other product has what you're looking for other than R2, and even then that's brand new. CF just doesn't have great permissions scoping.
Jeroen (4mo ago)
Yeah, when using the normal token secret I get a bunch of missing permission errors, but as they are R2 tokens I cannot add the needed permissions.
Chaika (4mo ago)
I don't see how it would help you to use those anyway over a specifically created token?
Jeroen (4mo ago)
Yeah, we are getting a bit sidetracked. Thanks for the help.
Chaika (4mo ago)
If you use the GitHub Integration with a Pages Project, which most people do, you would be sort of protected in the sense that it would only be able to trigger builds for that project.
Jeroen (4mo ago)
Sadly, we are running on our own GitLab instance.
Chaika (4mo ago)
(You could probably edit them via the API if you really wanted to.) Hmm, yea, kind of limited then. You could make separate CF Accounts with specific projects & domains. It gets kind of tricky though, with the fact that you can only use custom apex domains with zones/domains in the same account.
Jeroen (4mo ago)
And I assume the double billing.
Chaika (4mo ago)
If you needed Workers Paid, yea.