Restrict Token access to specific Cloudflare Pages application
Is there a way to restrict a token to a specific Cloudflare Pages application? I want to use this token in CI/CD to automatically upload my deployments.
CNot to a specific one
JIs there a best practises for this? I assume this is not an uncommon use case
CPut it as a Github Actions Secret and give it access just to the bare minimum amount of resources
JIt would still theoretically allow anyone who has push/pull access to, even if by accident, mess with all applications. This is not something people typically restrict?
CIt's not an uncommon wish but sadly permissions are pretty iffy right now. Keep in mind API Tokens are per your user account and not per actual account either. You can only restrict them to CF Accounts, no other product other then R2 can scope to actual instances of a product
JEven with R2, the API tokens it generates do not actually work with the cloudflare API afaik
Jthey are only to be used with S3
JAt least, I never got cloudflare to accept its own tokens
CDepends how you scope them? They're just normal API Tokens, you'd have to make sure you're using the normal token secret and not the s3 secret (Which is sha256sum of the normal)
CEitherway my example was just saying no other product has what you're looking for other then R2 and even then that's brand new, CF just doesn't have great permissions scoping
JYeah, when using the normal token secret I get a bunch of missing permission errors, but as they are R2 tokens I cannot add the needed permissions
CI don't see how it would help you to use those anyway over a specifically created token?
JYeah we are getting a bit side tracked, thanks for the help
CIf you use the Github Integration with a Pages Project, which most people do, you would be sort of protected in the sense that it would only be able to trigger builds for that project
JSadly we are running on our own gitlab instance
C(you could probably edit them via the API if you really wanted to)
Chmm yea kind of limited then. You could make seperate CF Accounts with specific projects & Domains
Cit gets kind of tricky though with the fact you can only use custom apex domains with zones/domains in the same account
JAnd I assume the double billing
Cif you needed Workers Paid yea
