Cloudflare Cloudflare API Tokens Announced No Longer Need Global API Key !

eva2000 · Sep 1, 2019

Finally Cloudflare has publicly announced Cloudflare API Tokens feature which allows you to narrow and restrict Cloudflare permissions to what a specific Cloudflare API Token can do. This is as opposed to the normal Cloudflare Global API Key. As a Cloudflare MVP member, I have been beta testing Cloudflare API Tokens for the past few months and it's great that I can now deploy Cloudflare API Tokens with minimal restricted permissions to only do some specific tasks via Cloudflare API, instead of using a Cloudflare Global API Key which has access to your entire Cloudflare account/billing etc.

Cloudflare also updated their official Wordpress plugin to support Cloudflare API Tokens instead of CF Global API Key as well.

I have been very hesitant in recommending to Centmin Mod users the use of Cloudflare Global API token in the past as compromise of your server or the web app utilising the Cloudflare Global API token, would mean potential compromise of your entire Cloudflare account and any and all web sites within that Cloudflare account. But now with restricted limited permission based Cloudflare API Tokens, you can restrict it to a specific domain site Cloudflare zone only etc This means I will be planning extended Cloudflare integration into Centmin Mod LEMP stack for supporting Cloudflare API to enhance your sites via Cloudflare API Token based API usage

About API Tokens
API Tokens provide three main capabilities:

Scoping API Tokens by Cloudflare resource

Scoping API Tokens by permission

The ability to provision multiple API Tokens

Let’s break down each of these capabilities.

Scoping API Tokens by Cloudflare Resource
Cloudflare separates service configuration by zone which typically equates to a domain. Additionally, some customers have multiple accounts each with many zones. It is important that when granting API access to a service it only has access to the accounts resources and zones that are pertinent for the job at hand. API Tokens can be scoped to only cover specific accounts and specific zones. One common use case is if you have a staging zone and a production zone, then an API Token can be limited to only be able to affect the staging zone and not have access to the production zone.

Scoping API Tokens by Permission
Being able to scope an API Token to a specific zone is great, but in one zone there are many different services that can be configured: firewall rules, page rules, and load balancers just to name a few. If a customer has a service that should only be able to create new firewall rules in response to traffic patterns, then also allowing that service to change DNS records is a violation of least privilege. API Tokens allow you to scope each token to specific permission. Multiple permissions can be combined to create custom tokens to fit specific use cases.

Multiple API Tokens
If you use Cloudflare to protect and accelerate multiple services, then may be making API changes to Cloudflare from multiple locations - different servers, VMs, containers, or workers. Being able to create an API Token per service means each service is insulated to changes from another. If one API Token is leaked or needs to be rolled, there won’t be any impact to the other services’ API Tokens. Also the capabilities mentioned previously mean that each service can be scoped to exactly what actions and resources necessary. This allows customers to better realize the practice of least privilege for accessing Cloudflare by API.

Now let’s walk through how to create an API Token and use it.
Click to expand...

Using API Tokens
To create your first API Token go to the ‘API Tokens’ section of your user profile which can be found here: dash.cloudflare.com/profile/api-tokens
Click to expand...

And yes Cloudflare is moving from Global API Keys to API Token method eventually, so your scripts and setups should start looking at conversion to support Cloudflare API Tokens

What’s coming next
For anyone using the Cloudflare API, we recommend moving to using API Tokens over their predecessor API Keys going forward. With this announcement, our Terraform provider, Cloudflare-Go library, and WordPress plugin are all updated for API Token compatibility. Other libraries will receive updates soon. Both API Tokens and API Keys will be supported for the time being for customers to be able to safely migrate. We have more planned capabilities for API Tokens to further safeguard how and when tokens are used, so stay tuned for future announcements!

Let us know what you think and what you'd like to see next regarding API security on the Cloudflare Community.
Click to expand...

Example of some of my Cloudflare API Token's I created for my custom Cloudflare Analytics/Argo API query stats reporting script and my generic Wordpress API Token restricted permissions (yes I now also use Cloudflare custom Workers for more advanced caching )

Custom zone restricted Analytics/logs and Argo stats API query API Token permssions

Which allow me to write custom scripts which report Argo analytics stats like this

Then my custom Wordpress Cloudflare API Token permissions for a restricted zone only.

AFAIK, for general Cloudflare Wordpress plugin usage, you don't need the Account level permissions, only Zone ones for:

Zone Settings:Edit

DNS:Read

Zone:Edit

Cache Purge:Edit

Analytics:Read

Log in / Register

Forums

Welcome to Centmin Mod Community

Cloudflare Cloudflare API Tokens Announced No Longer Need Global API Key !

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

Cloudflare Cloudflare API Tokens Announced No Longer Need Global API Key !

eva2000 Administrator Staff Member

.