Best practices for provisioning zero-trust tunnels to cloud instances

I’m interested in using Cloudflare Zero-Trust to access a fleet of ephemeral cloud (AWS) instances via SSH, but I’m facing a few problems – here’s my situation:

  • Since I want to SSH to each instance separately, I need a unique tunnel for each instance (I can’t reuse tunnel keys across multiple instances).
  • Precreating a fixed number of tunnels manually and then assigning them to instances somehow is inappropriate – the number of instances in the fleet can change (from autoscaling) and I’d like provisioning of new instances to be automatic.
  • I don’t want to share an API token that can create tunnels with instances – it looks like API token scoping for Cloudflare Access has only “read” and “edit” levels, so I can’t have a token that can, for example, only create new tunnels without being allowed to delete existing ones. I’d rather instances not be able to impact tunnels belonging to other instances.

So, a few questions –

  • Is my read on API token scoping correct, or is it possible to create an API token with access only to create new tunnels (and not edit/delete existing ones)? This would let my instances manage their own tunnels.
  • I can pull out tunnel creation logic to a serverless function (Lambda) that instances are allowed to call – if I do this, is there any tunnel/Access API sample code available (aside from cloudflared itself)? The Access API documentation is fine, but there are some gaps 🙂
  • Any other possible solutions to this problem that I’m not thinking of?
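Added example (not code from the original post, Cloudflare or AWS) sketching the broker design from the second question: a function that alone holds the account-scoped API token, creates exactly one tunnel per instance, and hands the caller back only the four fields cloudflared reads from its credentials file. The HTTP call is injected so the module runs offline; `fake_post`, the account/token placeholders and the `ssh-<instance-id>` naming are constructed assumptions, and the `cfd_tunnel` endpoint and body shape should be checked against the current API reference before use.

```python
"""Tunnel-broker sketch: one tunnel per instance, token never leaves the broker.

Hypothetical example for the question above. The HTTP POST is injected so the
module runs offline; fake_post mimics the response shape of
POST /accounts/{account_id}/cfd_tunnel (assumed; verify against current docs).
"""

import re
import uuid
import base64
import secrets
from typing import Callable, Dict

API_BASE = "https://api.cloudflare.com/client/v4"
# EC2 instance-id shape; rejecting anything else keeps tunnel names predictable
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8,17}$")

# (url, headers, json_body) -> decoded JSON reply
PostFn = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


class TunnelBroker:
    """Holds the account-scoped API token; instances only ever see their own creds."""

    def __init__(self, account_id: str, api_token: str, post: PostFn):
        self.account_id = account_id
        self._api_token = api_token
        self._post = post
        self._issued: Dict[str, str] = {}  # instance_id -> tunnel id already handed out

    def create_tunnel_for(self, instance_id: str) -> Dict[str, str]:
        """Create a tunnel named after the instance and return its credentials."""
        if not INSTANCE_ID_RE.match(instance_id):
            raise ValueError(f"rejecting malformed instance id {instance_id!r}")
        if instance_id in self._issued:
            # One tunnel per instance: a repeat call cannot mint a second one
            raise PermissionError(
                f"{instance_id} already holds tunnel {self._issued[instance_id]}"
            )
        # 32 random bytes, base64-encoded, is the secret format cloudflared expects
        tunnel_secret = base64.b64encode(secrets.token_bytes(32)).decode()
        tunnel_name = f"ssh-{instance_id}"
        reply = self._post(
            f"{API_BASE}/accounts/{self.account_id}/cfd_tunnel",
            {
                "Authorization": f"Bearer {self._api_token}",
                "Content-Type": "application/json",
            },
            {"name": tunnel_name, "tunnel_secret": tunnel_secret},
        )
        if not reply.get("success"):
            raise RuntimeError(f"tunnel creation failed: {reply.get('errors')}")
        tunnel_id = reply["result"]["id"]
        self._issued[instance_id] = tunnel_id
        # The four fields cloudflared reads from its --credentials-file JSON
        return {
            "AccountTag": self.account_id,
            "TunnelID": tunnel_id,
            "TunnelName": tunnel_name,
            "TunnelSecret": tunnel_secret,
        }


def fake_post(url: str, headers: Dict[str, str], body: Dict[str, str]) -> Dict:
    """Constructed offline stand-in for the Cloudflare API; no network involved."""
    assert url.endswith("/cfd_tunnel")
    assert headers["Authorization"].startswith("Bearer ")
    # Deterministic id derived from the name so the run is reproducible
    tunnel_id = str(uuid.uuid5(uuid.NAMESPACE_URL, body["name"]))
    return {"success": True, "errors": [], "result": {"id": tunnel_id, "name": body["name"]}}


if __name__ == "__main__":
    broker = TunnelBroker("ACCOUNT-ID-PLACEHOLDER", "API-TOKEN-PLACEHOLDER", fake_post)
    creds = broker.create_tunnel_for("i-0123456789abcdef0")
    print({k: (v if k != "TunnelSecret" else "<redacted>") for k, v in creds.items()})
```

In a real deployment the `post` argument would be a thin wrapper around your HTTP client, the token would come from the function's secret store, and the instance id would be taken from the caller's verified identity rather than the request body, so an instance can only ever obtain a tunnel named for itself.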