How are you supposed to enroll a non-GUI server to a Cloudflare for Teams organization?

Pretty much the same as this question. warp-cli’s “teams-enroll” subcommand can supposedly take a client id–client secret pair to do noninteractive enrollment. I’m on a free plan which supposedly doesn’t support generating service tokens. I can, though, generate them from the “Access” page in the Cloudflare dashboard, but then warp-cli won’t accept them:

Failed to enroll: Custom { kind: Other, error: “InvalidResponse” }

What is the “official” way to enroll devices without a GUI? Is this just an unsupported scenario?

This would require a service token. Are you running the command like this?

warp-cli-teams-enroll --access-client-id [client-id] --access-client-secret [client-secret]

From the help output:

Enroll with Cloudflare for Teams

    warp-cli teams-enroll [OPTIONS] <team>

    -h, --help       Prints help information
    -V, --version    Prints version information

        --access-client-id <CLIENT_ID>            Client ID for non-interactive authentication.
        --access-client-secret <CLIENT_SECRET>    Client secret for non-interactive authentication.

1 Like

Enrollment fails when I use service tokens generated form the dashboard.

# warp-cli teams-enroll [scrubbed] --access-client-id '[scrubbed].access' --access-client-secret '[scrubbed]'
Failed to enroll: Custom { kind: Other, error: "InvalidResponse" }

Other than from the dashboard I’m not sure where I can generate service tokens. I’m on a free plan.

Alright, I’ve figured it out: you need to add a rule in your device enrollment policy to allow for the service token you want to use, and the rule’s action should be “service auth” (not “allow”).

1 Like