I'd like to give another user access to manage the DNS settings for just this domain name

I’d like to give another user access to manage the DNS settings for just one domain name (I have over 100 in my account). The domain was transferred to Cloudflare a short while ago so I cannot move it elsewhere. I also cannot move it to a new Cloudflare account.

I have tried to create a new Cloudflare account for the other user to access but I’m being asked to replace my current Cloudflare nameservers with new Cloudflare nameservers. That seems to be impossible to do (or am I missing something?). That’s why I’m asking if it’s possible to give someone access to manage DNS for just a single domain name within my current Cloudflare account?

Based on your requirements, your only option is to generate an API Token and have the user make all their DNS changes through the API.

https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys

https://api.cloudflare.com/#dns-records-for-a-zone-properties
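The suggestion above (and the later point in this thread that third parties usually ask for the Global API Key, which grants everything in the account) comes down to scoping: an API token can be limited to the permission Zone > DNS > Edit on one named zone, so whoever holds it can change that zone's records and nothing else. The following is an added example, not code from the thread or from Cloudflare, of a minimal client that uses only the Bearer-token scheme against the documented `/client/v4/zones/{zone_id}/dns_records` and `/client/v4/user/tokens/verify` endpoints. The environment variable names, the zone ID and the token are placeholders; the transport is injectable so the client can be exercised offline.

```python
"""
Manage DNS records for exactly one Cloudflare zone with a scoped API token.

Added example, not from the thread. Assumes the token was created with only
Zone > DNS > Edit, restricted to the single zone identified by the zone ID.
CLOUDFLARE_API_TOKEN / CLOUDFLARE_ZONE_ID are assumed variable names.
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_request(token, method, path, body=None):
    """Return (method, url, headers, body_bytes) for one Cloudflare v4 call.
    Only the Bearer header is used; the Global API Key scheme
    (X-Auth-Key / X-Auth-Email) is deliberately not supported here."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    data = None if body is None else json.dumps(body).encode()
    return method, f"{API_BASE}{path}", headers, data


def parse_response(raw):
    """Every Cloudflare response is wrapped in {success, errors, messages,
    result}. Raise on failure so a mis-scoped token (for example code 10000,
    'Authentication error') is never mistaken for success."""
    payload = json.loads(raw)
    if not payload.get("success"):
        errs = "; ".join(f"{e.get('code')}: {e.get('message')}"
                         for e in payload.get("errors", []))
        raise RuntimeError(f"Cloudflare API error: {errs or 'unknown'}")
    return payload["result"]


def urllib_send(method, url, headers, data):
    """Default transport: a real HTTPS call (not used by the offline test)."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


class ZoneDns:
    """DNS operations bound to one zone ID. `send` is injectable so the class
    can be driven with canned responses."""

    def __init__(self, token, zone_id, send=urllib_send):
        self.token, self.zone_id, self.send = token, zone_id, send

    def _call(self, method, path, body=None):
        return parse_response(
            self.send(*build_request(self.token, method, path, body)))

    def verify_token(self):
        """GET /user/tokens/verify: confirm the token is active before use."""
        return self._call("GET", "/user/tokens/verify")

    def list_records(self, rtype=None):
        path = f"/zones/{self.zone_id}/dns_records"
        if rtype:
            path += f"?type={rtype}"
        return self._call("GET", path)

    def add_mx(self, name, exchange, priority, ttl=1):
        """Create one MX record. ttl=1 means 'automatic' in Cloudflare's API."""
        body = {"type": "MX", "name": name, "content": exchange,
                "priority": priority, "ttl": ttl}
        return self._call("POST", f"/zones/{self.zone_id}/dns_records", body)


def add_mx_set(zone, domain, hosts):
    """Create a whole MX set, e.g. the list a mail provider publishes.
    `hosts` is a list of (priority, exchange) pairs supplied by the caller."""
    return [zone.add_mx(domain, exchange, prio) for prio, exchange in hosts]


if __name__ == "__main__":
    # Stand-alone use against the real API (assumed variable names).
    zone = ZoneDns(os.environ["CLOUDFLARE_API_TOKEN"],
                   os.environ["CLOUDFLARE_ZONE_ID"])
    print("token:", zone.verify_token().get("status"))
    for rec in zone.list_records("MX"):
        print(rec["priority"], rec["content"])
```

If the token was scoped to a different zone than the one in `CLOUDFLARE_ZONE_ID`, `list_records` raises instead of returning an empty list, which is the behaviour you want when handing a token to someone outside the account.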

Thank you for that update. I think it’s unreasonable for me to ask a client to use an API when all they want to do is let Google Workspace set up their MX records automatically.

I wish Cloudflare would allow domain-level access (and further restrict to DNS only) under my account so I could keep everything under one roof too. This is frustrating and makes me almost wish I had never moved the domain to Cloudflare.

They do, and I just showed you how.

It sounds like you want to give someone access to your dashboard. But only part of your dashboard.

Putting client domains in your personal account is often a problem, which is why you should set up separate accounts for separate clients, then enable Multi User Access to give you access to their account, rather than the other way around.

https://support.cloudflare.com/hc/en-us/articles/205065067-Setting-up-Multi-User-accounts-on-Cloudflare

Yes, I see that now but didn’t realize it over the past few years and I now have over 100 domain configurations set up. I’m struggling to understand what to do now to move some domains out of my personal account but still have access to them. I don’t have a “select account” dropdown option in Cloudflare when I login like the example in the support doc you linked above shows.

Thank you for your insights on this.

I confess that I don’t use Multi-User, but it just so happens I have that dropdown, but only because of the way my own particular Cloudflare account works. If you ignore that part, you should still see the “Members” tab.

But that’s backwards. You want to create a new account for that client. It’s best to set up a Gmail account as well because that email address will be the login and recovery for that account:

  1. Gmail account: [email protected] with a password that your client should know as well. You need access to this email account as it controls the new Cloudflare account you’ll create next. So don’t use a client’s personal address you don’t have a login for.
  2. Cloudflare account: [email protected], but your client will need to know this password.

Then you log into that new client account here and go to the Members tab and invite your main account to join. Now you’ll get that dropdown menu so you can switch over to that new client Cloudflare account.

Remember that you’ll have to go through the same “Add Site” onboarding process in the new account, including changing the name servers at the registrar.

You may have to copy DNS records over as well, but this will help:
https://support.cloudflare.com/hc/en-us/articles/200168856-Importing-and-exporting-DNS-records

Thank you for these instructions. Am I correct that the shared email address would be the super-admin and my old login would merely become the admin when I linked the accounts?

In any case, I see two potential problems for me:

  1. Minor-ish problem: Sharing passwords is a security risk and virtually eliminates 2FA usage, right? That concerns me.
  2. Major problem: The domain name I’m trying to address is registered at Cloudflare and Cloudflare cannot move a domain name registered at Cloudflare from one account to another right now. That seems to also mean I cannot update the name servers.

For number 1 I can create an alias email on my side that auto-forwards to me and the client so either of us could reset the password as needed. That seems to eliminate the shared password issue for me while giving us both access. It doesn’t address 2FA.

Number 2 above is my big problem in this case. It’s further compounded by the transfer timeframe: I cannot even move this domain out of Cloudflare to another registrar since it was recently transferred (so I cannot unlock it). It seems I’m stuck in a loop here.

Does this all make sense?

That’s correct. Granted, this gives the client the ability to completely shoot themselves in the foot, but hopefully they’re smarter than that. However, given that it’s their site, I feel they have the right to control their property.

I don’t see how you can give them access to DNS settings without some sort of authentication. But you’re not really sharing a login. There’s an account with a password that you really won’t be using because you’ll access it from your own 2FA-protected account.

Speaking of 2FA, when you get that QR code, there’s usually a numerical code that goes along with it. You can plug that code into a different authenticator and have synced 2FA.

Yes, that’s a major problem. It’s extremely difficult to get Cloudflare to transfer a registration to a different account. I believe it’s possible, but you’d have to open a ticket to ask. Going back to #1, it’s still my opinion that a client should have control of their property, and domain registration is a big deal in my book. It should ultimately be controlled by an account they have access to.

This will be an arduous process, but I feel it’s the right thing to do and will get them that DNS access they want.

Getting back to that…how is Google Workspace going to set up their MX records “automatically”? MX record changes should be quick and easy.

I’m not exactly sure but Google Workspace must use the Cloudflare API because they want to login to Cloudflare and do the MX records themselves. I don’t like it personally but I don’t like a lot of the way Google does some things.

I agree with you in principle on the domain issue. On the practical side, I’ve found that clients tend to lose their domain names when I don’t manage them on their behalf (not paying due to an expired credit card is a big problem). They also get scammed and some have paid those bogus “invoices” they get in the mail. My compromise is to let them know the domain is theirs (that’s detailed on their invoice too) and I’ll move it to them upon request but will manage it for them if they don’t want the hassle. Most just want me to “take care of it”.

Thank you for the synced 2FA tip. I wasn’t aware of that possibility.

API isn’t the same thing as logging in. And if they’re like other third-parties that use the API, it’s usually the Global API key they want, which is the keys to the kingdom. Granted, if this is for a separate account, it’s “less bad”, but if Google Workspace knows how to use API tokens, you can easily allow this from your current account.

If it’s logging in, that’s a clumsy approach. As they’d either have a human do this manually, or have an automated process that stumbles around the account messing with settings.

I’m sure in your case this is fine, but if I were advising someone, I advise them to keep an iron grip on their domain registration because it’s extremely valuable and is the key to their online presence. If you die, they’ll have a hard time getting that domain back.

Agreed on both points.

I’ve got to dig around more in Google to see how they are doing this and why they “need to” login. As you noted that bothers me as well.

Thank you for your help in this challenge.
