OpenID Connect Authentication for Cloudflare API

It would be nice if the Cloudflare API can support OpenID Connection authentication. In essence, one would establish trust between Cloudflare and our environment (such as a CI / CD pipeline) before hand. During runtime, when we need to access the Cloudflare API, we would exchange a signed JWT that is verified by Cloudflare’s authentication in exchange for an access token.

We have been updating our pipelines to use oidc to access resources in AWS, Azure and Vault while running GitHub Actions pipelines and it works really well. We have now completely eliminated static credentials from our pipelines.

Examples from GitHub’s documentation: About security hardening with OpenID Connect - GitHub Docs

3 Likes

+1

I’m using OIDC for GitHub Actions to auth with AWS, and it’s so sweet. Zero secret in my repo, and I can safely manage my AWS account from there.

I was considering switching some services from AWS to Cloudflare, but Cloudflare not having this kind of secret-less auth is giving me pause.