Restricted API keys


#1

As far as I know there are only 2 API keys for any account:

  • The Global API key
  • The Origin CA API key

The Global API key is essentially the authentication to your whole account; it can do ANYTHING.

The Origin CA key is essentially the first step towards this idea, since it is restricted to only obtaining certificates from Cloudflare's Origin CA.

The problem is that if you want to automate ANYTHING in your account except for the Origin certs (for example dynamically updating a DNS record to make a dynamic DNS, or having software obtain wildcard Let's Encrypt certificates, which need a certain TXT record set) you have to entrust the system with your Global API key.

This means that if anything happens to the key, for example if the machine is hacked or whatever, the entity who obtained the key can do EVERYTHING in your whole account, even things that aren't even remotely related to what the client has to do. An attacker could, for example, mess with the complete domain data of totally different domains or whatever.

However, if such a restricted API key were in place, one that for example could only mess with

  • _acme-challenge.example.com
  • _acme-challenge.*.example.com
  • (and so on)

and only their TXT records, an attacker would be able to get a rogue certificate, but that's it; anything else is relatively safe.
The same goes if you, for example, had a restricted API key that can only change the A records on dyn.example.com: an attacker can do a lot less damage if there were restricted API keys.

And not only that: if you need to run multiple API clients on your account (for example multiple servers, each for a domain, or whatever), such split API keys would also mean that if one of the servers gets hacked you don't need to revoke the key for all the servers, but just the ones that got hit.

Obviously this is also helpful for companies: when they have separate departments they can get separate keys and not accidentally (or purposely) mess with each other, and when


#2

+1

I would certainly like to be able to create API keys with restricted scope, like GitHub keys work.


#3

Indeed. I’d like to be able to create as many API keys as I like, with each having a flexible set of permissions.

Ideally this would include account wide permissions (listing, adding/removing domains, similar).

Domain-level permissions, and specific features. A request would need both the domain and the feature to be permitted.
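The scoped-key model @My1 sketches in #1 (a key that may only touch TXT records under `_acme-challenge` names in one zone) and the "both the domain and the feature must be permitted" rule from #3 can be written down as a small authorization check. The following Python is an added example for this thread; it is not Cloudflare's API, token format or permission names, and the feature names, token ids and zones in it are constructed for illustration. The fail2ban case from later in the thread is included as a second feature so the per-client revocation point is visible.

```python
"""Toy model of scoped API tokens: deny by default, allow only when a scope
grants the exact (zone, feature, action) requested. Hypothetical model, not
Cloudflare's real token system."""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict


@dataclass(frozen=True)
class Scope:
    """One grant. For the constructed 'dns_records' feature the grant can be
    narrowed to record types and record-name patterns, where a '*' label
    matches exactly one DNS label (like a DNS wildcard)."""
    zone: str
    feature: str
    actions: frozenset
    record_types: frozenset = frozenset()   # empty = any record type
    name_patterns: tuple = ()               # empty = any name in the zone


@dataclass
class Token:
    token_id: str
    scopes: tuple          # tuple of Scope
    revoked: bool = False


@dataclass(frozen=True)
class Request:
    zone: str
    feature: str
    action: str
    record_type: Optional[str] = None
    record_name: Optional[str] = None


def name_matches(pattern: str, name: str) -> bool:
    """Label-wise match: same label count, '*' stands for one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    return all(p == "*" or p == n for p, n in zip(p_labels, n_labels))


def scope_permits(scope: Scope, req: Request) -> bool:
    """Zone, feature and action must all match; DNS narrowing applies if set."""
    if scope.zone.lower() != req.zone.lower() or scope.feature != req.feature:
        return False
    if req.action not in scope.actions:
        return False
    if scope.record_types and req.record_type not in scope.record_types:
        return False
    if scope.name_patterns:
        if req.record_name is None:
            return False
        if not any(name_matches(p, req.record_name) for p in scope.name_patterns):
            return False
    return True


def authorize(token: Token, req: Request) -> Tuple[bool, str]:
    """Deny by default; the reason string is what an audit log would record."""
    if token.revoked:
        return False, f"{token.token_id}: token revoked"
    for scope in token.scopes:
        if scope_permits(scope, req):
            return True, f"{token.token_id}: allowed by {scope.feature}@{scope.zone}"
    return False, f"{token.token_id}: no scope grants {req.action} on {req.feature}@{req.zone}"


# Constructed tokens (hypothetical ids, zones and feature names).
ACME_TOKEN = Token("acme-server-1", (
    Scope("example.com", "dns_records", frozenset({"read", "edit"}),
          record_types=frozenset({"TXT"}),
          name_patterns=("_acme-challenge.example.com", "_acme-challenge.*.example.com")),
))
FAIL2BAN_TOKEN = Token("fail2ban-host-1", (
    Scope("example.com", "firewall_access_rules", frozenset({"read", "edit"})),
))


def demo() -> Dict[str, bool]:
    """Scenarios from the thread, mapped to whether the request is allowed."""
    cases = {
        "acme edits its own TXT record": (ACME_TOKEN, Request("example.com", "dns_records", "edit", "TXT", "_acme-challenge.example.com")),
        "acme edits wildcard-cert TXT record": (ACME_TOKEN, Request("example.com", "dns_records", "edit", "TXT", "_acme-challenge.www.example.com")),
        "acme tries to change an A record": (ACME_TOKEN, Request("example.com", "dns_records", "edit", "A", "www.example.com")),
        "acme tries a deeper name": (ACME_TOKEN, Request("example.com", "dns_records", "edit", "TXT", "_acme-challenge.a.b.example.com")),
        "acme tries another zone": (ACME_TOKEN, Request("other.com", "dns_records", "edit", "TXT", "_acme-challenge.other.com")),
        "acme tries firewall rules": (ACME_TOKEN, Request("example.com", "firewall_access_rules", "edit")),
        "fail2ban bans an IP": (FAIL2BAN_TOKEN, Request("example.com", "firewall_access_rules", "edit")),
        "fail2ban tries DNS": (FAIL2BAN_TOKEN, Request("example.com", "dns_records", "edit", "A", "www.example.com")),
    }
    return {name: authorize(tok, req)[0] for name, (tok, req) in cases.items()}


def demo_revocation() -> Tuple[bool, bool]:
    """Two servers, two tokens: revoking the compromised one leaves the other working."""
    scope = Scope("example.com", "firewall_access_rules", frozenset({"edit"}))
    healthy, compromised = Token("host-a", (scope,)), Token("host-b", (scope,))
    compromised.revoked = True
    req = Request("example.com", "firewall_access_rules", "edit")
    return authorize(healthy, req)[0], authorize(compromised, req)[0]


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
    print("after revoking host-b:", demo_revocation())
```

The point of the model is the deny-by-default shape: every request has to name a zone and a feature, and a token only succeeds when one of its scopes covers both, so a leaked ACME key gets at most a rogue certificate and a leaked fail2ban key gets at most firewall-rule changes, exactly the blast-radius reduction the posts above are asking for.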


#4

+1 :+1:


#5

Full support for this request. At the barest minimum, I would like to have one key per domain.


#6

Everything you said here @My1 is true. Stay tuned as we know this is a gap in our product, and are planning to make this experience better.


#7

Already voted, but I wanted to add that my desired use case is /exactly/ the one described by @My1. I'm not willing to put my main API key on a server that needs to update a Let's Encrypt certificate and is behind a firewall, which leaves me in the position of having to do manual updates every three months. :frowning:


#8

+1 please


#9

I am trying to create a service user, e.g. a user that is restricted to doing only the work it needs to do to get its job done, i.e. the security principle of least privilege. The current granularity of basic user access inside of a company account is not flexible enough to create a user account that only has access to control a single service (e.g. DNS) in a single domain.

I am not going to request full user access along the lines of AWS IAM, however granting a single user access to a single service, in a single domain seems like a request of reasonable constraint and consistent with best practices.


#10

Has this feature been implemented just yet? I'm using fail2ban and there's a Cloudflare ban action that I thought was going to be useful until I found out that Cloudflare only has 2 API keys, neither of which can have their permissions customized.

If my server gets compromised, I probably wouldn’t mind them having control over banning/unbanning IPs, but having full access is a whole different ball game.

Hoping for this to get implemented soon so I can avoid the alternatives.


#11

+1 for this feature!


#12

+1 from me as well.
That would be a very useful feature.