Service Tokens not working with Access Policies

Two others and I spent a whole 2.5 hours trying to debug why we couldn’t access an Argo Tunnel using the Service Token we created and included in an Access Policy. It turns out (as I discovered from a fellow forum post) that one must select the Non Identity decision instead of Allow in order for Service Token Include rules to actually work. Why is it even possible to add a Service Token to an Allow policy if that won’t work? This is UX 101.
There is zero documentation that I can find on this, and the error returned by the tunnel when trying to access with client id/secret is a generic “client credentials rejected by cloudflare access”. I am clearly not the only one who has experienced this frustration.
Cloudflare, please improve the UX, or at the very least improve the documentation in this area. It would be great if Access could provide a more descriptive error message. Some sort of warning when adding a Service Token to a Policy it won’t work with would certainly be helpful to many others, as well.

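To make the policy pitfall from the post above concrete, here is an added Terraform example (not code from the original post or from Cloudflare) showing the two policy shapes side by side: an Allow policy that includes a service token, which is the combination the thread reports as not working, and the Service Auth (`non_identity`) policy that is required. The resource and attribute names follow the Cloudflare Terraform provider's `cloudflare_access_application`, `cloudflare_access_service_token` and `cloudflare_access_policy` resources; the account id, application name, hostname and token name are hypothetical placeholders.

```hcl
# Hypothetical account id placeholder; replace with your own.
variable "account_id" {
  type    = string
  default = "0123456789abcdef0123456789abcdef"
}

# The Access application sitting in front of the tunnelled origin.
resource "cloudflare_access_application" "internal_app" {
  account_id       = var.account_id
  name             = "internal-app"            # hypothetical
  domain           = "app.example.internal"    # hypothetical hostname
  session_duration = "24h"
}

# The service token a non-interactive client (CI runner, cron job, etc.) will present.
resource "cloudflare_access_service_token" "ci_runner" {
  account_id = var.account_id
  name       = "ci-runner"                     # hypothetical token name
}

# WRONG: an "allow" decision is an identity-based decision. Including a
# service token here is accepted by the API/dashboard, but a client
# presenting the token's client id/secret will still be rejected, which is
# exactly the symptom described in the thread.
resource "cloudflare_access_policy" "broken_allow_with_token" {
  application_id = cloudflare_access_application.internal_app.id
  account_id     = var.account_id
  name           = "broken-allow-with-service-token"
  precedence     = 2
  decision       = "allow"

  include {
    service_token = [cloudflare_access_service_token.ci_runner.id]
  }
}

# CORRECT: "non_identity" is the Service Auth decision. Only this decision
# evaluates service-token Include rules, so the same token now authenticates.
resource "cloudflare_access_policy" "service_auth" {
  application_id = cloudflare_access_application.internal_app.id
  account_id     = var.account_id
  name           = "ci-service-token"
  precedence     = 1
  decision       = "non_identity"

  include {
    service_token = [cloudflare_access_service_token.ci_runner.id]
  }
}

# The generated credentials are sensitive; export them only to a secret store,
# never to logs or plan output.
output "ci_runner_client_id" {
  value     = cloudflare_access_service_token.ci_runner.client_id
  sensitive = true
}

output "ci_runner_client_secret" {
  value     = cloudflare_access_service_token.ci_runner.client_secret
  sensitive = true
}
```

Keeping the Service Auth policy at a lower precedence number than any identity-based policies means a service-token request is matched by the `non_identity` rule first; a human user without the token falls through to the normal Allow policies. Treat the `client_secret` output like any other credential: store it in your CI secret store and rotate the token if it is ever exposed.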

Hi @hmnd!

https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-service-token#add-the-service-token-to-an-app-rule does say:

To use a service token, you must select Service Auth instead.

Pull requests to the GitHub repo cloudflare/cloudflare-docs (Cloudflare’s developer docs) are always welcome.

Forgot about that! Will certainly send one in :).