I previously had two legacy policies in Zero Trust. While troubleshooting a separate issue, I deleted these legacy policies and recreated them as reusable policies. Now, I am not able to select the reusable policies for my existing Access application or WARP Client Device Enrollment. I am directed on these configuration pages to create a new policy. I’m also unable to recreate the old legacy policies, so now I’m unable to authenticate to the application through Cloudflare or register new WARP clients.
What steps have you taken to resolve the issue?
Tried different browsers (Chrome, Edge) and incognito window
Checked browser DevTools, I see a CORS error for request to https://sparrow.cloudflare.com/api/v1/event but this appears to be unrelated. Another request to https://dash.cloudflare.com/api/v4/accounts/<account_id>/access/policies is successful and I see the list of policies in the response.
What are the steps to reproduce the issue?
I believe this issue might be specific to my account, but here is all that I did:
Remove legacy policies and associations to existing applications
Create a new reusable policy and save
Navigate to Access > Applications > Edit > Policies
Expected result:
I should see an option to select from the list of existing policies
Observed result:
No option to select existing policies, only an option to create new ones which takes me back to the Access > Policies page.
Here is the list of reusable policies I am expecting to be able to choose from in Access application policies and WARP Client Device Enrollment policies pages.
This is a bug in Zero Trust.
If all policies for an application are deleted, you won’t be able to reassign any existing policies to it. It only prompts you to create a new policy, even though there are plenty of existing ones available. For self-hosted applications, this can be worked around by deleting and re-creating the application. However, when I was unaware of this bug, I f**ked up my App Launcher — which, unfortunately, cannot be deleted and recreated (assuming you all know what App Launcher is).
I’ve written a PowerShell script to resolve this “application with no policies assigned will die” bug. Before running it, you’ll need to fill in 4 or 5 variables:
1. Application ID - Get the Application ID of the application you want to rescue. If you’re rescuing your App Launcher, you can skip this step.
2. Policy ID - Choose one of your existing reusable policies and obtain its Policy ID.
3. Cloudflare Email Address - The email you use to log in to your Cloudflare account.
4. Cloudflare Account ID - This is the long alphanumeric string shown in the address bar when you’re logged into the Cloudflare dashboard.
5. Global API Key - Copy it from your Cloudflare Profile (top-right corner of Cloudflare dashboard). You can change it after use.
Here is my PowerShell script. Read the comments, fill in your values, and run it with PowerShell on Windows:
```powershell
# Replace ****** with the application ID for the application to rescue, or leave it
# as is if the application to rescue is App Launcher.
$applicationIDForApplicationToRescue = "******"

# Pick an existing reusable policy and fill in its policy ID. This policy will be
# assigned to the application to rescue.
$policyIDForPolicyToApply = ""

# Fill in your Cloudflare account email address, account ID, and global API key.
```
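As an added example (not the poster's own script), the same repair done against the Cloudflare v4 API from PowerShell: locate the target application (the App Launcher by type when no ID is given), fetch its current definition, and update it with one reusable policy attached by reference. The endpoint paths, the `app_launcher` type value, the read-only fields stripped before the update, and the `policies` array shape are assumptions to check against the current Cloudflare API documentation; all credential values are placeholders.

```powershell
# Added example; endpoint shapes below are assumptions, verify against Cloudflare API docs.
$accountId = "<ACCOUNT_ID>"           # placeholder: Cloudflare account ID
$email     = "<CLOUDFLARE_EMAIL>"     # placeholder: dashboard login email
$apiKey    = "<GLOBAL_API_KEY>"       # placeholder: Global API Key (a scoped API token with Bearer auth is the least-privilege choice)
$policyId  = "<REUSABLE_POLICY_ID>"   # placeholder: reusable policy to attach
$appId     = ""                       # placeholder; empty means "rescue the App Launcher" (assumption)

$headers = @{
    "X-Auth-Email" = $email
    "X-Auth-Key"   = $apiKey
    "Content-Type" = "application/json"
}
$appsUri = "https://api.cloudflare.com/client/v4/accounts/$accountId/access/apps"

function Get-TargetAppId {
    # Without an explicit ID, find the App Launcher by its type (assumed to be "app_launcher").
    if (-not [string]::IsNullOrWhiteSpace($appId)) { return $appId }
    $apps = (Invoke-RestMethod -Method Get -Uri $appsUri -Headers $headers).result
    $launcher = $apps | Where-Object { $_.type -eq "app_launcher" } | Select-Object -First 1
    if (-not $launcher) { throw "No App Launcher application found in account $accountId" }
    return $launcher.id
}

$targetId = Get-TargetAppId
$app = (Invoke-RestMethod -Method Get -Uri "$appsUri/$targetId" -Headers $headers).result
if ($app.policies -and $app.policies.Count -gt 0) {
    Write-Host "Application '$($app.name)' already has $($app.policies.Count) policy(ies); nothing to do."
    return
}

# Attach the reusable policy by reference; precedence 1 makes it the first policy evaluated.
$app | Add-Member -NotePropertyName policies -NotePropertyValue @(@{ id = $policyId; precedence = 1 }) -Force

# Drop read-only fields the API returns but is assumed not to accept on update.
foreach ($ro in @("id", "aud", "created_at", "updated_at")) {
    if ($app.PSObject.Properties[$ro]) { $app.PSObject.Properties.Remove($ro) }
}

$body = $app | ConvertTo-Json -Depth 10
$resp = Invoke-RestMethod -Method Put -Uri "$appsUri/$targetId" -Headers $headers -Body $body
if ($resp.success) {
    Write-Host "Attached policy $policyId to application $targetId"
} else {
    throw ("Update failed: " + ($resp.errors | ConvertTo-Json -Compress))
}
```

The script refuses to touch an application that still has policies, so it only acts on the "no policies assigned" state described in the post.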