Skip to content

Lucretius/vault-plugin-auth-cloudflare-access

Repository files navigation

Vault Plugin: Cloudflare Access Auth Backend

Note! This plugin is based off a fork of the Vault JWT Auth Plugin, and has just been modified to work with Cloudflare's specific implementation of OIDC, using the programmatic token verification outlined here

This is a standalone backend plugin for use with Hashicorp Vault. This plugin allows for Cloudflare Access specific JWTs to authenticate with Vault.

Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected].

Quick Links

- Vault Website: https://www.vaultproject.io
- JWT Auth Docs: https://www.vaultproject.io/docs/auth/jwt.html
- Main Project Github: https://www.github.com/hashicorp/vault

Getting Started

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to get started with Vault.

To learn specifically about how plugins work, see documentation on Vault plugins.

Usage

Compile it using go build (inside the cmd/vault-plugin-auth-cloudflare-access folder, where main.go is)

This plugin will need to be added to Vault like so:

SHASUM=$(shasum -a 256 "<PLUGIN_BINARY_PATH>" | cut -d " " -f1) vault write sys/plugins/catalog/auth/cloudflare   sha_256="$SHASUM" \   command="vault-plugin-auth-cloudflare-access"
Success! Data written to: sys/plugins/catalog/auth/cloudflare
$ vault auth enable -path=cloudflare cloudflare 
Success! Enabled cloudflare method at: cloudflare/

Configuration

The plugin has the following configuration options:

default_role The default role to be given to those logging in using this method

auth_domain The domain of your Cloudflare Access configuration, i.e. https://sampledomain.cloudflareaccess.com

audience_tag The audience tag of your Cloudflare Access application

You can set them like so:

vault write auth/cloudflare/config auth_domain=https://<AUTH_DOMAIN>.cloudflareaccess.com default_role=<my-role> audience_tag=<CF AUDIENCE TAG>

Create a role:

vault write auth/cloudflare/role/<my-role> policies=<my-policies> user_claim=<user_claim> groups_claim=<groups_claim>

where user_claim is probably something like email, and groups_claim is groups. These are automatically pulled from Cloudflare's identity endpoint after the token is validated (see Groups within a JWT)

To login use your JWT you get from running

cloudflared access token -app=<CLOUDFLARE_APP>
vault write auth/cloudflare/login jwt=<JWT>

In order to use with the UI, you will need to use the generated token from the CLI login call.

Tests

Tests are currently broken!

If you are developing this plugin and want to verify it is still functioning (and you haven't broken anything else), we recommend running the tests.

To run the tests, invoke make test:

$ make test

You can also specify a TESTARGS variable to filter tests like so:

$ make test TESTARGS='--run=TestConfig'

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages