update tunnel permissions
ranbel committed Dec 13, 2024
1 parent afb54d8 commit 8af6822
Showing 4 changed files with 19 additions and 5 deletions.
Expand Up @@ -6,6 +6,8 @@ sidebar:

---

import { Render } from "~/components";

Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:

* **An account certificate** (`cert.pem`) is issued for a Cloudflare account when you login to `cloudflared`. Make sure you are intentional about the locations and machines you store this certificate on, as this certificate allows users to create, delete, and manage all tunnels for the account.
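Review bot: The new `import { Render } from "~/components";` line is only consumed by the `<Render file="tunnel/account-scoped-roles" />` tag added further down in this file, so the import itself is fine; one consistency point is that the other page touched by this commit extends its existing `import { TabItem, Tabs, Render }` list rather than adding a separate statement, and picking one style for both would keep the docs imports uniform.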
Expand All @@ -26,8 +28,10 @@ Refer to the table below for a comparison between the two files and the purposes
| **Valid for** | At least 10 years, and the service token it contains is valid until revoked | Does not expire |
| **Needed to** | Manage tunnels (for example, create, route, delete and list tunnels) | Run a tunnel. Create a config file. |



## Tunnel ownership

Tunnel ownership is bound to the Cloudflare account for which the `cert.pem` file was issued upon authenticating `cloudflared`. If a user in a Cloudflare account creates a tunnel, any other user in the same account who has access to the `cert.pem` file for the account can delete, list, or otherwise manage tunnels within it.

## Account-scoped roles

<Render file="tunnel/account-scoped-roles" />
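Review bot: Three consecutive blank lines precede `## Tunnel ownership` in this hunk; collapse them to one. More substantively, the new `## Account-scoped roles` section now sits directly after the statement that anyone with the account `cert.pem` can delete, list, or manage every tunnel, and the partial it renders describes a different control (dashboard and API roles). A one-line lead-in in the section saying that these roles govern dashboard and API access independently of who holds `cert.pem` would keep readers from conflating the two permission models.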
Expand Up @@ -5,7 +5,7 @@ sidebar:
order: 1
---

import { TabItem, Tabs } from "~/components";
import { TabItem, Tabs, Render } from "~/components";

If you created a Cloudflare Tunnel [from the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/), the tunnel runs as a service on your OS.

Expand Down Expand Up @@ -310,4 +310,4 @@ The tunnel token is now fully rotated. The old token is no longer in use.

### Account-scoped roles

Account members with [Cloudflare Access](/cloudflare-one/roles-permissions/) and [DNS](/fundamentals/setup/manage-members/roles/) permissions will be able to create, delete, and configure all tunnels for the account.
<Render file="tunnel/account-scoped-roles" />
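Review bot: This hunk changes the documented permission requirement, not just the formatting: the removed sentence stated that both the Cloudflare Access and DNS roles are needed to create, delete, and configure all tunnels, while the partial that replaces it lists Cloudflare Access alone as the minimum and DNS only for routing traffic to a public hostname. That is a narrowing of required privileges, so confirm it matches what the dashboard and API actually enforce before merging, and consider calling the change out in the commit message since readers auditing member roles will rely on it.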
Expand Up @@ -25,7 +25,7 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/setup/account/account-security/review-audit-logs/). |
| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations for all domains in account. |
| Billing | Can edit the account’s [billing profile](/fundamentals/subscriptions-and-billing/create-billing-profile/) and subscriptions |
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) policies. |
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) and [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). |
| Cache Purge | Can purge the edge cache. |
| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). |
| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/). |
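Review bot: The updated `Cloudflare Access` row now reads "Can edit Cloudflare Access and Cloudflare Tunnel", which drops the word "policies" and does not say what tunnel capabilities the role grants. Stating the scope explicitly, for example "Can edit Cloudflare Access policies and create, delete, and configure Cloudflare Tunnels", would match the new partial and make it clear to anyone assigning roles that this role is broader than tunnel management alone.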
@@ -0,0 +1,10 @@
---
{}

---

Minimum permissions needed to create, delete, and configure tunnels for an account:
- [Cloudflare Access](/cloudflare-one/roles-permissions/)

Additional permissions needed to [route traffic to a public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
- [DNS](/fundamentals/setup/manage-members/roles/)
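Review bot: The "Minimum permissions" list names only the Cloudflare Access role, but per the roles table in this same commit that role also allows editing Access policies, so an account member added purely to operate tunnels receives more than tunnel rights. A short sentence in this partial noting that the Access role carries Access policy permissions as well would help account admins apply least privilege deliberately. Also, the `---` / `{}` / blank line / `---` frontmatter is unusual; if that is the established convention for partials in this repository it is fine, otherwise drop the stray blank line.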
