Commit
update tunnel permissions (#18739)
ranbel authored Dec 17, 2024
Verified: This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 8e46d4f commit eccaa15
Showing 4 changed files with 19 additions and 5 deletions.
@@ -6,6 +6,8 @@ sidebar:

---

import { Render } from "~/components";

Tunnel permissions determine who can run and manage a Cloudflare Tunnel. Two files control permissions for a locally-managed tunnel:

* **An account certificate** (`cert.pem`) is issued for a Cloudflare account when you login to `cloudflared`. Make sure you are intentional about the locations and machines you store this certificate on, as this certificate allows users to create, delete, and manage all tunnels for the account.
@@ -26,8 +28,10 @@ Refer to the table below for a comparison between the two files and the purposes
| **Valid for** | At least 10 years, and the service token it contains is valid until revoked | Does not expire |
| **Needed to** | Manage tunnels (for example, create, route, delete and list tunnels) | Run a tunnel. Create a config file. |



## Tunnel ownership

Tunnel ownership is bound to the Cloudflare account for which the `cert.pem` file was issued upon authenticating `cloudflared`. If a user in a Cloudflare account creates a tunnel, any other user in the same account who has access to the `cert.pem` file for the account can delete, list, or otherwise manage tunnels within it.

## Account-scoped roles

<Render file="tunnel/account-scoped-roles" />
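Review bot: the new "Account-scoped roles" section added at the end of this hunk should say how dashboard roles relate to `cert.pem` on a page that is about locally-managed tunnels. The "Tunnel ownership" paragraph immediately above states that any user with access to the account's `cert.pem` can delete, list, or manage tunnels, and the rendered partial then lists the Cloudflare Access role as the minimum permission; a reader cannot tell whether a dashboard role is required in addition to the certificate, or whether either alone is sufficient. One sentence before the `<Render file="tunnel/account-scoped-roles" />` line stating which of these applies would remove the ambiguity.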
@@ -5,7 +5,7 @@ sidebar:
order: 1
---

import { TabItem, Tabs } from "~/components";
import { TabItem, Tabs, Render } from "~/components";

If you created a Cloudflare Tunnel [from the dashboard](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/), the tunnel runs as a service on your OS.

@@ -310,4 +310,4 @@ The tunnel token is now fully rotated. The old token is no longer in use.

### Account-scoped roles

Account members with [Cloudflare Access](/cloudflare-one/roles-permissions/) and [DNS](/fundamentals/setup/manage-members/roles/) permissions will be able to create, delete, and configure all tunnels for the account.
<Render file="tunnel/account-scoped-roles" />
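Review bot: the sentence replaced at the top of this hunk stated that both Cloudflare Access and DNS permissions are needed to create, delete, and configure tunnels; the partial that replaces it makes Cloudflare Access alone the minimum and DNS an additional permission for public hostname routing only. That is a change to the documented permission model rather than a wording change, so it should be confirmed against the product's actual role checks before merge, since it lowers the privileges an administrator will grant for tunnel management, and the commit message would benefit from saying that the minimum role changed.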
@@ -25,7 +25,7 @@ Account-scoped roles apply across an entire Cloudflare account, and through all
| Audit Logs Viewer | Can view [Audit Logs](/fundamentals/setup/account/account-security/review-audit-logs/). |
| Bot Management (Account-wide) | Can edit [Bot Management](/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](/bots/get-started/pro/)) configurations for all domains in account. |
| Billing | Can edit the account’s [billing profile](/fundamentals/subscriptions-and-billing/create-billing-profile/) and subscriptions |
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) policies. |
| Cloudflare Access | Can edit [Cloudflare Access](/cloudflare-one/policies/access/) and [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/). |
| Cache Purge | Can purge the edge cache. |
| Cloudflare DEX | Can edit [Cloudflare DEX](/cloudflare-one/insights/dex/). |
| Cloudflare Gateway | Can edit [Cloudflare Gateway](/cloudflare-one/policies/gateway/) and read [Access](/cloudflare-one/identity/). |
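Review bot: the updated Cloudflare Access row reads "Can edit [Cloudflare Access] and [Cloudflare Tunnel]", which drops the object "policies" that the previous row had and is less specific than neighbouring rows such as "Can edit ... configurations for all domains in account". Suggest "Can edit [Cloudflare Access] policies and create, delete, and configure [Cloudflare Tunnel]s for the account", matching the wording of the new partial, so that an administrator assigning this role sees that it grants account-wide tunnel management and not only an Access policy scope.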
@@ -0,0 +1,10 @@
---
{}

---

Minimum permissions needed to create, delete, and configure tunnels for an account:
- [Cloudflare Access](/cloudflare-one/roles-permissions/)

Additional permissions needed to [route traffic to a public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/):
- [DNS](/fundamentals/setup/manage-members/roles/)
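Review bot: the first list in the new partial says "tunnels for an account", whereas the sentence it replaces on the remote-tunnel page said "all tunnels for the account"; keep the word "all" so the account-wide scope of the Cloudflare Access role stays explicit, since that is the least-privilege point a reader of a permissions page needs. Also check that the blank line between `{}` and the closing `---` inside the frontmatter at the top of this hunk is intended, as none of the other frontmatter blocks in this commit have one.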