mirror of https://github.com/go-acme/lego.git synced 2024-11-21 13:25:48 +02:00

docs: update least privilege instructions for Cloudflare (#2339)

This commit is contained in:
Josh McKinney 2024-11-10 16:12:07 -08:00 committed by GitHub
parent 06dfe51e17
commit faf1e0d56a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 2 deletions

View File

@ -98,12 +98,13 @@ Then pass the API token as `CF_DNS_API_TOKEN` to Lego.
**Alternatively,** if you prefer a more strict set of privileges,
you can split the access tokens:
* Create one with *Zone / Zone / Read* permissions and scope it to all your zones.
* Create one with *Zone / Zone / Read* permissions and scope it to all your zones or just the individual zone you need to edit.
This is needed to resolve domain names to Zone IDs and can be shared among multiple Lego installations.
Pass this API token as `CF_ZONE_API_TOKEN` to Lego.
* Create another API token with *Zone / DNS / Edit* permissions and set the scope to the domains you want to manage with a single Lego installation.
Pass this token as `CF_DNS_API_TOKEN` to Lego.
* Repeat the previous step for each host you want to run Lego on.
* It is possible to use the same api token for both variables if it is given `Zone:Read` and `DNS:Edit` permission for the zone.
This "paranoid" setup is mainly interesting for users who manage many zones/domains with a single Cloudflare account.
It follows the principle of least privilege and limits the possible damage, should one of the hosts become compromised.
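Review bot: the new last bullet of this hunk writes the permissions as `Zone:Read` and `DNS:Edit`, which does not match the *Zone / Zone / Read* and *Zone / DNS / Edit* notation used in the bullets just above; use one form so readers can map it to the same Cloudflare token settings, and write "API token" rather than "api token" as the rest of the section does. That bullet also needs a caveat to stay consistent with the least-privilege paragraph that follows it: a single combined token only preserves the isolation described here if it is scoped to that one zone and not shared between hosts, since a token with DNS edit rights that is reused across installations widens what a compromised host can change. Finally, the rewritten first bullet now allows scoping the read token to a single zone, but the next line still says it "can be shared among multiple Lego installations"; suggest "can be shared among multiple Lego installations that manage the same zone(s)".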

View File

@ -46,12 +46,13 @@ Then pass the API token as `CF_DNS_API_TOKEN` to Lego.
**Alternatively,** if you prefer a more strict set of privileges,
you can split the access tokens:
* Create one with *Zone / Zone / Read* permissions and scope it to all your zones.
* Create one with *Zone / Zone / Read* permissions and scope it to all your zones or just the individual zone you need to edit.
This is needed to resolve domain names to Zone IDs and can be shared among multiple Lego installations.
Pass this API token as `CF_ZONE_API_TOKEN` to Lego.
* Create another API token with *Zone / DNS / Edit* permissions and set the scope to the domains you want to manage with a single Lego installation.
Pass this token as `CF_DNS_API_TOKEN` to Lego.
* Repeat the previous step for each host you want to run Lego on.
* It is possible to use the same api token for both variables if it is given `Zone:Read` and `DNS:Edit` permission for the zone.
This "paranoid" setup is mainly interesting for users who manage many zones/domains with a single Cloudflare account.
It follows the principle of least privilege and limits the possible damage, should one of the hosts become compromised.
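Review bot: this hunk is line for line the same as the one above, so the same notation fix (`Zone:Read` / `DNS:Edit` versus *Zone / Zone / Read* and *Zone / DNS / Edit*), the "API token" capitalisation, the single-zone caveat for a combined token, and the "shared among ... installations that manage the same zone(s)" wording apply here too. Since the same paragraph is maintained in two files, it is worth checking whether one is generated from the other so that future edits only need to land in the source file.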