ConductorOne provides identity governance for Cloudflare Zero Trust. Integrate your Cloudflare Zero Trust instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.
Alternative credential option: If you do not want to generate and use an API token for the integration, Cloudflare Zero Trust also accepts authentication via an API key and the corresponding account’s email address. Find your API keys by navigating to My Profile > API Tokens.
1
Click the user icon and select My Profile.
2
Click API Tokens on the left side, then click Create Token.
3
At the bottom of the page, in the Custom Token area, click Get started.
4
Fill out the Create Custom Token page as follows:
Give the API token a name, such as ConductorOne
Set the appropriate permissions for the API token:If you want to use ConductorOne to provision Cloudflare Zero Trust groups and roles, set:
Account -> Account Settings -> Read
Account -> Access: Organizations, Identity Providers, and Groups -> Edit
Account -> Access: Apps and Policies -> Read
Account -> Access: Audit Logs -> Read
Otherwise, set:
Account -> Account Settings -> Read
Account -> Access: Organizations, Identity Providers, and Groups -> Read
Account -> Access: Apps and Policies -> Read
Account -> Access: Audit Logs -> Read
Click Continue to summary.
5
Click Create Token and copy the token generated for you.
That’s it! You should now have one of the following credentials sets:
Account ID
API token
OR
Account ID
The email address associated with your Cloudflare account
Global API key
Next, move on to the instructions for your chosen setup method.
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of Cloudflare Zero Trust credentials generated by following the instructions above
Cloud-hosted
Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
1
In ConductorOne, navigate to Admin > Connectors and click Add connector.
2
Search for Cloudflare Zero Trust and click Add.
3
Choose how to set up the new Cloudflare Zero Trust connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Choose how you’ll authenticate to Cloudflare Zero Trust:
Select API token, then enter the account ID into the Account ID field and paste the API token into the API token field.
Select Email + API key, then enter the account ID into the Account ID field, your email into the Email ID field, and your Global API key into the API key field.
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Cloudflare Zero Trust connector is now pulling access data into ConductorOne.
Follow these instructions to use the Cloudflare Zero Trust connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.
Step 1: Set up a new Cloudflare Zero Trust connector
1
In ConductorOne, navigate to Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new Cloudflare Zero Trust connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.
# baton-cloudflare-zero-trust-secrets.yamlapiVersion: v1kind: Secretmetadata: name: baton-cloudflare-zero-trust-secretstype: OpaquestringData: # ConductorOne credentials BATON_CLIENT_ID: <ConductorOne client ID> BATON_CLIENT_SECRET: <ConductorOne client secret> # Cloudflare Zero Trust credentials, option 1 BATON_ACCOUNT_ID: <Cloudflare Zero Trust account ID> BATON_API_TOKEN: <Cloudflare Zero Trust API token> # Cloudflare Zero Trust credentials, option 2 BATON_ACCOUNT_ID: <Cloudflare Zero Trust account ID> BATON_API_KEY: <Cloudflare Zero Trust global API key> BATON_EMAIL: <Email address for your Cloudflare Zero Trust account> # Optional: include if you want ConductorOne to provision access using this connector BATON_PROVISIONING: true
See the connector’s README or run --help to see all available configuration flags and environment variables.
Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Cloudflare Zero Trust connector to. Cloudflare Zero Trust data should be found on the Entitlements and Accounts tabs.
That’s it! Your Cloudflare Zero Trust connector is now pulling access data into ConductorOne.
