Inside DigitalOcean’s SOX Compliance Playbook

ConductorOne docs

Set up a Cloudflare Zero Trust connector

ConductorOne provides identity governance for Cloudflare Zero Trust. Integrate your Cloudflare Zero Trust instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Capabilities

ResourceSyncProvision
Accounts
Access groups
Roles

Available hosting methods

Choose the hosting method that best suits your needs:

MethodAvailabilityNotes
Cloud hostedA built-in, no-code connector hosted by ConductorOne.
Self-hostedThe Cloudflare Zero Trust connector, hosted and run in your own environment.

Gather Cloudflare Zero Trust credentials

Each setup method requires you to pass in credentials generated in Cloudflare Zero Trust. Gather these credentials before you move on.

A user with Super Administrator access in Cloudflare Zero Trust must perform this task.

Locate your Cloudflare Account ID

  1. Log into your Cloudflare Super Administrator account and select Workers from the left nav.

  2. On the Workers page, find your Account ID on the right side of the page.

  3. Copy and save the Account ID.

Create an API Token

Alternative credential option: If you do not want to generate and use an API token for the integration, Cloudflare Zero Trust also accepts authentication via an API key and the corresponding account’s email address. Find your API keys by navigating to My Profile > API Tokens.

  1. Click the user icon and select My Profile.

  2. Click API Tokens on the left side, then click Create Token.

  3. At the bottom of the page, in the Custom Token area, click Get started.

  4. Fill out the Create Custom Token page as follows:

    1. Give the API token a name, such as ConductorOne

    2. Set the appropriate permissions for the API token:

      If you want to use ConductorOne to provision Cloudflare Zero Trust groups and roles, set:

      • Account -> Account Settings -> Read
      • Account -> Access: Organizations, Identity Providers, and Groups -> Edit
      • Account -> Access: Apps and Policies -> Read
      • Account -> Access: Audit Logs -> Read

      Otherwise, set:

      • Account -> Account Settings -> Read
      • Account -> Access: Organizations, Identity Providers, and Groups -> Read
      • Account -> Access: Apps and Policies -> Read
      • Account -> Access: Audit Logs -> Read

    3. Click Continue to summary.

  5. Click Create Token and copy the token generated for you.

That’s it! You should now have one of the following credentials sets:

  • Account ID
  • API token

OR

  • Account ID
  • The email address associated with your Cloudflare account
  • Global API key

Next, move on to the instructions for your chosen setup method.

Set up a Cloudflare Zero Trust cloud-hosted connector

To complete this task, you’ll need:

  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Cloudflare Zero Trust credentials generated by following the instructions above

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Cloudflare Zero Trust and click Add.

  3. Choose how to set up the new Cloudflare Zero Trust connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. Find the Settings area of the page and click Edit.

  7. Choose how you’ll authenticate to Cloudflare Zero Trust:

    • Select API token, then enter the account ID into the Account ID field and paste the API token into the API token field.

    • Select Email + API key, then enter the account ID into the Account ID field, your email into the Email ID field, and your Global API key into the API key field.

  8. Click Save.

  9. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Cloudflare Zero Trust connector is now pulling access data into ConductorOne.

Set up a Cloudflare Zero Trust cloud-hosted connector using Terraform

As an alternative to the cloud-hosted setup process described above, you can use Terraform to configure the integration between Cloudflare Zero Trust and ConductorOne.

See the ConductorOne Cloudflare Zero Trust integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.

Set up a Cloudflare Zero Trust self-hosted connector

To complete this task, you’ll need:

  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Cloudflare Zero Trust credentials generated by following the instructions above

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Why use Kubernetes? Kubernetes provides automated deployment, scaling, and management of your connectors. It ensures high availability and reliable operation of your connector services.

Step 1: Configure the Cloudflare Zero Trust connector

  1. In ConductorOne, navigate to Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose how to set up the new Cloudflare Zero Trust connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. In the Settings area of the page, click Edit.

  7. Click Rotate to generate a new Client ID and Secret.

    Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Cloudflare Zero Trust connector deployment:

Secrets configuration

# baton-cloudflare-zero-trust-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-cloudflare-zero-trust-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # Cloudflare Zero Trust credentials, option 1
  BATON_ACCOUNT_ID: <Cloudflare Zero Trust account ID>
  BATON_API_TOKEN: <Cloudflare Zero Trust API token>

  # Cloudflare Zero Trust credentials, option 2
  BATON_ACCOUNT_ID: <Cloudflare Zero Trust account ID>
  BATON_API_KEY: <Cloudflare Zero Trust global API key>
  BATON_EMAIL: <Email address for your Cloudflare Zero Trust account>

  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-cloudflare-zero-trust.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-cloudflare-zero-trust
  labels:
    app: baton-cloudflare-zero-trust
spec:
  selector:
    matchLabels:
      app: baton-cloudflare-zero-trust
  template:
    metadata:
      labels:
        app: baton-cloudflare-zero-trust
        baton: true
        baton-app: cloudflare-zero-trust
    spec:
      containers:
      - name: baton-cloudflare-zero-trust
        image: ghcr.io/conductorone/baton-cloudflare-zero-trust:latest
        args: ["service"]
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-cloudflare-zero-trust-secrets

Step 3: Deploy the connector

  1. Create a namespace in which to run ConductorOne connectors (if desired):

    kubectl create namespace baton-cloudflare-zero-trust

  2. Apply the secret configuration:

    kubectl -n baton-cloudflare-zero-trust apply -f baton-cloudflare-zero-trust-secrets.yaml

  3. Apply the deployment:

    kubectl -n baton-cloudflare-zero-trust apply -f baton-cloudflare-zero-trust.yaml

Step 4: Verify the deployment

  1. Check that the deployment is running:

    kubectl -n c1 get pods

  2. View the connector logs:

    kubectl -n c1 logs -l app=baton-${baton-cloudflare-zero-trust}

  3. Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Cloudflare Zero Trust connector to. Cloudflare Zero Trust data should be found on the Entitlements and Accounts tabs.

That’s it! Your Cloudflare Zero Trust connector is now pulling access data into ConductorOne.