Connect through Cloudflare Access using a CLI
Cloudflare's cloudflared
command-line tool allows you to interact with endpoints protected by Cloudflare Access. You can use cloudflared
to interact with a protected application's API.
These instructions are not meant for configuring a service to run against an API. The token in this example is tailored to user identity and intended only for an end user interacting with an API via a command-line tool.
This walkthrough covers how to:
- Connect to resources secured by Cloudflare Access from a CLI
Time to complete:
30 minutes
Once you have installed cloudflared
, you can use it to retrieve a Cloudflare Access application token. This walkthrough uses the domain example.com
as a stand-in for a protected API.
-
To generate a token, run the following command:
With this command,
cloudflared
launches a browser window containing the same Access login page found when attempting to access a web application. -
Select your identity provider and log in.
If the browser window does not launch, you can use the unique URL that is automatically printed to the command line.
- Once you have successfully authenticated, the browser returns the token to
cloudflared
in a cryptographic transfer and stores it.
The token is valid for the session duration configured by the Access administrator.
Once you have retrieved a token, you can access the protected API. The cloudflared
command-line tool includes a wrapper for transferring data via curl
, which uses URL syntax (for more, see the curl ↗ GitHub project). The wrapper injects the token into the curl
request as a query argument named token. You can invoke the wrapper as follows:
It is possible also to use the put
command with cloudflared
for any Unix tool to include the token in the request.
Read on for other available commands.
The login
command initiates the login flow for an application behind Access.
The curl
command invokes the client wrapper and includes the token in the request automatically.
The token
command retrieves the token scoped to that specific application for use in other command-line tools.
It is possible to save the token as an environment variable for convenience and concision in scripts that access a protected application.
Set up a token as an environment variable as follows:
-
Run the following command to export the token to the shell environment:
-
Confirm the token was saved with the following:
Once you have exported the token to your environment, use the variable with the Cloudflare Access request header in the script to access a protected endpoint, as in the following example: