Protect an R2 Bucket with Cloudflare Access
You can secure access to R2 buckets using Cloudflare Access.
Access lets you restrict access to the objects within a bucket, or within specific sub-paths, to specific users, groups or applications within your organization, based on policies you define.
You will need an R2 bucket. If you do not have one yet, follow the R2 get started guide to create a bucket before returning to this guide. If you already have an R2 bucket, you can skip this step.
Within the Zero Trust section of the Cloudflare Dashboard, you will need to create an Access application and a policy to restrict access to your R2 bucket.
If you have not configured Cloudflare Access before, we recommend:
- Configuring an identity provider first to enable Access to use your organization's single-sign on (SSO) provider as an authentication method.
To create an Access application for your R2 bucket:
- Go to Access and select Add an application.
- Select Self-hosted.
- Enter an Application name.
- Select Add a public hostname and enter the application domain. The Domain must be a domain hosted on Cloudflare, and the Subdomain part of the custom domain you will connect to your R2 bucket. For example, if you want to serve files from behind-access.example.com and example.com is a domain within your Cloudflare account, then enter behind-access in the subdomain field and select example.com from the Domain list.
- Add Access policies to control who can connect to your application. This should be an Allow policy so that users can access objects within the bucket behind this Access application.
- Follow the remaining self-hosted application creation steps to publish the application.
You will need to connect a custom domain to your bucket in order to configure it as an Access application. Make sure the custom domain is the same domain you entered when configuring your Access policy.
- Go to R2 and select your bucket.
- On the bucket page, select Settings.
- Under Public access > Custom Domains, select Connect Domain.
- Enter the domain name you want to connect to and select Continue.
- Review the new record that will be added to the DNS table and select Connect Domain.
Your domain is now connected. The status takes a few minutes to change from Initializing to Active, and you may need to refresh to review the status update. If the status has not changed, select the ... next to your bucket and select Retry connection.
Visit the custom domain you connected to your R2 bucket, which should present a Cloudflare Access authentication page with your selected identity provider(s) and/or authentication methods.
For example, if you connected Google and/or GitHub identity providers, you can log in with those providers. If the login is successful and you pass the Access policies configured in this guide, you will be able to access (read/download) objects within the R2 bucket.
If you cannot authenticate or receive a block page after authenticating, check that you have an Access policy configured within your Access application that explicitly allows the group your user account is associated with.
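The manual browser check above can be scripted so the protection is re-verified after every change to the bucket or the Access application. The script below is an added example, not part of the Cloudflare documentation; it assumes that an unauthenticated request to an Access-protected hostname is answered with a redirect to a login URL on a *.cloudflareaccess.com team domain (or a 401/403), and that a 2xx means the object was served without authentication. The hostname and object path are placeholders.

```bash
#!/usr/bin/env bash
# Added example: verify that an R2 custom domain sits behind Cloudflare Access
# by checking how it answers an unauthenticated request.
set -eu

# classify_response STATUS [LOCATION]
#   protected : redirect to an Access login page on *.cloudflareaccess.com,
#               or an outright 401/403
#   exposed   : the object was served (2xx) without authentication
#   unknown   : anything else (investigate manually)
classify_response() {
  status="$1"; location="${2:-}"
  case "$status" in
    301|302|307|308)
      # Extract the redirect host and require the Access login path.
      host="${location#https://}"; host="${host%%/*}"
      case "$host" in
        *.cloudflareaccess.com)
          case "$location" in
            */cdn-cgi/access/login*) echo protected ;;
            *) echo unknown ;;
          esac ;;
        *) echo unknown ;;
      esac ;;
    401|403) echo protected ;;
    2*)      echo exposed ;;
    *)       echo unknown ;;
  esac
}

# parse_headers: read raw HTTP response headers on stdin, print "STATUS LOCATION".
parse_headers() {
  status=""; location=""
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      HTTP/*)        status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
      [Ll]ocation:*) location="${line#*: }" ;;
    esac
  done
  printf '%s %s\n' "$status" "$location"
}

# check_domain HOST OBJECT_PATH: live check (needs network), no redirects followed.
check_domain() {
  # shellcheck disable=SC2046
  classify_response $(curl -sS -o /dev/null -D - "https://$1/$2" | parse_headers)
}

# Usage: ./check_access.sh behind-access.example.com path/to/object.txt
if [ -n "${1:-}" ]; then check_domain "$1" "${2:-}"; fi
```

Run it against the connected custom domain before the Access application exists and again after it is published; the result should change from exposed to protected.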
- Learn more about Access applications and how to configure them.
- Understand how to use pre-signed URLs to issue time-limited and prefix-restricted access to objects for users not within your organization.
- Review the documentation on using API tokens to authenticate against R2 buckets.