Protect an R2 Bucket with Cloudflare Access
You can secure access to R2 buckets using Cloudflare Access.
Access allows you to only allow specific users, groups or applications within your organization to access objects within a bucket, or specific sub-paths, based on policies you define.
1. Create a bucket
If you have an existing R2 bucket, you can skip this step.
You will need to create an R2 bucket. Follow the R2 get started guide to create a bucket before returning to this guide.
2. Create an Access application
Within the Zero Trust section of the Cloudflare Dashboard, you will need to create an Access application and a policy to restrict access to your R2 bucket.
If you have not configured Cloudflare Access before, we recommend:
- Configuring an identity provider first to enable Access to use your organization’s single-sign on (SSO) provider as an authentication method.
- Creating an Access group that defines which users or groups within your organization can access specific resources.
To create an Access application for your R2 bucket:
- Go to Access ↗ and select Add an application
- Select Self-hosted
- Enter an Application name
- Enter the Application domain. The Domain must be a domain hosted on Cloudflare, and the Subdomain part of the custom domain you will connect to your R2 bucket. For example, if you want to serve files from
behind-access.example.com
andexample.com
is a domain within your Cloudflare account, then enterbehind-access
in the subdomain field and selectexample.com
from the Domain list. - (Optional) Configure the block page policy. This can be changed later.
- Configure the Identity providers that will be used to protect this domain using Access.
- Click Next
- Enter a Policy name and an Action. This should be Allow, and will enable the group(s) you select to access objects within the bucket behind this Access application.
- To Assign a group (or groups) and allow access to your bucket, select one or more groups. If you have not created any groups, you will need to do this first. You should ensure that this group only contains the users within your organization that need access to this R2 bucket.
- Click Next and then Add an application.
Review the Cloudflare Access documentation to understand how to configure additional Access application options.
3. Connect a custom domain
You will need to connect a custom domain to your bucket in order to configure it as an Access application. Make sure the custom domain is the same domain you entered when configuring your Access policy.
- Go to R2 and select your bucket.
- On the bucket page, select Settings.
- Under Public access > Custom Domains, select Connect Domain.
- Enter the domain name you want to connect to and select Continue.
- Review the new record that will be added to the DNS table and select Connect Domain.
Your domain is now connected. The status takes a few minutes to change from Initializing to Active, and you may need to refresh to review the status update. If the status has not changed, select the … next to your bucket and select Retry connection.
4. Test your Access policy
Visit the custom domain you connected to your R2 bucket, which should present a Cloudflare Access authentication page with your selected identity provider(s) and/or authentication methods.
For example, if you connected Google and/or GitHub identity providers, you can log in with those providers. If the login is successful and your account is a member of the Access group you associated with the Access application you created in this guide, you will be able to access (read/download) objects within the R2 bucket.
If you cannot authenticate or receive a block page after authenticating, check that you have an Access policy configured within your Access application that explicitly allows the group your user account is associated with.
Next steps
- Learn more about Access applications and how to configure them.
- Understand how to use pre-signed URLs to issue time-limited and prefix-restricted access to objects for users not within your organization.
- Review the documentation on using API tokens to authenticate against R2 buckets.