From b58a24f7d224f7463db0b737a30d8371de11fc66 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 11 Dec 2024 08:50:30 -0800 Subject: [PATCH 01/10] Update account owned tokens 1. Update description to reflect GA status 2. Add procedural instructions --- .../fundamentals/account-owned-tokens.mdx | 138 +++++++++--------- 1 file changed, 68 insertions(+), 70 deletions(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index 7dd60f158ec011f..168b6b8271ee39f 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx 
@@ -4,82 +4,80 @@ --- -Account owned tokens are the first step that Cloudflare is taking to represent service principals in our service. - -Cloudflare is working to ensure that all features eventually become compatible with account owned tokens. - -If you are working with a service that is not currently supported by account owned tokens, it is recommended that you continue to use the existing user tokens. +While user tokens act on behalf of a particular user, and inherit a subset of that user's permissions, account owned tokens allow you to set up durable integrations that can act as service principals, effectively acting as themselves with their own specific set of permissions. This approach is ideal for scenarios like CI/CD, or building integrations with external services like SEIMs where it's important that the integration keeps working, even long after the user who configured the integration may have left your organization altogether. User tokens are better for ad hoc tasks like scripting, where acting as the user is ideal, and durability is less of a concern. +## Creating an account owned token :::note -User tokens will continue to work and we do not have plans to deprecate them. +Creating an account owned token requires Super Administrator permission on the account ::: -Account owned tokens are available to all customers. Super Administrators of accounts on the [Cloudflare dashboard](https://dash.cloudflare.com/) can find them via **Manage Account** > **API Tokens**. - -You can still create tokens using the Cloudflare dashboard, and it can also be accessed via the API at `/accounts//tokens`. +1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com) +2. In the sidebar, choose **Manage Account** +3. Choose **Account API Tokens** +4. Click **Create Token** +5. Navigate through the subsequent pages to set the name, permissions, and the (optional) expiration date for the token. Click **Continue to Summary** +6. 
Review the details, and finally click **Create Token** -Try using account owned tokens specifically in these scenarios: - -- You require business continuity when managing tokens as a team of super administrators. -- You need to restrict API access on your account and want to centralize visibility and management of these tokens. +You can alternatively create a token using the [account owned token creation API](https://developers.cloudflare.com/api-next/resources/accounts/subresources/tokens/methods/create/). ## Compatibility matrix -Account owned tokens are a new credential type that is currently in open beta. Refer to the table below for products currently supported and their compatibility status. +Account owned tokens are generally available in all accounts. Some services may not support account owned tokens yet. Please see the compatibility matrix below for the latest status. + +| Product | Compatibility | +| :---- | :---- | +| Access | ❌ | +| Account Analytics | ❌ | +| Account Management | ✅ | +| AI Gateway | ✅ | +| AMP | ✅ | +| API Shield | ✅ | +| Billing | ❌ | +| Cache | ✅ | +| Cloud Connector | ✅ | +| Configuration Rules | ✅ | +| Custom Pages | ✅ | +| Data Loss Prevention | ✅ | +| Digital Experience Monitoring | ✅ | +| Distributed Web | ❌ | +| DNS | Partial (Non-analytics) | +| Durable Objects | ❌ | +| Email Relay | ❌ | +| Gateway Filtering | ❌ | +| Healthchecks | ✅ | +| Hyperdrive | ❌ | +| Images | ✅ | +| Intel Data Platform | ❌ | +| Load Balancing | ❌ | +| Log Explorer | ❌ | +| Magic Network Monitoring | ✅ | +| Magic Transit | ❌ | +| Magic WAN | ❌ | +| Managed Rules | ❌ | +| Network Error Logging | ❌ | +| Page Shield | ✅ | +| Pages | ✅ | +| Pub/Sub | ❌ | +| R2 | ✅ | +| Radar | ✅ | +| Registrar | ❌ | +| Rulesets | ✅ | +| Spectrum | ❌ | +| Speed | ✅ | +| Stream | ✅ | +| Super Bot Fight Mode | ❌ | +| Trace | ✅ | +| Tunnels | ✅ | +| Turnstile | ❌ | +| Vectorize | ❌ | +| Waiting Room | ✅ | +| Workers | ✅ | +| Workers AI | ❌ | +| Workers KV | ✅ | +| Workers 
Observability | ❌ | +| Workers Queues | ✅ | +| Zaraz | ❌ | +| Zero Trust Client Platform | ❌ | +| Zero Trust Devices and Services | ✅ | +| Zone/Domain Management | ✅ | -| Product | Compatible | -| ------------------------------- | ----------------------- | -| Account Management | ✅ | -| Account Analytics | ❌ | -| Zero Trust Devices and Services | ✅ | -| Stream | ✅ | -| Pages | ✅ | -| Speed | ✅ | -| Images | ✅ | -| Zone/Domain Management | ✅ | -| Workers | ✅ | -| Workers Queues | ✅ | -| Workers KV | ✅ | -| Workers AI | ❌ | -| Workers Observability | ❌ | -| Durable Objects | ❌ | -| R2 | ✅ | -| Tunnels | ✅ | -| Cache | ✅ | -| Rulesets | ✅ | -| Custom Pages | ✅ | -| Cloud Connector | ✅ | -| Trace | ✅ | -| Configuration Rules | ✅ | -| DNS | Partial (Non-analytics) | -| Access | ❌ | -| Magic WAN | ❌ | -| Magic Transit | ❌ | -| Magic Network Monitoring | ✅ | -| Managed Rules | ❌ | -| Load Balancing | ❌ | -| Spectrum | ❌ | -| Pub/Sub | ❌ | -| Distributed Web | ❌ | -| Radar | ✅ | -| Data Loss Prevention | ✅ | -| Network Error Logging | ❌ | -| Super Bot Fight Mode | ❌ | -| Page Shield | ✅ | -| AI Gateway | ✅ | -| Turnstile | ❌ | -| AMP | ✅ | -| API Shield | ✅ | -| Billing | ❌ | -| Digital Experience Monitoring | ✅ | -| Intel Data Platform | ❌ | -| Email Relay | ❌ | -| Gateway Filtering | ❌ | -| Healthchecks | ✅ | -| Log Explorer | ❌ | -| Zero Trust Client Platform | ❌ | -| Registrar | ❌ | -| Hyperdrive | ❌ | -| Vectorize | ❌ | -| Waiting Room | ✅ | -| Zaraz | ❌ | From 5960362517e1b7eea4c68a8f95ed7df6563f491c Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 11 Dec 2024 11:24:57 -0800 Subject: [PATCH 02/10] Update src/content/partials/fundamentals/account-owned-tokens.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index 168b6b8271ee39f..931ecb4f22e89c2 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -18,7 +18,7 @@ Creating an account owned token requires Super Administrator permission on the a 5. Navigate through the subsequent pages to set the name, permissions, and the (optional) expiration date for the token. Click **Continue to Summary** 6. Review the details, and finally click **Create Token** -You can alternatively create a token using the [account owned token creation API](https://developers.cloudflare.com/api-next/resources/accounts/subresources/tokens/methods/create/). +You can alternatively create a token using the [account owned token creation API](/api-next/resources/accounts/subresources/tokens/methods/create/). ## Compatibility matrix From b58283fabcf75f8b0ed98402c3a0d6bd51b51e7b Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 11 Dec 2024 15:55:30 -0800 Subject: [PATCH 03/10] Update src/content/partials/fundamentals/account-owned-tokens.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index 931ecb4f22e89c2..b5719523dd90e9e 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx 
@@ -25,7 +25,7 @@ You can alternatively create a token using the [account owned token creation API Account owned tokens are generally available in all accounts. Some services may not support account owned tokens yet. Please see the compatibility matrix below for the latest status. | Product | Compatibility | -| :---- | :---- | +| --- | --- | | Access | ❌ | | Account Analytics | ❌ | | Account Management | ✅ | From 900a1aa989f945061b5e64ca356e14145c7236fb Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 11 Dec 2024 15:55:41 -0800 Subject: [PATCH 04/10] Update src/content/partials/fundamentals/account-owned-tokens.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index b5719523dd90e9e..39b8a528012e63d 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -22,7 +22,7 @@ You can alternatively create a token using the [account owned token creation API ## Compatibility matrix -Account owned tokens are generally available in all accounts. Some services may not support account owned tokens yet. Please see the compatibility matrix below for the latest status. +Account owned tokens are generally available for all accounts. Some services may not support account owned tokens yet. Refer to the compatibility matrix below for the latest status. | Product | Compatibility | | --- | --- | From 1615fea5ebd0ed76a680a70d7aa4b08c75f80d86 Mon Sep 17 00:00:00 2001 
From: Justin Hutchings Date: Wed, 11 Dec 2024 15:56:41 -0800 Subject: [PATCH 05/10] Update src/content/partials/fundamentals/account-owned-tokens.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index 39b8a528012e63d..e58c0abe7ffda0e 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -6,7 +6,7 @@ While user tokens act on behalf of a particular user, and inherit a subset of that user's permissions, account owned tokens allow you to set up durable integrations that can act as service principals, effectively acting as themselves with their own specific set of permissions. This approach is ideal for scenarios like CI/CD, or building integrations with external services like SEIMs where it's important that the integration keeps working, even long after the user who configured the integration may have left your organization altogether. User tokens are better for ad hoc tasks like scripting, where acting as the user is ideal, and durability is less of a concern. -## Creating an account owned token +## Create an account owned token :::note Creating an account owned token requires Super Administrator permission on the account ::: From b1f0b5a901d954db71c5988325c5ed1ada031922 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 11 Dec 2024 15:57:16 -0800 Subject: [PATCH 06/10] Update src/content/partials/fundamentals/account-owned-tokens.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index e58c0abe7ffda0e..5375d5ce60bff79 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -4,7 +4,7 @@ --- -While user tokens act on behalf of a particular user, and inherit a subset of that user's permissions, account owned tokens allow you to set up durable integrations that can act as service principals, effectively acting as themselves with their own specific set of permissions. This approach is ideal for scenarios like CI/CD, or building integrations with external services like SEIMs where it's important that the integration keeps working, even long after the user who configured the integration may have left your organization altogether. User tokens are better for ad hoc tasks like scripting, where acting as the user is ideal, and durability is less of a concern. +While user tokens act on behalf of a particular user and inherit a subset of that user's permissions, account owned tokens allow you to set up durable integrations that can act as service principals with their own specific set of permissions. This approach is ideal for scenarios like CI/CD, or building integrations with external services like SEIMs where it is important that the integration continues working, even long after the user who configured the integration may have left your organization altogether. User tokens are better for ad hoc tasks like scripting, where acting as the user is ideal and durability is less of a concern. ## Create an account owned token :::note From adc3c3b801605c66777d5b6f08ddd05f9cfbed6a Mon Sep 17 00:00:00 2001 
From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Thu, 12 Dec 2024 13:24:12 -0800 Subject: [PATCH 07/10] Apply suggestions from code review --- .../partials/fundamentals/account-owned-tokens.mdx | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index 5375d5ce60bff79..f33f487f3a23a65 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -11,14 +11,13 @@ While user tokens act on behalf of a particular user and inherit a subset of tha Creating an account owned token requires Super Administrator permission on the account ::: -1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com) -2. In the sidebar, choose **Manage Account** -3. Choose **Account API Tokens** -4. Click **Create Token** -5. Navigate through the subsequent pages to set the name, permissions, and the (optional) expiration date for the token. Click **Continue to Summary** -6. Review the details, and finally click **Create Token** +1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com). +2. Go to **Manage Account** > **Account API Tokens**. +4. Select **Create Token** and fill in the token name, permissions, and the optional expiration date for the token. +5. Select **Continue to summary** and review the details. +6. Select **Create Token**. -You can alternatively create a token using the [account owned token creation API](/api-next/resources/accounts/subresources/tokens/methods/create/). +Alternatively, you can create a token using the [account owned token creation API](/api-next/resources/accounts/subresources/tokens/methods/create/). ## Compatibility matrix From b369372c0aa49da0a50662a275d0314f75bb45e6 Mon Sep 17 00:00:00 2001 
From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:16:59 -0800 Subject: [PATCH 08/10] Update src/content/partials/fundamentals/account-owned-tokens.mdx --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index f33f487f3a23a65..f1ef10fc1e79fe0 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -17,7 +17,7 @@ Creating an account owned token requires Super Administrator permission on the a 5. Select **Continue to summary** and review the details. 6. Select **Create Token**. -Alternatively, you can create a token using the [account owned token creation API](/api-next/resources/accounts/subresources/tokens/methods/create/). +Alternatively, you can create a token using the [account owned token creation API](/api/resources/accounts/subresources/tokens/methods/create/). ## Compatibility matrix From 9d77e7b7413e7354c05b4888811910a8360b03f1 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Tue, 17 Dec 2024 08:59:15 -0800 Subject: [PATCH 09/10] Add Argo --- src/content/partials/fundamentals/account-owned-tokens.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index f1ef10fc1e79fe0..b6a1612e8e407a7 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -31,6 +31,7 @@ Account owned tokens are generally available for all accounts. Some services may | AI Gateway | ✅ | | AMP | ✅ | | API Shield | ✅ | +| Argo | ✅ | | Billing | ❌ | | Cache | ✅ | | Cloud Connector | ✅ | From 3a2707ad9e826d2ffa62f3e915bed8f7e93421b1 Mon Sep 17 00:00:00 2001 
From: Justin Hutchings Date: Tue, 17 Dec 2024 09:00:54 -0800 Subject: [PATCH 10/10] Add managed rules test result --- src/content/partials/fundamentals/account-owned-tokens.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/account-owned-tokens.mdx b/src/content/partials/fundamentals/account-owned-tokens.mdx index b6a1612e8e407a7..fc26076d41c406c 100644 --- a/src/content/partials/fundamentals/account-owned-tokens.mdx +++ b/src/content/partials/fundamentals/account-owned-tokens.mdx @@ -53,7 +53,7 @@ Account owned tokens are generally available for all accounts. Some services may | Magic Network Monitoring | ✅ | | Magic Transit | ❌ | | Magic WAN | ❌ | -| Managed Rules | ❌ | +| Managed Rules | ✅ | | Network Error Logging | ❌ | | Page Shield | ✅ | | Pages | ✅ |
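Review bot: In PATCH 01/10, step 5 of the new procedure presents the expiration date as "(optional)" while the rewritten intro positions these tokens as durable service principals that keep working after the user who configured them has left. Since nothing else in the hunk tells the reader how to bound such a long-lived credential, consider adding a sentence after the steps recommending that the token be granted only the permissions the integration needs and that an expiration or rotation schedule be set. Separately, the `:::note` line "Creating an account owned token requires Super Administrator permission on the account" has no closing period, and it is carried unchanged as context through PATCH 07/10.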
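Review bot: In PATCH 06/10, the rewritten intro sentence still reads "external services like SEIMs"; the acronym is SIEM (security information and event management), so this should be "SIEMs". The misspelling was introduced in PATCH 01/10 and survives this wording pass, so it will ship in the final text unless it is corrected here.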
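Review bot: In PATCH 07/10, the consolidated list is numbered 1, 2, 4, 5, 6: merging the old steps 2 and 3 into "Go to **Manage Account** > **Account API Tokens**." left a gap at 3, so the following items should be renumbered 3, 4, 5. In the same hunk, "Log into the" should be "Log in to the", and the button label changed from **Continue to Summary** (PATCH 01/10) to **Continue to summary**; use whichever capitalization matches the label shown in the dashboard.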