turbot/cloudflare
steampipe plugin install cloudflare

Table: cloudflare_api_token - Query Cloudflare API Tokens using SQL

Cloudflare API Tokens are a resource within Cloudflare that allows you to manage and control access to your Cloudflare accounts. They provide granular permissions and security for your Cloudflare operations. API Tokens are an essential part of managing access to Cloudflare resources and ensuring the security of your account.

Table Usage Guide

The cloudflare_api_token table provides insights into the API Tokens within Cloudflare. As a DevOps engineer, explore token-specific details through this table, including permissions, associated policies, and metadata. Utilize it to uncover information about tokens, such as those with extensive permissions, the specific resources they can access, and the verification of associated policies.

Important Notes

  • This table is only available when using email and api_key for authentication credentials. It does not work when using api_token for access.

Examples

Query all API tokens for this user

Explore all API tokens linked to a user's account to assess their validity and security. This can be beneficial in identifying any potential risks or outdated tokens that need to be updated or removed.

select
*
from
cloudflare_api_token;
select
*
from
cloudflare_api_token;

List API tokens by age, oldest first

Analyze the age of your API tokens to understand which ones have been in use the longest. This can help in managing token lifecycle and ensuring that older, potentially exposed tokens are refreshed or retired.

select
id,
name,
status,
issued_on,
date_part('day', now() - issued_on) as age
from
cloudflare_api_token
order by
issued_on desc;
select
id,
name,
status,
issued_on,
julianday('now') - julianday(issued_on) as age
from
cloudflare_api_token
order by
issued_on desc;

List API tokens expiring with the next 14 days

Explore active API tokens that are due to expire within the next two weeks. This can be useful for maintaining security and ensuring continuous service by renewing or replacing the tokens before they expire.

select
id,
name,
status,
expires_on
from
cloudflare_api_token
where
status is active
and expires_on < current_date + interval '14 days';
select
id,
name,
status,
expires_on
from
cloudflare_api_token
where
status = 'active'
and expires_on < date('now', '+14 days');

List all permissions granted to each API token

Explore the permissions associated with each API token to gain insights into their access levels and control mechanisms. This can be beneficial in maintaining security standards and ensuring appropriate access rights are granted.

select
name,
policy ->> 'effect',
policy -> 'resources',
perm_group ->> 'name'
from
cloudflare_api_token,
jsonb_array_elements(policies) as policy,
jsonb_array_elements(policy -> 'permission_groups') as perm_group;
select
name,
json_extract(policy.value, '$.effect'),
policy.value,
json_extract(perm_group.value, '$.name')
from
cloudflare_api_token,
json_each(policies) as policy,
json_each(json_extract(policy.value, '$.permission_groups')) as perm_group;

Schema for cloudflare_api_token

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
conditionjsonbConditions (e.g. client IP ranges) associated with the API token.
expires_ontimestamp with time zoneWhen the API token expires.
idtextID of the API token.
issued_ontimestamp with time zoneWhen the API token was issued.
modified_ontimestamp with time zoneWhen the API token was last modified.
nametextName of the API token.
not_beforetimestamp with time zoneWhen the API token becomes valid.
policiesjsonbPolicies associated with this API token.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
statustextStatus of the API token.
user_idtext=, !=, ~~, ~~*, !~~, !~~*ID of the current user.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare

You can pass the configuration to the command with the --config argument:

steampipe_export_cloudflare --config '<your_config>' cloudflare_api_token