Table: cloudflare_api_token - Query Cloudflare API Tokens using SQL
Cloudflare API Tokens are a resource within Cloudflare that allows you to manage and control access to your Cloudflare accounts. They provide granular permissions and security for your Cloudflare operations. API Tokens are an essential part of managing access to Cloudflare resources and ensuring the security of your account.
Table Usage Guide
The cloudflare_api_token
table provides insights into the API Tokens within Cloudflare. As a DevOps engineer, explore token-specific details through this table, including permissions, associated policies, and metadata. Utilize it to uncover information about tokens, such as those with extensive permissions, the specific resources they can access, and the verification of associated policies.
Important Notes
- This table is only available when using
email
andapi_key
for authentication credentials. It does not work when usingapi_token
for access.
Examples
Query all API tokens for this user
Explore all API tokens linked to a user's account to assess their validity and security. This can be beneficial in identifying any potential risks or outdated tokens that need to be updated or removed.
select *from cloudflare_api_token;
select *from cloudflare_api_token;
List API tokens by age, oldest first
Analyze the age of your API tokens to understand which ones have been in use the longest. This can help in managing token lifecycle and ensuring that older, potentially exposed tokens are refreshed or retired.
select id, name, status, issued_on, date_part('day', now() - issued_on) as agefrom cloudflare_api_tokenorder by issued_on desc;
select id, name, status, issued_on, julianday('now') - julianday(issued_on) as agefrom cloudflare_api_tokenorder by issued_on desc;
List API tokens expiring with the next 14 days
Explore active API tokens that are due to expire within the next two weeks. This can be useful for maintaining security and ensuring continuous service by renewing or replacing the tokens before they expire.
select id, name, status, expires_onfrom cloudflare_api_tokenwhere status is active and expires_on < current_date + interval '14 days';
select id, name, status, expires_onfrom cloudflare_api_tokenwhere status = 'active' and expires_on < date('now', '+14 days');
List all permissions granted to each API token
Explore the permissions associated with each API token to gain insights into their access levels and control mechanisms. This can be beneficial in maintaining security standards and ensuring appropriate access rights are granted.
select name, policy ->> 'effect', policy -> 'resources', perm_group ->> 'name'from cloudflare_api_token, jsonb_array_elements(policies) as policy, jsonb_array_elements(policy -> 'permission_groups') as perm_group;
select name, json_extract(policy.value, '$.effect'), policy.value, json_extract(perm_group.value, '$.name')from cloudflare_api_token, json_each(policies) as policy, json_each(json_extract(policy.value, '$.permission_groups')) as perm_group;
Schema for cloudflare_api_token
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
condition | jsonb | Conditions (e.g. client IP ranges) associated with the API token. | |
expires_on | timestamp with time zone | When the API token expires. | |
id | text | ID of the API token. | |
issued_on | timestamp with time zone | When the API token was issued. | |
modified_on | timestamp with time zone | When the API token was last modified. | |
name | text | Name of the API token. | |
not_before | timestamp with time zone | When the API token becomes valid. | |
policies | jsonb | Policies associated with this API token. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
status | text | Status of the API token. | |
user_id | text | =, !=, ~~, ~~*, !~~, !~~* | ID of the current user. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare
You can pass the configuration to the command with the --config
argument:
steampipe_export_cloudflare --config '<your_config>' cloudflare_api_token