service_tokens
Creates, updates, deletes, gets or lists a service_tokens resource.
Overview
| Name | service_tokens |
| Type | Resource |
| Id | cloudflare.zero_trust.service_tokens |
Fields
The following fields are returned by SELECT queries:
- get_by_account
- get_by_zone
- list_by_account
- list_by_zone
Get a service token response
| Name | Datatype | Description |
|---|---|---|
| id | string | UUID. (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| name | string | The name of the service token. (example: CI/CD token) |
| client_id | string | The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header. (example: 88bf3b6d86161464f6509f7219099e57.access.example.com) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| duration | string | The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). (default: 8760h, example: 60m) |
| expires_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| last_seen_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
List service tokens response
| Name | Datatype | Description |
|---|---|---|
| id | string | UUID. (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
| name | string | The name of the service token. (example: CI/CD token) |
| client_id | string | The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header. (example: 88bf3b6d86161464f6509f7219099e57.access.example.com) |
| created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| duration | string | The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). (default: 8760h, example: 60m) |
| expires_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| last_seen_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
| updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
| get_by_account | select | service_token_id, account_id | | Fetches a single service token. |
| get_by_zone | select | service_token_id, zone_id | | Fetches a single service token. |
| list_by_account | select | account_id | name, search, page, per_page | Lists all service tokens. |
| list_by_zone | select | zone_id | name, search, page, per_page | Lists all service tokens. |
| create_by_account | insert | account_id, name | | Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token. |
| create_by_zone | insert | zone_id, name | | Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token. |
| update_by_account | replace | service_token_id, account_id | | Updates a configured service token. |
| update_by_zone | replace | service_token_id, zone_id | | Updates a configured service token. |
| delete_by_account | delete | service_token_id, account_id | | Deletes a service token. |
| delete_by_zone | delete | service_token_id, zone_id | | Deletes a service token. |
| refresh | exec | service_token_id, account_id | | Refreshes the expiration of a service token. |
| rotate | exec | service_token_id, account_id | | Generates a new Client Secret for a service token and revokes the old one. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
| account_id | string | The Cloudflare account ID. |
| service_token_id | string | |
| zone_id | string | The Cloudflare zone ID. |
| name | string | |
| page | integer | |
| per_page | integer | |
| search | string | |
SELECT examples
- get_by_account
- get_by_zone
- list_by_account
- list_by_zone
Fetches a single service token.
```sql
SELECT
  id,
  name,
  client_id,
  created_at,
  duration,
  expires_at,
  last_seen_at,
  updated_at
FROM cloudflare.zero_trust.service_tokens
WHERE service_token_id = '{{ service_token_id }}' -- required
  AND account_id = '{{ account_id }}' -- required
;
```
Fetches a single service token.
```sql
SELECT
  id,
  name,
  client_id,
  created_at,
  duration,
  expires_at,
  last_seen_at,
  updated_at
FROM cloudflare.zero_trust.service_tokens
WHERE service_token_id = '{{ service_token_id }}' -- required
  AND zone_id = '{{ zone_id }}' -- required
;
```
Lists all service tokens.
```sql
SELECT
  id,
  name,
  client_id,
  created_at,
  duration,
  expires_at,
  last_seen_at,
  updated_at
FROM cloudflare.zero_trust.service_tokens
WHERE account_id = '{{ account_id }}' -- required
  AND name = '{{ name }}'
  AND search = '{{ search }}'
  AND page = '{{ page }}'
  AND per_page = '{{ per_page }}'
;
```
Lists all service tokens.
```sql
SELECT
  id,
  name,
  client_id,
  created_at,
  duration,
  expires_at,
  last_seen_at,
  updated_at
FROM cloudflare.zero_trust.service_tokens
WHERE zone_id = '{{ zone_id }}' -- required
  AND name = '{{ name }}'
  AND search = '{{ search }}'
  AND page = '{{ page }}'
  AND per_page = '{{ per_page }}'
;
```
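An added example, not part of the provider documentation: a Python audit over rows shaped like the `list_by_account` result, flagging tokens that are expired or close to expiry, never or not recently seen, or issued with a `duration` above a chosen ceiling. The thresholds, function names and sample rows are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per unit, for the units the duration field accepts.
UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

def parse_duration(text):
    """Parse a duration such as '300ms', '2h45m' or '8760h' into a timedelta."""
    parts = PART.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(seconds=sum(float(n) * UNITS[u] for n, u in parts))

def parse_ts(text):
    """Parse a UTC timestamp like '2014-01-01T05:20:00.12345Z'; None if empty."""
    if not text:
        return None
    base = text.rstrip("Z").split(".")[0]  # fractional seconds are dropped
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit(rows, now, max_duration=timedelta(days=90),
          expiry_warning=timedelta(days=30), stale_after=timedelta(days=60)):
    """Return {token name: [findings]} for tokens that need attention."""
    report = {}
    for row in rows:
        findings = []
        expires, seen = parse_ts(row.get("expires_at")), parse_ts(row.get("last_seen_at"))
        if expires and expires <= now:
            findings.append("expired")
        elif expires and expires - now <= expiry_warning:
            findings.append("expires soon")
        if seen is None:  # assumption: an empty last_seen_at means never used
            findings.append("never used")
        elif now - seen > stale_after:
            findings.append("stale")
        if parse_duration(row["duration"]) > max_duration:
            findings.append("long-lived")
        if findings:
            report[row["name"]] = findings
    return report

# Constructed sample rows using columns from the SELECT above (not real tokens).
COLS = ("name", "duration", "expires_at", "last_seen_at")
SAMPLE = [dict(zip(COLS, r)) for r in [
    ("CI/CD token", "8760h", "2025-01-10T00:00:00Z", "2024-12-19T08:00:00Z"),
    ("batch export", "2160h", "2025-03-01T00:00:00Z", None),
    ("metrics scraper", "720h", "2025-03-01T00:00:00Z", "2024-12-01T00:00:00.12345Z"),
]]
NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)
```

Tokens with no findings are left out of the report, so `audit(SAMPLE, NOW)` lists only the first two sample tokens.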
INSERT examples
- create_by_account
- create_by_zone
- Manifest
Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
```sql
INSERT INTO cloudflare.zero_trust.service_tokens (
  client_secret_version,
  duration,
  name,
  previous_client_secret_expires_at,
  account_id
)
SELECT
  {{ client_secret_version }},
  '{{ duration }}',
  '{{ name }}' /* required */,
  '{{ previous_client_secret_expires_at }}',
  '{{ account_id }}'
RETURNING
  errors,
  messages,
  result,
  success
;
```
Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
```sql
INSERT INTO cloudflare.zero_trust.service_tokens (
  client_secret_version,
  duration,
  name,
  previous_client_secret_expires_at,
  zone_id
)
SELECT
  {{ client_secret_version }},
  '{{ duration }}',
  '{{ name }}' /* required */,
  '{{ previous_client_secret_expires_at }}',
  '{{ zone_id }}'
RETURNING
  errors,
  messages,
  result,
  success
;
```
```yaml
# Description fields are for documentation purposes
- name: service_tokens
  props:
    - name: account_id
      value: "{{ account_id }}"
      description: Required parameter for the service_tokens resource.
    - name: zone_id
      value: "{{ zone_id }}"
      description: Required parameter for the service_tokens resource.
    - name: client_secret_version
      value: {{ client_secret_version }}
      description: |
        A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
      default: 1
    - name: duration
      value: "{{ duration }}"
      description: |
        The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
      default: 8760h
    - name: name
      value: "{{ name }}"
      description: |
        The name of the service token.
    - name: previous_client_secret_expires_at
      value: "{{ previous_client_secret_expires_at }}"
      description: |
        The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.
```
REPLACE examples
- update_by_account
- update_by_zone
Updates a configured service token.
```sql
REPLACE cloudflare.zero_trust.service_tokens
SET
  client_secret_version = {{ client_secret_version }},
  duration = '{{ duration }}',
  name = '{{ name }}',
  previous_client_secret_expires_at = '{{ previous_client_secret_expires_at }}'
WHERE
  service_token_id = '{{ service_token_id }}' --required
  AND account_id = '{{ account_id }}' --required
RETURNING
  errors,
  messages,
  result,
  success;
```
Updates a configured service token.
```sql
REPLACE cloudflare.zero_trust.service_tokens
SET
  client_secret_version = {{ client_secret_version }},
  duration = '{{ duration }}',
  name = '{{ name }}',
  previous_client_secret_expires_at = '{{ previous_client_secret_expires_at }}'
WHERE
  service_token_id = '{{ service_token_id }}' --required
  AND zone_id = '{{ zone_id }}' --required
RETURNING
  errors,
  messages,
  result,
  success;
```
DELETE examples
- delete_by_account
- delete_by_zone
Deletes a service token.
```sql
DELETE FROM cloudflare.zero_trust.service_tokens
WHERE service_token_id = '{{ service_token_id }}' --required
  AND account_id = '{{ account_id }}' --required
;
```
Deletes a service token.
```sql
DELETE FROM cloudflare.zero_trust.service_tokens
WHERE service_token_id = '{{ service_token_id }}' --required
  AND zone_id = '{{ zone_id }}' --required
;
```
Lifecycle Methods
- refresh
- rotate
Refreshes the expiration of a service token.
```sql
EXEC cloudflare.zero_trust.service_tokens.refresh
@service_token_id='{{ service_token_id }}', --required
@account_id='{{ account_id }}' --required
;
```
Generates a new Client Secret for a service token and revokes the old one.
```sql
EXEC cloudflare.zero_trust.service_tokens.rotate
@service_token_id='{{ service_token_id }}', --required
@account_id='{{ account_id }}' --required
@@json=
'{
"previous_client_secret_expires_at": "{{ previous_client_secret_expires_at }}"
}'
;
```