Cloudflare Docs
Cloudflare Zero Trust
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Service tokens for SSH connections

You can use Cloudflare Access to create Zero Trust rules that determine which users can reach resources over HTTP, SSH, and other protocols. However, some resources also need to be available to automated systems that need to authenticate through Cloudflare’s network. You can use Cloudflare Access to generate a service token for those systems.

This walkthrough extends a previous guide that describes configuring GitLab with Cloudflare Access. In this case, an administrator needs to reach GitLab over SSH using a service token. While this tutorial uses that as an example, any deployment can use these steps to add service tokens as an option.

🗺️ This walkthrough covers how to:

  • Create a service token in Cloudflare Access
  • Add a rule to an existing Access policy to allow cloudflared to reach the resource using the service token
  • Configure the cloudflared command to connect to the protected resource

⏲️ Time to complete:

1 hour


​​ Create a service token

Navigate to the Access section of the Zero Trust dashboard and select the Service Auth page.

Click Create Service Token and name the service token. Cloudflare Access will generate a Client ID and Client Secret. You must copy the Client Secret from this page - it will not be shown again.

​​ Add the service token to an app rule

Next, find the application that should be available to services connecting with this token. This example uses a GitLab instance previously configured in another tutorial. You can also add this type of rule to an Access Group so that it can be reused or to a new application.

Select the Applications page in the Access section of the Zero Trust dashboard. Locate the application and click Edit. The rule currently shown is the identity-based rule that allows team members to connect. Click Add a Rule to allow services.

Add Rule in App

The dropdown for Rule Action defaults to Allow. To use a service token, you must select Service Auth instead.

Use Service Token

In the rule configuration card, select Service Token from the dropdown. Choose the name of one or more service tokens that can authenticate. Click Save rule.

Non ID Rule

You should now see the Service Auth rule on a new line in the next page. Click Save application to save the changes made.

Non ID Rule

​​ Connect from cloudflared

You can use the Client ID and Client Secret to connect to the resource over HTTP by using those values as HTTP headers. This example uses cloudflared to connect over SSH.

The following cloudflared command is structured to use the Service Token generated to connect over SSH to the GitLab instance previously configured. The command relies on the SSH configuration file being set to proxy the connection through cloudflared.

$ cloudflared access ssh --hostname gitlab-ssh.widgetcorp.tech --id a61c032ee4510f8b7e2749ea0896cc14.access --secret 85dcb2301975e8b8e40deb6097645995aa4bed35c2badf098028652097c69eeb