Cloudflare Token Rotation

Doppler provides the ability to rotate between two Cloudflare tokens, affording a zero-downtime rotation experience

Requirements

Understand the Doppler rotation methodology
Cloudflare Account
- Ability to create Cloudflare tokens

Overview

Setting up Cloudflare token rotation consists of creating three tokens

A token to facilitate rotation - the managing user key
Two identical tokens to rotate between, which ensures zero downtime

Managing User Key Creation

Navigate to the Advanced Secrets tab in the Doppler config that you'd like to add the rotated secret to
Select New Rotated Secret
In the SaaS section, select Cloudflare
Name the integration
In a new browser tab, navigate to the tokens section in your Cloudflare dashboard
Select Create Token
Next to Create Additional Tokens, select Use Template
Ensure the API Tokens permission is set to Edit

Select Continue to Summary.
Create the token
Copy the token and return to the Doppler tab. Enter the token in the Managing Key input.

🚧
Do not enter, save, or paste the token anywhere else. It should only live in Doppler

Rotated Keys

Provide a descriptive Rotated Secret Name. The rotated secret name will prefix the individual secret values that are injected into your config
Interval is the cadence at which the secret is rotated
Create two new Cloudflare tokens with identical permissions and provide their token values. Be sure to give these tokens different names in Cloudflare to easily identify them. Doppler will rotate these accordingly to your selected interval.
Select next to create the Cloudflare rotate secret

Injected Values

After creating the Cloudflare rotated secret, two individual secrets will be available in the config. Doppler ensures the active secret instance is returned when requested or synced.

NAME - the name Cloudflare generates for the token. Likely not used in code but useful for auditing purposes, especially when correlating activity between Cloudflare and Doppler
VALUE - the value of the active secret instance.