Cloudflare Tokens

Doppler can rotate between two Cloudflare tokens, giving you a zero-downtime rotation experience.


  • Understand the Doppler rotation methodology
  • Cloudflare Account
    • Ability to create Cloudflare tokens


Setting up Cloudflare token rotation consists of creating three tokens: one managing token and two rotated tokens.

Managing User Key Creation

  1. Navigate to the Doppler config you would like to add the rotated secret to
  2. Click the dropdown next to Add Secret and select Add Rotated Secret
  3. In the modal, select Cloudflare in the SaaS section
  4. Name the integration
  5. In a new browser tab, navigate to the tokens section in your Cloudflare dashboard
  6. Select Create Token
  7. Next to Create Additional Tokens, select Use Template
  8. Ensure the API Tokens permission is set to Edit
  9. Select Continue to Summary.
  10. Create the token
  11. Copy the token and return to the Doppler tab. Enter the token in the Managing Key input.


Do not enter, save, or paste the token anywhere else. It should only live in Doppler.

Rotated Keys

  1. Provide a descriptive Rotated Secret Name. The rotated secret name will prefix the individual secret values that are injected into your config.
  2. Interval is the cadence at which the secret is rotated.
  3. Create two new Cloudflare tokens with identical permissions and provide their token values. Be sure to give these tokens different names in Cloudflare so they are easy to identify. Doppler will rotate them according to your selected interval.
  4. Select Next to create the Cloudflare rotated secret.

Injected Values

After creating the Cloudflare rotated secret, two individual secrets will be available in the config. Doppler ensures the active secret instance is returned when requested or synced.

  • NAME - the name Cloudflare generates for the token. Likely not used in code but useful for auditing purposes, especially when correlating activity between Cloudflare and Doppler.
  • VALUE - the value of the active secret instance.
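
An added example, not Doppler's or Cloudflare's code, of consuming the injected pair: the token NAME is attached to every log record for audit correlation, and the VALUE is scrubbed if it ever reaches a log message. It assumes a rotated secret named `CLOUDFLARE` whose secrets reach the process as `CLOUDFLARE_NAME` and `CLOUDFLARE_VALUE` environment variables (the underscore join is an assumption); the function and class names are hypothetical.

```python
import logging
import os
from dataclasses import dataclass, field

# Constructed sample config; real values are injected by Doppler.
SAMPLE_ENV = {"CLOUDFLARE_NAME": "example-token-a",
              "CLOUDFLARE_VALUE": "constructed-value-a"}


@dataclass(frozen=True)
class RotatedToken:
    name: str                       # Cloudflare's token name: safe to log
    value: str = field(repr=False)  # active token value: kept out of repr()


def load_rotated_token(prefix, env=None):
    """Read the injected pair at call time so a re-sync or restart after
    rotation is picked up; fail closed if either secret is missing."""
    env = os.environ if env is None else env
    try:
        name, value = env[f"{prefix}_NAME"], env[f"{prefix}_VALUE"]
    except KeyError as exc:
        raise RuntimeError(f"rotated secret {exc.args[0]} is not injected") from None
    if not name or not value:
        raise RuntimeError(f"rotated secret {prefix} is empty")
    return RotatedToken(name, value)


def auth_headers(token):
    # Cloudflare API tokens are sent as a Bearer credential.
    return {"Authorization": f"Bearer {token.value}"}


class TokenAuditFilter(logging.Filter):
    """Tag each record with the token NAME and scrub the VALUE if it leaks."""

    def __init__(self, loader):
        super().__init__()
        self._loader = loader  # called per record, so rotation is followed

    def filter(self, record):
        token = self._loader()
        record.cf_token_name = token.name
        message = record.getMessage()
        if token.value in message:
            record.msg = message.replace(token.value, "[REDACTED]")
            record.args = None
        return True
```

Attach the filter to a handler and include `%(cf_token_name)s` in its format string to get the token name on every log line.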