cloudflare-access-add-user


Add Access User Skill

Grant users access to Cloudflare Access protected services by updating authentication policies.

Quick Start

To add a new user:

```
Add user@example.com to Cloudflare Access
```

The skill will:
  1. Add the email to ACCESS_ALLOWED_EMAIL in .env
  2. Update the update-access-emails.sh script with the new email list
  3. Run the script to sync policies to Cloudflare
  4. Verify policies updated for all 6 protected services
  5. Provide test instructions for the new user


When to Use This Skill

Explicit Triggers:
  • "Add [email] to Cloudflare Access"
  • "Grant access to [email]"
  • "Allow [email] to authenticate"
  • "Share service access with [email]"
  • "Update access users"
Implicit Triggers:
  • User mentions sharing network access with family/colleagues
  • User wants to grant remote access to services
  • User asks about multi-user authentication
Debugging Triggers:
  • "User [email] can't log in"
  • "Access denied for [email]"
  • "How do I add another user?"

What This Skill Does

  1. Validates Email - Ensures valid email format
  2. Checks Duplicates - Prevents adding existing users
  3. Updates .env - Adds email to ACCESS_ALLOWED_EMAIL
  4. Updates Script - Modifies update-access-emails.sh with new email list
  5. Syncs Policies - Runs script to update Cloudflare Access policies
  6. Verifies - Confirms all 6 services updated successfully
  7. Provides Test Steps - Instructions for new user to verify access

Instructions

3.1 Gather Email Address

Ask user for the email address(es) to add. Accept:
  • Single email:
    user@example.com
  • Multiple emails:
    user1@example.com, user2@example.com

3.2 Validate Email Format

```python
import re

def validate_email(email):
    # Syntactic check only: local part, "@", domain, and a TLD of at least two letters.
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return bool(re.match(pattern, email.strip()))
```

3.3 Read Current Configuration

Read the current ACCESS_ALLOWED_EMAIL from .env:

```bash
grep -E "^ACCESS_ALLOWED_EMAIL" /home/dawiddutoit/projects/network/.env
```

Current format:

```
ACCESS_ALLOWED_EMAIL="email1,email2,email3"
```

3.4 Check for Duplicates

Before adding, verify email is not already in the list.

3.5 Update .env File

Edit /home/dawiddutoit/projects/network/.env:

Before:

```
ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com"
```

After (adding dawidddutoit@gmail.com):

```
ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com,dawidddutoit@gmail.com"
```

3.6 Update update-access-emails.sh Script

The script at /home/dawiddutoit/projects/network/scripts/update-access-emails.sh has the email addresses hardcoded in the policy JSON. Update the include array so it lists every allowed email:

Location in script (around line 48-52):

```json
"include": [
    {"email": {"email": "dawiddutoit@temet.ai"}},
    {"email": {"email": "fifthchildd@gmail.com"}},
    {"email": {"email": "dawidddutoit@gmail.com"}},
    {"email": {"email": "NEW_EMAIL_HERE"}}
]
```

3.7 Run Update Script

```bash
cd /home/dawiddutoit/projects/network && ./scripts/update-access-emails.sh
```

Expected output:

```
Updating policies for all services to include all three emails...

Processing app: 56de3246-c9ed-4877-8af1-dc360ac49584
  Updating policy: <policy-id>
  [checkmark] Policy updated successfully

Processing app: 9f1e8109-3f3f-456e-94f5-093bfc9e1c1e
  ...
  [checkmark] Policy updated successfully

All policies updated!
```

3.8 Verify Policies Updated

All 6 protected services should show success:
  • Services Dashboard (temet.ai)
  • Home Assistant (ha.temet.ai)
  • Sprinkler System (sprinkler.temet.ai)
  • Langfuse Monitoring (langfuse.temet.ai)
  • Jaeger Tracing (jaeger.temet.ai)
  • Pi-hole Admin (pihole.temet.ai)

3.9 Provide Test Instructions

Give the new user these steps:

```
ACCESS GRANTED FOR: [email]

To test your access:
1. Open an incognito/private browser window
2. Navigate to: https://pihole.temet.ai
3. Click "Google" to authenticate
4. Sign in with your Google account: [email]
5. After successful authentication, you should see the Pi-hole admin page

All accessible services:
- https://pihole.temet.ai (Pi-hole DNS admin)
- https://jaeger.temet.ai (Jaeger tracing)
- https://langfuse.temet.ai (Langfuse monitoring)
- https://sprinkler.temet.ai (Sprinkler system)
- https://ha.temet.ai (Home Assistant)
- https://temet.ai (Services dashboard)
```
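The validation, duplicate check and the two edits from steps 3.2 to 3.6, carried through in one script as an added example that is not part of the skill or its repository: it parses the ACCESS_ALLOWED_EMAIL line, rejects malformed or already-present addresses (compared case-insensitively, since Google OAuth matches that way), and renders both the new .env line and the policy include array. The .env content and the token value are constructed placeholders.

```python
import re

# Same pattern the skill uses in its validate_email step.
EMAIL_RE = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$')

# Constructed sample of a .env file; the token value is a placeholder.
SAMPLE_ENV = ('CLOUDFLARE_ACCESS_API_TOKEN=<token-placeholder>\n'
              'ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com"\n')

def parse_allowed_emails(env_text):
    """Return the list held in ACCESS_ALLOWED_EMAIL="a,b,c" (empty if the key is absent)."""
    for line in env_text.splitlines():
        if line.startswith("ACCESS_ALLOWED_EMAIL="):
            value = line.split("=", 1)[1].strip().strip('"')
            return [e.strip() for e in value.split(",") if e.strip()]
    return []

def add_emails(current, new_emails):
    """Validate format, reject duplicates (case-insensitive, as Google OAuth matches), then append."""
    updated, rejected = list(current), {}
    seen = {e.lower() for e in current}
    for raw in new_emails:
        email = raw.strip()
        if not EMAIL_RE.match(email):
            rejected[raw] = "invalid format"
        elif email.lower() in seen:
            rejected[raw] = "duplicate"
        else:
            updated.append(email)
            seen.add(email.lower())
    return updated, rejected

def render_env_line(emails):
    # Comma-separated with no spaces after commas, as the Notes require.
    return 'ACCESS_ALLOWED_EMAIL="' + ",".join(emails) + '"'

def update_env_text(env_text, emails):
    """Rewrite only the ACCESS_ALLOWED_EMAIL line; every other line is left untouched."""
    lines = [render_env_line(emails) if l.startswith("ACCESS_ALLOWED_EMAIL=") else l
             for l in env_text.splitlines()]
    return "\n".join(lines) + "\n"

def render_include(emails):
    """Build the policy `include` array in the shape the update script embeds."""
    return [{"email": {"email": e}} for e in emails]

if __name__ == "__main__":
    new = add_emails(parse_allowed_emails(SAMPLE_ENV), ["dawidddutoit@gmail.com", "bad@"])
    print(update_env_text(SAMPLE_ENV, new[0]), new[1], render_include(new[0]))
```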

Supporting Files

| File | Purpose |
|------|---------|
| references/reference.md | Technical details, API structure, troubleshooting |
| examples/examples.md | Common scenarios and edge cases |

Expected Outcomes

Success:
  • Email added to ACCESS_ALLOWED_EMAIL in .env
  • Script updated with new email in include array
  • All 6 Cloudflare Access policies updated
  • New user can authenticate via Google OAuth
Partial Success:
  • .env updated but script needs manual sync
  • Some policies failed (rare - API rate limiting)
Failure Indicators:
  • "Policy update failed" in script output
  • Email validation error
  • Duplicate email detected
  • API token expired or missing permissions

Requirements

Environment:
  • Valid .env with CLOUDFLARE_ACCESS_API_TOKEN
  • CLOUDFLARE_ACCOUNT_ID set correctly
  • Network connectivity to the Cloudflare API
For non-workspace Gmail accounts: If adding personal Gmail (not @temet.ai), Google OAuth consent screen must be set to "External":
  1. Go to: https://console.cloud.google.com/apis/credentials/consent
  2. Change User Type from "Internal" to "External"
  3. Save changes
Tools needed:
  • Read (check current .env)
  • Edit (update .env and script)
  • Bash (run update script)
  • Grep (check for duplicates)

Red Flags to Avoid

  • Do not add invalid email format
  • Do not add duplicate emails (check first)
  • Do not forget to update BOTH .env AND the script
  • Do not skip running update-access-emails.sh after editing
  • Do not skip verification of all 6 services
  • Do not assume non-workspace emails will work without OAuth consent change
  • Do not modify the bypass policy for webhook.temet.ai
  • Do not run cf-access-setup.sh (that's for initial setup, not adding users)

Notes

  • The script has hardcoded app IDs for the 6 protected services
  • Webhook (webhook.temet.ai) has bypass policy and is NOT affected
  • Session duration is 24 hours - users must re-authenticate daily
  • Access logs available at: https://one.dash.cloudflare.com -> Logs -> Access
  • Google OAuth requires the email to match exactly (case-insensitive)
  • Multiple emails are comma-separated with no spaces after commas