- A service behind Zero Trust needs to access another service behind Zero Trust (the services are on different devices, e.g. a Raspberry Pi).
- Cannot use Cloudflare's built-in service auth functionality, so an Access Group based on IP address was created.
- The public IP changes (it is not static), e.g. your home public IP.
The goal of this script is to automatically update a public IP address that you use in a Cloudflare Zero Trust Access Group. I guess you can also do it with a Worker, but it was easier for me in bash ✌️
- curl and jq
# mac
$ brew install jq curl
# linux
$ sudo apt install jq curl
- Cloudflare Account ID.
- Access Group UID (Zero Trust section) with the authorized IP address. Find your public IP here.
- API token with read and edit on "Access: Identity Providers and Groups" in your account.
- git clone
git clone https://github.com/som3canadian/cloudflare-access-group-ip-updater.git
cd cloudflare-access-group-ip-updater
- Change the variables at lines 8, 9, 10 and 11.
- Make sure it works.
- Lines 21, 30 and 41 each have a commented-out variable that you can uncomment for testing. Line 41 lets you play with the IP, to make sure the IPs within the group are changing.
- Set up a cron job.
# add cron
crontab -e
# crontab every hour (add at the end)
0 * * * * <your-path-to-repo>/cloudflare-access-group-ip-updater/cf-ip-updater.sh
Note: The script was made for a single IP. If you want to add more hard-coded IPs, you have to change the "changeIP" function.
Example:
function changeIP() {
  # "include" now lists two IPs: the script's $localIP and one extra hard-coded IP.
  curl -X PUT "https://api.cloudflare.com/client/v4/accounts/$accountID/access/groups/$groupUID" \
    -H "Authorization: Bearer $apiToken" \
    -H "Content-Type: application/json" \
    --data "{\"name\":\"$groupName\",\"include\":[{\"ip\":{\"ip\":\"$localIP/32\"}},{\"ip\":{\"ip\":\"<your-new-ip>/32\"}}],\"exclude\":[],\"require\":[]}"
}
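
The following is an added example, not code from the repository: a variant of the payload construction that accepts any number of IPs and checks each one is a plain IPv4 address before it goes into the group's "include" list, so an empty or malformed value is rejected instead of being written to the Access Group. The function names `is_ipv4` and `build_group_payload` are hypothetical; `accountID`, `groupUID`, `apiToken`, `groupName` and `localIP` are the variables from the snippet above.

```bash
#!/usr/bin/env bash
# Added example, not part of cf-ip-updater.sh. Function names are hypothetical.

# Succeed only for a dotted-quad IPv4 address: four octets, each 0-255,
# no leading zeros, nothing but digits and dots.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; safe, input is digits and dots only
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in 0?*) return 1 ;; esac
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the JSON body for the group update. $1 is the group name, the
# remaining arguments are the allowed IPs. Fails without printing a body
# if the list is empty or any entry is not a valid IPv4 address.
build_group_payload() {
  name=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')   # escape \ and " for JSON
  shift
  [ "$#" -gt 0 ] || { echo "no IPs given" >&2; return 1; }
  include=""
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "rejecting invalid IP: $ip" >&2; return 1; }
    include="${include:+$include,}{\"ip\":{\"ip\":\"$ip/32\"}}"
  done
  printf '{"name":"%s","include":[%s],"exclude":[],"require":[]}\n' \
    "$name" "$include"
}

# Constructed sample values (documentation address ranges).
build_group_payload "home-ips" 203.0.113.7 198.51.100.20

# In changeIP, the body would then replace the hand-written --data string:
#   body=$(build_group_payload "$groupName" "$localIP" "<your-new-ip>") || exit 1
#   curl -X PUT "https://api.cloudflare.com/client/v4/accounts/$accountID/access/groups/$groupUID" \
#     -H "Authorization: Bearer $apiToken" \
#     -H "Content-Type: application/json" \
#     --data "$body"
```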