cloudflare-access-add-user

📁 dawiddutoit/custom-claude 📅 Jan 26, 2026

Total installs: 4
Weekly installs: 4
Site-wide rank: #47786

Install command:

npx skills add https://github.com/dawiddutoit/custom-claude --skill cloudflare-access-add-user

Agent install distribution:

mcpjam 4
neovate 4
gemini-cli 4
antigravity 4
windsurf 4
zencoder 4

Skill documentation

Add Access User Skill

Grant users access to Cloudflare Access protected services by updating authentication policies.

Quick Start

To add a new user:

Add user@example.com to Cloudflare Access

The skill will:

  1. Add the email to ACCESS_ALLOWED_EMAIL in .env
  2. Update the update-access-emails.sh script with new email list
  3. Run the script to sync policies to Cloudflare
  4. Verify policies updated for all 6 protected services
  5. Provide test instructions for the new user

Table of Contents

  1. When to Use This Skill
  2. What This Skill Does
  3. Instructions
  4. Supporting Files
  5. Expected Outcomes
  6. Requirements
  7. Red Flags to Avoid

When to Use This Skill

Explicit Triggers:

  • “Add [email] to Cloudflare Access”
  • “Grant access to [email]”
  • “Allow [email] to authenticate”
  • “Share service access with [email]”
  • “Update access users”

Implicit Triggers:

  • User mentions sharing network access with family/colleagues
  • User wants to grant remote access to services
  • User asks about multi-user authentication

Debugging Triggers:

  • “User [email] can’t log in”
  • “Access denied for [email]”
  • “How do I add another user?”

What This Skill Does

  1. Validates Email – Ensures valid email format
  2. Checks Duplicates – Prevents adding existing users
  3. Updates .env – Adds email to ACCESS_ALLOWED_EMAIL
  4. Updates Script – Modifies update-access-emails.sh with new email list
  5. Syncs Policies – Runs script to update Cloudflare Access policies
  6. Verifies – Confirms all 6 services updated successfully
  7. Provides Test Steps – Instructions for new user to verify access

Instructions

3.1 Gather Email Address

Ask user for the email address(es) to add. Accept:

  • Single email: user@example.com
  • Multiple emails: user1@example.com, user2@example.com

3.2 Validate Email Format

import re

def validate_email(email):
    # Syntactic check only: local part, "@", domain labels, and a TLD of 2+ letters.
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return bool(re.match(pattern, email.strip()))

3.3 Read Current Configuration

Read current ACCESS_ALLOWED_EMAIL from .env:

grep -E "^ACCESS_ALLOWED_EMAIL" /home/dawiddutoit/projects/network/.env

Current format: ACCESS_ALLOWED_EMAIL="email1,email2,email3"

3.4 Check for Duplicates

Before adding, verify email is not already in the list.

3.5 Update .env File

Edit /home/dawiddutoit/projects/network/.env:

Before:

ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com"

After (adding dawidddutoit@gmail.com):

ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com,dawidddutoit@gmail.com"

3.6 Update update-access-emails.sh Script

The script at /home/dawiddutoit/projects/network/scripts/update-access-emails.sh has hardcoded email addresses in the policy JSON. Update the include array to match all emails:

Location in script (around line 48-52):

"include": [
    {"email": {"email": "dawiddutoit@temet.ai"}},
    {"email": {"email": "fifthchildd@gmail.com"}},
    {"email": {"email": "dawidddutoit@gmail.com"}},
    {"email": {"email": "NEW_EMAIL_HERE"}}
]

3.7 Run Update Script

cd /home/dawiddutoit/projects/network && ./scripts/update-access-emails.sh

Expected output:

Updating policies for all services to include all three emails...

Processing app: 56de3246-c9ed-4877-8af1-dc360ac49584
  Updating policy: <policy-id>
  [checkmark] Policy updated successfully

Processing app: 9f1e8109-3f3f-456e-94f5-093bfc9e1c1e
  ...
  [checkmark] Policy updated successfully

All policies updated!

3.8 Verify Policies Updated

All 6 protected services should show success:

  • Services Dashboard (temet.ai)
  • Home Assistant (ha.temet.ai)
  • Sprinkler System (sprinkler.temet.ai)
  • Langfuse Monitoring (langfuse.temet.ai)
  • Jaeger Tracing (jaeger.temet.ai)
  • Pi-hole Admin (pihole.temet.ai)

3.9 Provide Test Instructions

Give the new user these steps:

ACCESS GRANTED FOR: [email]

To test your access:
1. Open an incognito/private browser window
2. Navigate to: https://pihole.temet.ai
3. Click "Google" to authenticate
4. Sign in with your Google account: [email]
5. After successful authentication, you should see Pi-hole admin

All accessible services:
- https://pihole.temet.ai (Pi-hole DNS admin)
- https://jaeger.temet.ai (Jaeger tracing)
- https://langfuse.temet.ai (Langfuse monitoring)
- https://sprinkler.temet.ai (Sprinkler system)
- https://ha.temet.ai (Home Assistant)
- https://temet.ai (Services dashboard)

Supporting Files

File                     Purpose
references/reference.md  Technical details, API structure, troubleshooting
examples/examples.md     Common scenarios and edge cases

Expected Outcomes

Success:

  • Email added to ACCESS_ALLOWED_EMAIL in .env
  • Script updated with new email in include array
  • All 6 Cloudflare Access policies updated
  • New user can authenticate via Google OAuth

Partial Success:

  • .env updated but script needs manual sync
  • Some policies failed (rare – API rate limiting)

Failure Indicators:

  • “Policy update failed” in script output
  • Email validation error
  • Duplicate email detected
  • API token expired or missing permissions

Requirements

Environment:

  • Valid .env with CLOUDFLARE_ACCESS_API_TOKEN
  • CLOUDFLARE_ACCOUNT_ID set correctly
  • Network connectivity to Cloudflare API

For non-workspace Gmail accounts: If adding personal Gmail (not @temet.ai), Google OAuth consent screen must be set to “External”:

  1. Go to: https://console.cloud.google.com/apis/credentials/consent
  2. Change User Type from “Internal” to “External”
  3. Save changes

Tools needed:

  • Read (check current .env)
  • Edit (update .env and script)
  • Bash (run update script)
  • Grep (check for duplicates)

Red Flags to Avoid

  • Do not add invalid email format
  • Do not add duplicate emails (check first)
  • Do not forget to update BOTH .env AND the script
  • Do not skip running update-access-emails.sh after editing
  • Do not skip verification of all 6 services
  • Do not assume non-workspace emails will work without OAuth consent change
  • Do not modify the bypass policy for webhook.temet.ai
  • Do not run cf-access-setup.sh (that’s for initial setup, not adding users)

Notes

  • The script has hardcoded app IDs for the 6 protected services
  • Webhook (webhook.temet.ai) has bypass policy and is NOT affected
  • Session duration is 24 hours – users must re-authenticate daily
  • Access logs available at: https://one.dash.cloudflare.com -> Logs -> Access
  • Google OAuth requires the email to match exactly (case-insensitive)
  • Multiple emails are comma-separated with no spaces after commas