Allow passing tunnel token via the file system.

[Cyb3r-Jak3]

Describe the feature you'd like
I currently use named tunnels and run in docker containers. I would like to be able to use docker secrets with the containers. This is currently not possible because docker secrets are passed as a file and there is no way to read the file. It would be nice to be able to have --secret-file option, i.e. cloudflared tunnel run --token --secret-file or cloudflared tunnel run --token </path/to/token/file>.

Describe alternatives you've considered
Typically, you use cat in containers to read the files, but the rootless container does not have the cat executable so unable to use secrets that way

Additional context
Similar to #232.

I would be happy to work on this if it is something that is worth implementing.

[nmldiegues]

You can see in:

→ cloudflared tunnel run --help | grep token
  --token value                                The Tunnel token. When provided along with credentials, this will take precedence. [$TUNNEL_TOKEN]

that it is also possible to pass the token as an environment variable. Those should be manageable as secrets in docker (compose, k8s, etc...) easily.

If you really want a file, then you can:

cloudflared tunnel token --cred-file /tmp/mysecret.json <TUNNEL>

And then you have /tmp/mysecret.json to put in your secret storage and to use.

All in all, I think there are enough ways to do this, and I would skip yet another way. Free free to open back and discuss further.

[Cyb3r-Jak3]

The purpose of docker secrets is to avoid putting secrets as environment variables. From my understanding of token --cred-file /tmp/mysecret.json <TUNNEL> is that I need to have to still have an origin cert (#603) which defeats remote managed tunnels.

I admit that this is an edge case, but the goal is to be able to use remote managed tunnels via docker secrets.

[nmldiegues]

The purpose of docker secrets is to avoid putting secrets as environment variables.
I admit that this is an edge case, but the goal is to be able to use remote managed tunnels via docker secrets.

But that's my whole point: docker secrets can be injected into the container via both files as well as environment variables. The values still come from the secret storage. The way they are made available to the container is what differs.

[Cyb3r-Jak3]

How do you inject secrets as environment variables? From the documentation I have seen, it is only possible as a file

As an example, I have this compose file with a file called token.secret in the same directory that contains a remote tunnel token.

version: "3.9"

secrets:
  cloudflare_token:
    file: "token.secret"

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.5.1
    command: tunnel run
    secrets:
      - cloudflare_token
    environment:
      - TUNNEL_TOKEN=/run/secrets/cloudflare_token

Running docker-compose up gets

F:\git\cloudflare-secrets> docker-compose.exe up
[+] Running 1/1
 - Container cloudflare-secrets-cloudflared-1  Recreated                                                                                                                                                         1.4s 
Attaching to cloudflare-secrets-cloudflared-1
cloudflare-secrets-cloudflared-1  | Provided Tunnel token is not valid.
cloudflare-secrets-cloudflared-1  | See 'cloudflared tunnel run --help'.
cloudflare-secrets-cloudflared-1 exited with code 255

If I replace with

version: "3.9"

secrets:
  cloudflare_token:
    file: "token.secret"

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.5.1
    command: tunnel run --token /run/secrets/cloudflare_token
    secrets:
      - cloudflare_token

I get the same output

[nmldiegues]

The problem is that you are setting the TUNNEL_TOKEN To the file path, not to the token itself.
The env var needs to have the actual string contents of the token.

Maybe you want to use something like https://builtin.com/software-engineering-perspectives/docker-compose-environment-variables instead?

[Cyb3r-Jak3]

The env var needs to have the actual string contents of the token.

The way that docker secrets work is that the secret info, in this case, the token, is passed to the container via a file.

In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code
When you grant a newly-created or running service access to a secret, the decrypted secret is mounted into the container in an in-memory filesystem. The location of the mount point within the container defaults to /run/secrets/<secret_name>

Other images typically use an environment variable that ends in _FILE ie with mysql MYSQL_ROOT_PASSWORD_FILE instead of MYSQL_ROOT_PASSWORD_FILE

[beefstew809]

To reiterate, docker secrets allows us to have encrypted secrets at transit and at rest and makes it easier to keep tokens out of version control since it is not in the .env file. To the best of my (limited) knowledge, environment variables do not give us the same benefits of encryption at transit and rest. In my opinion, unless there is a more secure way to pass the token to a docker container, this should not be closed and should be worked on as a security enhancement.

[nmldiegues]

In my opinion, unless there is a more secure way to pass the token to a docker container, this should not be closed and should be worked on as a security enhancement.

I want to reiterate on my comment in #645 (comment) above, where I said:

If you really want a file, then you can:

cloudflared tunnel token --cred-file /tmp/mysecret.json <TUNNEL>

And then you have /tmp/mysecret.json to put in your secret storage and to use

So there's a way to rely on a file, which is why I closed the issue, regardless of the discussion around the environment variables.

[Cyb3r-Jak3]

If you really want a file, then you can:

cloudflared tunnel token --cred-file /tmp/mysecret.json <TUNNEL>

And then you have /tmp/mysecret.json to put in your secret storage and to use.

Doesn't this require having a cert.pem and a tunnel credentials file in the docker container?

With a docker-compose of

version: "3.9"

secrets:
  tunnel_file:
    file: "tunnel_info"

services:
  cloudflared:
    image: cloudflare/cloudflared:2022.5.1
    command: tunnel token --cred-file /run/secrets/tunnel_file 8be772befd147a8df540aae0fa15c047
    secrets:
      - tunnel_file
    volumes:
      - ./cloudflared:/etc/cloudflared/:ro

With ./cloudflared having a config.yml, cert.pem and tunnel credentials file. I can get it to work

Right now to get a connector online you run docker run cloudflare/cloudflared:2022.5.1 tunnel --no-autoupdate run --token <token id> where the token appears to be a base64 encoded JSON string that has a tunnel credential file information. The desired behavior is to be able to pass that same connector token is as a file.

[nmldiegues]

Doesn't this require having a cert.pem and a tunnel credentials file in the docker container?

This would be done once per tunnel only, as part of your setup that would generate/handle/manage the secret so that it would be available in the future for your container to use.

Right now to get a connector online you run docker run cloudflare/cloudflared:2022.5.1 tunnel --no-autoupdate run --token where the token appears to be a base64 encoded JSON string that has a tunnel credential file information. The desired behavior is to be able to pass that same connector token is as a file.

Let me make it extra clear:

1. you create the Tunnel in the UI
2. you run cloudflared tunnel token --cred-file /some/path/tunnel.json <TUNNEL>
3. now you make /some/path/tunnel.json available to your container via whatever volume
4. the container command should be: tunnel --credentials-file /volume/path/tunnel.json run <TUNNEL>

Steps 1/2 can be skipped if you create the Tunnel via the CLI and manage it that way.

No need for the cert.pem.