Access and Tokens
Securing R2 starts with a clear understanding of its API tokens. Unlike AWS IAM, with its verbose JSON policy documents, Cloudflare R2 reduces access control to a small set of predefined permission levels and bucket scopes.
The Security Matrix
When generating an R2 token via the dashboard, you must select permissions. Always adhere to the Principle of Least Privilege.
| Permission | Can Create/Delete Buckets? | Can Read Objects? | Can Write Objects? | Use Case |
|---|---|---|---|---|
| Admin Read & Write | ✅ Yes | ✅ Yes | ✅ Yes | Administrator CLI, Terraform IaC |
| Object Read & Write | ❌ No | ✅ Yes | ✅ Yes | CI/CD Deployments, Backend Servers |
| Object Read | ❌ No | ✅ Yes | ❌ No | Backup verification scripts, Read-only replicas |
Scoping by Bucket
You can further restrict tokens to specific buckets.
Never use an Account-scoped token for a production application. If your application only needs to upload user avatars, scope the token exactly to the avatars-bucket.
Token Rotation Strategy
API tokens leak, whether accidentally committed to a Git repository or exposed in a CI log, so you need a rotation strategy that avoids downtime when a token has to be replaced.
The Zero-Downtime Rotation Process:
- Generate a new API Token in the Cloudflare Dashboard with the exact same scopes.
- Update your application secrets (e.g., GitHub Actions Secrets, Kubernetes Secrets, .env files) with the new credentials.
- Deploy or restart your application so it begins using the new token.
- Check the application logs to confirm that uploads and downloads are succeeding with the new token.
- Go back to the Cloudflare Dashboard and delete or roll the old API Token.
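An added canary check for the verification step above, not part of this module's material: it proves the new token can write, read back and delete on the scoped bucket before the old token is rolled, and refuses to sign off if any step is denied. It assumes an Object Read & Write token, R2's S3-compatible endpoint via boto3 (endpoint format and region are assumptions), and a constructed in-memory client so the logic can run offline.

```python
import io
import uuid

def make_r2_client(account_id, access_key_id, secret_access_key):
    """boto3 S3 client for R2's S3-compatible endpoint (endpoint format/region assumed here)."""
    import boto3  # lazy import: verify_token below does not need boto3
    return boto3.client("s3", endpoint_url=f"https://{account_id}.r2.cloudflarestorage.com",
                        aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key,
                        region_name="auto")

def verify_token(client, bucket, prefix="rotation-canary/"):
    """Write, read back and delete one throwaway object using the NEW token.
    Steps stop at the first failure, so an under-scoped token (e.g. Object Read)
    fails at "write" and leaves nothing behind. Returns per-step booleans + error."""
    key = prefix + uuid.uuid4().hex  # unique key, so the canary never clobbers a real object
    payload = b"r2-rotation-canary"
    result = {"write": False, "read": False, "delete": False, "error": None}
    try:
        client.put_object(Bucket=bucket, Key=key, Body=payload)
        result["write"] = True
        result["read"] = client.get_object(Bucket=bucket, Key=key)["Body"].read() == payload
        client.delete_object(Bucket=bucket, Key=key)
        result["delete"] = True
    except Exception as exc:  # botocore ClientError (AccessDenied, NoSuchBucket, ...) in practice
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result

def safe_to_revoke_old_token(result):
    """Only retire the old token once the new one has proved every permission the app relies on."""
    return result["error"] is None and all(result[k] for k in ("write", "read", "delete"))

class FakeR2Client:
    """Constructed in-memory stand-in for the boto3 client so the check can be exercised offline."""
    def __init__(self, deny=()):
        self.store, self.deny = {}, set(deny)  # deny: operations a narrower token would be refused
    def _guard(self, op):
        if op in self.deny:
            raise PermissionError(f"AccessDenied on {op}")
    def put_object(self, Bucket, Key, Body):
        self._guard("put_object")
        self.store[(Bucket, Key)] = Body
    def get_object(self, Bucket, Key):
        self._guard("get_object")
        return {"Body": io.BytesIO(self.store[(Bucket, Key)])}
    def delete_object(self, Bucket, Key):
        self._guard("delete_object")
        del self.store[(Bucket, Key)]
```

Run `verify_token(make_r2_client(...), "<bucket>")` with the new credentials and only proceed to the final step when `safe_to_revoke_old_token` returns True.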
Integrating with Zero Trust (Cloudflare Access)
If you are using R2 to store internal company documents, you can place the R2 bucket behind Cloudflare Access (Zero Trust) instead of managing presigned URLs.
- Connect a Custom Domain to your bucket (see Module 07).
- Go to Zero Trust -> Access -> Applications.
- Create an application protecting your custom domain (internal-docs.yourcompany.com).
- Set policies requiring users to authenticate via Google/Okta/SAML before they can view the R2 bucket contents.
This lets you serve a private bucket to employees through enterprise SSO without writing any authentication code of your own.