|
| 1 | +--- |
| 2 | +updated: 2021-03-16 |
| 3 | +category: 🔐 Zero Trust |
| 4 | +difficulty: Advanced |
| 5 | +--- |
| 6 | + |
| 7 | +# Output an app's token to a variable with one command |
| 8 | + |
| 9 | +You can use [Argo Tunnel](/connections/connect-apps) to connect applications and servers to Cloudflare's network. Argo Tunnel relies on a piece of software, `cloudflared`, to create those connections. |
| 10 | + |
| 11 | +You can also secure those applications with [Cloudflare Access](/applications/self-hosted-apps). With Cloudflare Access, you can build Zero Trust rules which restrict who can reach your application based on signals like identity, multifactor method, device posture, and geography. |
| 12 | + |
| 13 | +When users authenticate to the applications secured by Cloudflare Access, Cloudflare generates a JSON Web Token (JWT) that contains the user's information and permits the user to reach the application. In web-based use cases, the browser stores the JWT as a cookie. |
| 14 | + |
| 15 | +You can also use `cloudflared` to quickly gather the JWT from an application and use it from the command line or for programmatic use cases like scripts. |
| 16 | + |
| 17 | +**🗺️ This tutorial covers how to:** |
| 18 | + |
| 19 | +* Login to an application secured by Cloudflare Access from the command line using `cloudflared` |
| 20 | +* Use Z Shell or Bash to create a time-saving command to store the JWT as an environment variable |
| 21 | + |
| 22 | +**⏲️Time to complete: 5 minutes** |
| 23 | + |
| 24 | +## Install `cloudflared` |
| 25 | + |
| 26 | +Start by [downloading and installing](/connections/connect-apps/install-and-setup/installation) the Argo Tunnel daemon, `cloudflared`. On Mac, you can do so by running the following `brew` command. If you do not have Homebrew, follow the [documentation](https://docs.brew.sh/Installation) to install it. |
| 27 | + |
| 28 | +`$ brew install cloudflare/cloudflare/cloudflared` |
| 29 | + |
| 30 | +## Login to an app from the command line |
| 31 | + |
| 32 | +Once installed, you can use the `access login` command in `cloudflared` to generate the JWT for a given application. |
| 33 | + |
| 34 | +```sh |
| 35 | +$ cloudflare access login https://jira.company.com |
| 36 | +``` |
| 37 | + |
| 38 | +`cloudflared` will print a URL that you can visit in a browser to authenticate to Cloudflare Access. If you are using a headless system, you can visit the URL in a different machine with a browser and the login will still return the JWT to `cloudflared`. |
| 39 | + |
| 40 | +```sh |
| 41 | +Please open the following URL and log in with your Cloudflare account: |
| 42 | + |
| 43 | +<URL> |
| 44 | + |
| 45 | +Leave cloudflared running to download the token automatically. |
| 46 | +``` |
| 47 | + |
| 48 | +`cloudflared` will print the token and you can begin using it. |
| 49 | + |
| 50 | +## Set as environment variable |
| 51 | + |
| 52 | +If you have an application where you frequently need to request a token, you can save time and reduce steps by adding a command to your shell. |
| 53 | + |
| 54 | +### Z shell |
| 55 | + |
| 56 | +If you are using the Z shell, edit your existing `~/.zshrc` file or create one for the first time. |
| 57 | + |
| 58 | +```sh |
| 59 | +vim ~/.zshrc |
| 60 | +``` |
| 61 | + |
| 62 | +You can add the following function to your file, replacing `https://jira.company.com` with the application you need. You can also rename the function to something shorter or more applicable to your application. |
| 63 | + |
| 64 | +```sh |
| 65 | +function login-jira() { |
| 66 | + export JIRA_TOKEN=$(cloudflared access login https://jira.cfops.it/ | sed '/^[[:space:]]*$/d' | tail -n 1) |
| 67 | + echo $JIRA_TOKEN |
| 68 | +} |
| 69 | +``` |
| 70 | + |
| 71 | +Next, run the following command in your shell to update your profile. |
| 72 | + |
| 73 | +```sh |
| 74 | +$ source ~/.zshrc |
| 75 | +``` |
| 76 | + |
| 77 | +### Bash |
| 78 | + |
| 79 | +If you are using Bash, edit your existing `~/.bashrc` file or create one for the first time. |
| 80 | + |
| 81 | +```sh |
| 82 | +vim ~/.bashrc |
| 83 | +``` |
| 84 | + |
| 85 | +You can add the following function to your file, replacing `https://jira.company.com` with the application you need. You can also rename the function to something shorter or more applicable to your application. |
| 86 | + |
| 87 | +```sh |
| 88 | +function login-jira() { |
| 89 | + export JIRA_TOKEN=$(cloudflared access login https://jira.cfops.it/ | sed '/^[[:space:]]*$/d' | tail -n 1) |
| 90 | + echo $JIRA_TOKEN |
| 91 | +} |
| 92 | +``` |
| 93 | + |
| 94 | +Next, run the following command in your shell to update your profile. |
| 95 | + |
| 96 | +```sh |
| 97 | +$ source ~/.bashrc |
| 98 | +``` |
| 99 | + |
| 100 | +### Run command |
| 101 | + |
| 102 | +Now, you can run the following command to login to Cloudflare Access. Instead of printing the token, the shell will store it as an environment variable that you can use. |
| 103 | + |
| 104 | +```sh |
| 105 | +$ login-jira |
| 106 | +``` |
0 commit comments