# Cloudflare Token Taxonomy

Status: Phase 2 in progress — new names live in code, vault write pending

Owner: operator / sre-agent

Last updated: 2026-05-01 UTC

Tracking: #754 (CF token rename), refs #81 (Epic: SDLC, Tooling, and Security Hardening)
This document is the canonical name-mapping reference for the Cloudflare token rename
executed in #754. It maps old names to new names, explains the `CF_<FUNCTION>_<SCOPE>`
pattern, and lists the actions still needed to complete the migration.

See `docs/ops/vault-token-taxonomy.md` Section 1 for the full naming convention that
applies to all vendors.
## Mapping table

| Old name | New name | Function | Vault path |
|---|---|---|---|
| `CLOUDFLARE_RAXX_AUTOMATION_API_TOKEN` | `CF_PAGES_DEPLOY` | CF Pages deploy + Access app read | `/MooseQuest/cloudflare/` |
| `CLOUDFLARE_ACCESS_MGMT_TOKEN` | `CF_ACCESS_MGMT` | CF Access app/policy management | `/MooseQuest/cloudflare/` |
| `CLOUDFLARE_PAGES_READ_TOKEN` | `CF_PAGES_READ` | CF Pages project read-only (status probe) | `/MooseQuest/cloudflare/` |
| `CF_ACCESS_SERVICE_TOKEN_CONSOLE` | `CF_ACCESS_SVC_CONSOLE` | CF Access service token — console.raxx.app bypass | `/MooseQuest/cloudflare/` |
| `CF_ACCESS_SERVICE_TOKEN_VAULT_PROBE` | `CF_ACCESS_SVC_VAULT` | CF Access service token — vault.raxx.app bypass | `/MooseQuest/cloudflare/` |
| `CLOUDFLARE_ACCOUNT_ID` | `CF_ACCOUNT_ID` | Cloudflare account identifier (config value, not secret) | `/MooseQuest/cloudflare/` |
| `CLOUDFLARE_EDIT_DNS` | `CF_DNS_EDIT` | DNS record write — raxx.app zone | `/MooseQuest/cloudflare/` |
## Names that already followed the pattern (no change)

These were already correct and are left unchanged:

| Name | Function |
|---|---|
| `CF_ACCESS_CLIENT_ID` | CF Access service token client ID for vault bypass |
| `CF_ACCESS_CLIENT_SECRET` | CF Access service token client secret for vault bypass |
## Migration state (as of 2026-05-01)

### Done

- [x] `CF_<FUNCTION>_<SCOPE>` naming convention locked in `docs/ops/vault-token-taxonomy.md` (2026-04-30)
- [x] All Python consumers updated with new-name-first resolution + legacy-name fallback (this PR, #754)
- [x] Shell scripts updated to accept both new and old names (this PR, #754)
- [x] Runbooks updated to show new names as primary (this PR, #754)
- [x] Rotation matrix `INDEX.md` updated (this PR, #754)
### Pending operator actions (post-merge)

- Write new-taxonomy secrets to Infisical at `/MooseQuest/cloudflare/`:
  - `CF_PAGES_DEPLOY` = same value as `CLOUDFLARE_RAXX_AUTOMATION_API_TOKEN`
  - `CF_ACCESS_MGMT` = same value as `CLOUDFLARE_ACCESS_MGMT_TOKEN`
  - `CF_PAGES_READ` = same value as `CLOUDFLARE_PAGES_READ_TOKEN`
  - `CF_ACCESS_SVC_CONSOLE` = same value as `CF_ACCESS_SERVICE_TOKEN_CONSOLE`
  - `CF_ACCESS_SVC_VAULT` = same value as `CF_ACCESS_SERVICE_TOKEN_VAULT_PROBE`
  - `CF_ACCOUNT_ID` = same value as `CLOUDFLARE_ACCOUNT_ID`
  - `CF_DNS_EDIT` = same value as `CLOUDFLARE_EDIT_DNS`
- Add new GH secrets (repo-level Actions secrets):
  - For each CI workflow that uses `CLOUDFLARE_*`, add the new-named secret alongside the old one.
  - CI currently uses: `CLOUDFLARE_PAGES_READ_TOKEN`, `CLOUDFLARE_ACCOUNT_ID` (in deploy workflows).
- Update Heroku config vars for each app:
  - `raxx-console-prod`: add `CF_PAGES_READ`, `CF_ACCOUNT_ID`, `CF_ACCESS_SVC_CONSOLE`, `CF_ACCESS_MGMT`
  - `raxx-console-staging`: add `CF_ACCESS_SVC_CONSOLE` (staging variant)
  - `raxx-api-prod` / `raxx-api-staging`: add `CF_PAGES_DEPLOY` if referenced
- Smoke test after each Heroku config set to confirm probes stay green.
- File cleanup card to delete old names from vault + Heroku config vars + GH secrets after one full deploy cycle confirms new names work. Target: one sprint after this PR merges.
## Rationale for each name choice

| New name | Rationale |
|---|---|
| `CF_PAGES_DEPLOY` | The automation token's primary function is deploying CF Pages projects. "automation" in the old name was vague; "pages-deploy" is self-describing. |
| `CF_ACCESS_MGMT` | Manages CF Access apps and policies. `_MGMT` follows the `<FUNCTION>` convention without a scope suffix (one CF account). |
| `CF_PAGES_READ` | Read-only status probe for CF Pages deployments. `_READ` suffix distinguishes it from `CF_PAGES_DEPLOY`. |
| `CF_ACCESS_SVC_CONSOLE` | Service token for the console CF Access gate. `_SVC` distinguishes service tokens from user API tokens. `_CONSOLE` is the scope (which surface it unlocks). |
| `CF_ACCESS_SVC_VAULT` | Service token for the vault CF Access gate. `_VAULT` is the scope. |
| `CF_ACCOUNT_ID` | Short, unambiguous. This is a config value, not a secret — a short name reduces friction. |
| `CF_DNS_EDIT` | DNS record write permission. `_EDIT` follows the verb-noun `<FUNCTION>` convention. |
## Backward compatibility
During the migration window (between this PR and the cleanup card being resolved):
- All Python consumers resolve the new name first, then the legacy name as fallback:

  ```python
  token = os.environ.get("CF_PAGES_READ") or os.environ.get("CLOUDFLARE_PAGES_READ_TOKEN")
  ```

- Shell scripts accept either name (new name takes precedence where both are set).
- No running service will break when the new names are added, because they are additive.
- Old names will continue to work until explicitly deleted in the cleanup step.
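The one-line `or` fallback above works per consumer, but during the migration window it is also worth being able to tell, from one place, which tokens are still resolving through their legacy name and whether a rotation has been applied to only one of the two names. The following is an added example (not the project's own code) that applies the new-name-first rule across the whole mapping table from this document; `resolve` and `check_migration` are hypothetical helper names, and the `env` dicts in the test are constructed.

```python
"""Added example, not the project's code: new-name-first / legacy-fallback
resolution for every CF token in the mapping table, plus a migration-window
drift check. `resolve` and `check_migration` are hypothetical names."""
import logging
import os
from typing import Mapping, Optional

log = logging.getLogger("cf_tokens")

# New name -> legacy name, copied from the mapping table above.
LEGACY_NAMES = {
    "CF_PAGES_DEPLOY": "CLOUDFLARE_RAXX_AUTOMATION_API_TOKEN",
    "CF_ACCESS_MGMT": "CLOUDFLARE_ACCESS_MGMT_TOKEN",
    "CF_PAGES_READ": "CLOUDFLARE_PAGES_READ_TOKEN",
    "CF_ACCESS_SVC_CONSOLE": "CF_ACCESS_SERVICE_TOKEN_CONSOLE",
    "CF_ACCESS_SVC_VAULT": "CF_ACCESS_SERVICE_TOKEN_VAULT_PROBE",
    "CF_ACCOUNT_ID": "CLOUDFLARE_ACCOUNT_ID",
    "CF_DNS_EDIT": "CLOUDFLARE_EDIT_DNS",
}


def resolve(new_name: str, env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return the value for `new_name`; the legacy name is only a fallback.

    Empty strings count as unset, exactly like the `a or b` form the
    consumers use, so an empty new-name var cannot mask a populated legacy var.
    """
    legacy = LEGACY_NAMES[new_name]
    value = env.get(new_name) or env.get(legacy)
    if value and not env.get(new_name):
        log.warning("%s unset; using legacy %s (goes away with the cleanup card)",
                    new_name, legacy)
    return value or None


def check_migration(env: Mapping[str, str] = os.environ) -> dict:
    """Classify every token for the migration window.

    'drift' means both names are set with different values (a rotation hit only
    one name); 'legacy_only' means the new-name write is still pending;
    'missing' means neither name is set.
    """
    report = {"ok": [], "legacy_only": [], "drift": [], "missing": []}
    for new, old in LEGACY_NAMES.items():
        n, o = env.get(new), env.get(old)
        if n and o and n != o:
            report["drift"].append(new)
        elif n:
            report["ok"].append(new)
        elif o:
            report["legacy_only"].append(new)
        else:
            report["missing"].append(new)
    return report
```

Running `check_migration()` against each Heroku app's config (or a CI job's environment) gives the smoke-test step above a concrete pass condition: an empty `drift` list and an empty `legacy_only` list.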
## Follow-up cleanup card
After one full deploy cycle confirms new names are live and services are healthy, file a card to:
- Delete old-named secrets from Infisical vault.
- Remove old-named GH Actions secrets.
- Remove old-named Heroku config vars.
- Remove legacy-fallback code from Python consumers (the `or os.environ.get("OLD_NAME")` lines).
- Remove legacy entries from `vault.py` dicts (`ROTATION_MODE`, `SOP_PATH`, `_CREDENTIAL_CADENCE_KEY`, `AFFECTED_SITES`, `_VENDOR_URL_CATALOG`).
- Remove legacy entries from `handler_validator.py` `HANDLER_REGISTRY`.
- Update `rotation/INDEX.md` to mark legacy rows as `[archived]`.