Cloudflare R2: Least Privilege Access Setup
Learn how to create API tokens with minimal permissions for secure Cloudflare R2 access with Cloney.
Overview
When connecting your Cloudflare R2 buckets to Cloney for data migration, it's essential to follow the principle of least privilege. This guide will walk you through creating R2 API tokens with only the permissions necessary for Cloney to read from or write to your R2 buckets, minimizing security risks.
Cloudflare R2 uses S3-compatible API tokens. Create dedicated tokens with specific bucket permissions rather than using account-wide access.
Prerequisites
- A Cloudflare account with R2 enabled
- At least one R2 bucket created
- Knowledge of whether you need read-only (source) or write (destination) access
Step 1: Access R2 API Tokens
- Sign in to your Cloudflare Dashboard
- Navigate to R2 Object Storage in the sidebar
- Click on Manage R2 API Tokens
- Click Create API token
Step 2: Configure Token Permissions
Configure your token with the appropriate permissions:
For Source Buckets (Read-Only):
- Token name: cloney-source-token
- Permissions: Object Read
- Specify bucket: Select your source bucket(s)
For Destination Buckets (Read/Write):
- Token name: cloney-destination-token
- Permissions: Object Read & Write
- Specify bucket: Select your destination bucket(s)
R2 allows you to scope tokens to specific buckets. Always limit tokens to only the buckets needed for migration.
Step 3: Generate and Save Credentials
- Review your token configuration
- Click Create API Token
- Important: Copy and securely store:
  - Access Key ID: Used as the S3 access key
  - Secret Access Key: Used as the S3 secret key
  - Endpoint: Your R2 S3-compatible endpoint
The Secret Access Key is only shown once. Store it in a secure password manager immediately.
Step 4: Note Your R2 Details
You'll need these details to connect your R2 bucket to Cloney:
- Account ID: Found in Cloudflare dashboard URL or R2 overview
- Endpoint: https://<ACCOUNT_ID>.r2.cloudflarestorage.com
- Access Key ID: From the API token you created
- Secret Access Key: From the API token you created
- Bucket Name: Your R2 bucket name
You can now use these credentials in Cloney to connect your Cloudflare R2 bucket securely.
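A check you can run after Step 4 to confirm that a token really has only the scope selected in Step 2: read access to its own bucket, write access only for a destination token, and no access to any other bucket. This is an added example, not Cloney or Cloudflare code; it assumes boto3 is installed, and the function names, the `R2_*` environment variable names and the probe key are hypothetical.

```python
import os

def _outcome(call, **kwargs):
    """Run one S3 call and classify it as 'allowed', 'denied' or 'error:<type>'."""
    try:
        call(**kwargs)
        return "allowed"
    except Exception as exc:  # botocore's ClientError carries a .response dict
        resp = getattr(exc, "response", None) or {}
        code = resp.get("Error", {}).get("Code")
        status = resp.get("ResponseMetadata", {}).get("HTTPStatusCode")
        if code == "AccessDenied" or status == 403:
            return "denied"
        return f"error:{type(exc).__name__}"

def check_token_scope(client, role, bucket, other_bucket, probe_key="cloney-scope-probe"):
    """Return mismatches between what the token can do and what its role allows."""
    # role: "source" (Object Read) or "destination" (Object Read & Write).
    # other_bucket: assumed to exist in the same account, outside the token's scope.
    expected = {
        "read": "allowed",
        "write": "allowed" if role == "destination" else "denied",
        "other_bucket": "denied",
    }
    observed = {
        "read": _outcome(client.list_objects_v2, Bucket=bucket, MaxKeys=1),
        "write": _outcome(client.put_object, Bucket=bucket, Key=probe_key, Body=b""),
        "other_bucket": _outcome(client.list_objects_v2, Bucket=other_bucket, MaxKeys=1),
    }
    if observed["write"] == "allowed":  # remove the empty probe object again
        _outcome(client.delete_object, Bucket=bucket, Key=probe_key)
    return [f"{name}: expected {want}, got {observed[name]}"
            for name, want in expected.items() if observed[name] != want]

def make_r2_client():
    """Build an S3 client for R2 from environment variables (names are assumptions)."""
    import boto3  # third-party; imported here so the checks above need no SDK
    return boto3.client(
        "s3",
        endpoint_url=f"https://{os.environ['R2_ACCOUNT_ID']}.r2.cloudflarestorage.com",
        aws_access_key_id=os.environ["R2_ACCESS_KEY_ID"],
        aws_secret_access_key=os.environ["R2_SECRET_ACCESS_KEY"],
        region_name="auto",
    )

if __name__ == "__main__":
    env = os.environ
    problems = check_token_scope(make_r2_client(), env["R2_ROLE"], env["R2_BUCKET"], env["R2_OTHER_BUCKET"])
    print("\n".join(problems) or "token scope matches its role")
```

The write probe creates and then deletes an empty object, so pick a `probe_key` that cannot collide with real data.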
Permission Reference
R2 API token permissions and their purposes:
| Permission | Description | Required For |
|---|---|---|
| Object Read | Read objects and list bucket contents | Source buckets |
| Object Read & Write | Full object operations including upload and delete | Destination buckets |
| Admin Read | View bucket settings and metadata | Optional |
| Admin Read & Write | Manage bucket settings | Not recommended |
Best Practices
- Use Bucket-Specific Tokens: Create separate tokens for each bucket or migration job.
- Rotate Tokens Regularly: Delete and recreate tokens periodically for security.
- Set TTL (Optional): Configure token expiration for temporary access needs.
- Monitor Usage: Use Cloudflare Analytics to track R2 API usage and detect anomalies.