Add Access User Skill

Quick Start

Add user@example.com to Cloudflare Access

1. Add the email to ACCESS_ALLOWED_EMAIL in .env
2. Update the update-access-emails.sh script with new email list
3. Run the script to sync policies to Cloudflare
4. Verify policies updated for all 6 protected services
5. Provide test instructions for the new user

Table of Contents

1. When to Use This Skill
2. What This Skill Does
3. Instructions
4. Supporting Files
5. Expected Outcomes
6. Requirements
7. Red Flags to Avoid

When to Use This Skill

• "Add [email] to Cloudflare Access"
• "Grant access to [email]"
• "Allow [email] to authenticate"
• "Share service access with [email]"
• "Update access users"

• User mentions sharing network access with family/colleagues
• User wants to grant remote access to services
• User asks about multi-user authentication

• "User [email] can't log in"
• "Access denied for [email]"
• "How do I add another user?"

What This Skill Does

1. Validates Email - Ensures valid email format
2. Checks Duplicates - Prevents adding existing users
3. Updates .env - Adds email to ACCESS_ALLOWED_EMAIL
4. Updates Script - Modifies update-access-emails.sh with new email list
5. Syncs Policies - Runs script to update Cloudflare Access policies
6. Verifies - Confirms all 6 services updated successfully
7. Provides Test Steps - Instructions for new user to verify access

Instructions

3.1 Gather Email Address

• Single email:

  user@example.com

• Multiple emails:

  user1@example.com, user2@example.com

3.2 Validate Email Format

import re
def validate_email(email):
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return bool(re.match(pattern, email.strip()))

3.3 Read Current Configuration

grep -E "^ACCESS_ALLOWED_EMAIL" /home/dawiddutoit/projects/network/.env

ACCESS_ALLOWED_EMAIL="email1,email2,email3"

3.4 Check for Duplicates

3.5 Update .env File

/home/dawiddutoit/projects/network/.env

ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com"

ACCESS_ALLOWED_EMAIL="dawiddutoit@temet.ai,fifthchildd@gmail.com,dawidddutoit@gmail.com"

3.6 Update update-access-emails.sh Script

/home/dawiddutoit/projects/network/scripts/update-access-emails.sh

include

"include": [
    {"email": {"email": "dawiddutoit@temet.ai"}},
    {"email": {"email": "fifthchildd@gmail.com"}},
    {"email": {"email": "dawidddutoit@gmail.com"}},
    {"email": {"email": "NEW_EMAIL_HERE"}}
]

3.7 Run Update Script

cd /home/dawiddutoit/projects/network && ./scripts/update-access-emails.sh

Updating policies for all services to include all three emails...

Processing app: 56de3246-c9ed-4877-8af1-dc360ac49584
  Updating policy: <policy-id>
  [checkmark] Policy updated successfully

Processing app: 9f1e8109-3f3f-456e-94f5-093bfc9e1c1e
  ...
  [checkmark] Policy updated successfully

All policies updated!

3.8 Verify Policies Updated

• Services Dashboard (temet.ai)
• Home Assistant (ha.temet.ai)
• Sprinkler System (sprinkler.temet.ai)
• Langfuse Monitoring (langfuse.temet.ai)
• Jaeger Tracing (jaeger.temet.ai)
• Pi-hole Admin (pihole.temet.ai)

3.9 Provide Test Instructions

ACCESS GRANTED FOR: [email]

To test your access:
1. Open an incognito/private browser window
2. Navigate to: https://pihole.temet.ai
3. Click "Google" to authenticate
4. Sign in with your Google account: [email]
5. After successful authentication, you should see Pi-hole admin

All accessible services:
- https://pihole.temet.ai (Pi-hole DNS admin)
- https://jaeger.temet.ai (Jaeger tracing)
- https://langfuse.temet.ai (Langfuse monitoring)
- https://sprinkler.temet.ai (Sprinkler system)
- https://ha.temet.ai (Home Assistant)
- https://temet.ai (Services dashboard)

Supporting Files

references/reference.md

examples/examples.md

Expected Outcomes

• Email added to ACCESS_ALLOWED_EMAIL in .env
• Script updated with new email in include array
• All 6 Cloudflare Access policies updated
• New user can authenticate via Google OAuth

• .env updated but script needs manual sync
• Some policies failed (rare - API rate limiting)

• "Policy update failed" in script output
• Email validation error
• Duplicate email detected
• API token expired or missing permissions

Requirements

• Valid

  .env

  with CLOUDFLARE_ACCESS_API_TOKEN
• CLOUDFLARE_ACCOUNT_ID set correctly
• Network connectivity to Cloudflare API

1. Go to: https://console.cloud.google.com/apis/credentials/consent
2. Change User Type from "Internal" to "External"
3. Save changes

• Read (check current .env)
• Edit (update .env and script)
• Bash (run update script)
• Grep (check for duplicates)

Red Flags to Avoid

• Do not add invalid email format
• Do not add duplicate emails (check first)
• Do not forget to update BOTH .env AND the script
• Do not skip running update-access-emails.sh after editing
• Do not skip verification of all 6 services
• Do not assume non-workspace emails will work without OAuth consent change
• Do not modify the bypass policy for webhook.temet.ai
• Do not run cf-access-setup.sh (that's for initial setup, not adding users)

Notes

• The script has hardcoded app IDs for the 6 protected services
• Webhook (webhook.temet.ai) has bypass policy and is NOT affected
• Session duration is 24 hours - users must re-authenticate daily
• Access logs available at: https://one.dash.cloudflare.com -> Logs -> Access
• Google OAuth requires the email to match exactly (case-insensitive)
• Multiple emails are comma-separated with no spaces after commas