> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Set up a Cloudflare Zero Trust connector > C1 provides identity governance for Cloudflare Zero Trust. Integrate your Cloudflare Zero Trust instance with C1 to run user access reviews (UARs) and enable just-in-time access requests. ## Capabilities | Resource | Sync | Provision | | :------------ | :------------------------------------------------------------ | :------------------------------------------------------------ | | Accounts | | | | Access groups | | | | Roles | | | ## Gather Cloudflare Zero Trust credentials Configuring the connector requires you to pass in credentials generated in Cloudflare Zero Trust. Gather these credentials before you move on. A user with **Super Administrator** access in Cloudflare Zero Trust must perform this task. ### Locate your Cloudflare Account ID Log into your Cloudflare Super Administrator account and select **Workers** from the left nav. On the **Workers** page, find your Account ID on the right side of the page. Copy and save the Account ID. ### Create an API Token **Alternative credential option:** If you do not want to generate and use an API token for the integration, Cloudflare Zero Trust also accepts authentication via an API key and the corresponding account's email address. Find your API keys by navigating to **My Profile** > **API Tokens**. Click the user icon and select **My Profile**. Click **API Tokens** on the left side, then click **Create Token**. At the bottom of the page, in the **Custom Token** area, click **Get started**. Fill out the **Create Custom Token** page as follows: 1. Give the API token a name, such as **C1** 2. Set the appropriate permissions for the API token: If you want to use C1 to provision Cloudflare Zero Trust groups and roles, set: * Account -> Account Settings -> Read * Account -> Access: Organizations, Identity Providers, and Groups -> Edit * Account -> Access: Apps and Policies -> Read * Account -> Access: Audit Logs -> Read Otherwise, set: * Account -> Account Settings -> Read * Account -> Access: Organizations, Identity Providers, and Groups -> Read * Account -> Access: Apps and Policies -> Read * Account -> Access: Audit Logs -> Read 3. Click **Continue to summary**. Click **Create Token** and copy the token generated for you. **Done.** You should now have one of the following credentials sets: * Account ID * API token OR * Account ID * The email address associated with your Cloudflare account * Global API key Next, move on to the instructions for your chosen setup method. ## Configure the Cloudflare Zero Trust connector To complete this task, you'll need: * The **Connector Administrator** or **Super Administrator** role in C1 * Access to the set of Cloudflare Zero Trust credentials generated by following the instructions above **Follow these instructions to use a built-in, no-code connector hosted by C1.** In C1, navigate to **Integrations** > **Connectors** and click **Add connector**. Search for **Cloudflare Zero Trust** and click **Add**. Choose how to set up the new Cloudflare Zero Trust connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. Find the **Settings** area of the page and click **Edit**. Choose how you'll authenticate to Cloudflare Zero Trust: * Select **API token**, then enter the account ID into the **Account ID** field and paste the API token into the **API token** field. * Select **Email + API key**, then enter the account ID into the **Account ID** field, your email into the **Email ID** field, and your Global API key into the **API key** field. Click **Save**. The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing. **Done.** Your Cloudflare Zero Trust connector is now pulling access data into C1. **Follow these instructions to use the Cloudflare Zero Trust connector, hosted and run in your own environment.** When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests. ### Resources * [GitHub repository](https://github.com/conductorone/baton-cloudflare-zero-trust): Access the source code, report issues, or contribute to the project. ### Step 1: Set up a new Cloudflare Zero Trust connector In C1, navigate to **Integrations** > **Connectors** > **Add connector**. Search for **Baton** and click **Add**. Choose how to set up the new Cloudflare Zero Trust connector: * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1) * Add the connector to a managed app (select from the list of existing managed apps) * Create a new managed app Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process. Click **Next**. In the **Settings** area of the page, click **Edit**. Click **Rotate** to generate a new Client ID and Secret. Carefully copy and save these credentials. We'll use them in Step 2. ### Step 2: Create Kubernetes configuration files Create two Kubernetes manifest files for your Cloudflare Zero Trust connector deployment: #### Secrets configuration ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-cloudflare-zero-trust-secrets.yaml apiVersion: v1 kind: Secret metadata: name: baton-cloudflare-zero-trust-secrets type: Opaque stringData: # C1 credentials BATON_CLIENT_ID: BATON_CLIENT_SECRET: # Cloudflare Zero Trust credentials, option 1 BATON_ACCOUNT_ID: BATON_API_TOKEN: # Cloudflare Zero Trust credentials, option 2 BATON_ACCOUNT_ID: BATON_API_KEY: BATON_EMAIL: # Optional: include if you want C1 to provision access using this connector BATON_PROVISIONING: true ``` See the connector's README or run `--help` to see all available configuration flags and environment variables. #### Deployment configuration ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}} # baton-cloudflare-zero-trust.yaml apiVersion: apps/v1 kind: Deployment metadata: name: baton-cloudflare-zero-trust labels: app: baton-cloudflare-zero-trust spec: selector: matchLabels: app: baton-cloudflare-zero-trust template: metadata: labels: app: baton-cloudflare-zero-trust baton: true baton-app: cloudflare-zero-trust spec: containers: - name: baton-cloudflare-zero-trust image: ghcr.io/conductorone/baton-cloudflare-zero-trust:latest imagePullPolicy: IfNotPresent env: - name: BATON_HOST_ID value: baton-cloudflare-zero-trust envFrom: - secretRef: name: baton-cloudflare-zero-trust-secrets ``` ### Step 3: Deploy the connector Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files. Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Cloudflare Zero Trust connector to. Cloudflare Zero Trust data should be found on the **Entitlements** and **Accounts** tabs. **Done.** Your Cloudflare Zero Trust connector is now pulling access data into C1.