A secrets engine for creating Cloudflare API tokens seems like a shoe-in for Vault. The engine would work in a way identical to other secrets engine whereby Vault is provided with a highly-privileged API token and accepts requests to create and hand out additional API tokens, given a set of parameters.
Desirable features would correspond to what Cloudflare lets you do when creating an API token:
Client IP address filtering (control which IP address is allowed to use a Cloudflare API token) (doc)
TTL (this is probably redundant with Vault's TTL functionality already found in other secrets engines, so using Cloudflare's built-in TTL feature may not be needed, but I thought I'd mention it) (doc)
A secrets engine for creating Cloudflare API tokens seems like a shoe-in for Vault. The engine would work in a way identical to other secrets engine whereby Vault is provided with a highly-privileged API token and accepts requests to create and hand out additional API tokens, given a set of parameters.
Desirable features would correspond to what Cloudflare lets you do when creating an API token:
See also: