# Runbook: Docs site access (team + client)
There are two docs sites, both hosted on Cloudflare Pages and gated by Cloudflare Access. Authentication is Google Workspace SSO; authorization is by Google group membership.
| Site | URL | Allowed by Google group |
|---|---|---|
| Team | https://docs.evospin.evo-verse.dev | evospin-dev@evo-verse.com |
| Client | https://platform.evo-verse.dev | docs-client-guests-evospin@evo-verse.com (allows external guests) |
User and group management is in Google Admin, not Cloudflare. The Cloudflare Access policies just read group membership at login time.
## Grant access — internal developer
- Google Admin → Directory → Groups → evospin-dev@evo-verse.com.
- Add members → the developer's @evo-verse.com address.
- Tell them to visit https://docs.evospin.evo-verse.dev and sign in with their work Google account. Allow ~60 seconds for group sync.
## Grant access — external client (guest)
- Google Admin → Directory → Groups → docs-client-guests-evospin@evo-verse.com.
- Confirm the group is configured to allow external members (Group settings → Member options → "Allow members outside your organization").
- Add members → the client's email.
- They visit https://platform.evo-verse.dev, sign in with their own Google account. (If they don't have a Google account for that address, they get a one-time prompt to attach one.)
## Revoke access
- Remove the user from the relevant Google group.
- Optional — kill the active session immediately: Cloudflare Zero Trust → Users → the user's entry → Revoke. Otherwise the existing session expires within the app's session TTL (8h client / 24h team).
## Emergency: lock everyone out
If a site needs to go offline immediately:
- Disable the policy: Cloudflare Zero Trust → Access → Applications → EBIT Docs — Team (or Client) → Policies → toggle the Allow policy off. Existing sessions are revoked on next request.
- Or pause the deploy: Cloudflare → Workers & Pages → ebit-docs (or ebit-docs-client) → Settings → pause production deployments.
## Service tokens (for monitors / CI scrapers)
Human SSO won't work for uptime checks. Create a per-consumer Service Token in Cloudflare Zero Trust → Access → Service Auth → Service Tokens, then add a Service Auth include rule to the relevant app's policy. Consumers send:
Rotate every 12 months and on any incident.
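As an added example (not part of the runbook), here is a probe a monitor could run against either site with such a token. It assumes the consumer presents the token as Cloudflare's `CF-Access-Client-Id` / `CF-Access-Client-Secret` Service Auth headers; the environment variable names are ours. A redirect to `*.cloudflareaccess.com` is reported separately, because that is what a missing, revoked or un-included token looks like from the outside (and why the Slack/Notion unfurl bot only ever sees the login page).

```shell
#!/bin/sh
# Added example, not from the runbook: uptime probe for a docs site behind
# Cloudflare Access, authenticating with a Service Token instead of human SSO.
# Assumptions: token sent as CF-Access-Client-Id / CF-Access-Client-Secret;
# DOCS_PROBE_CLIENT_ID / DOCS_PROBE_CLIENT_SECRET are our own variable names.

# Classify one probe from the HTTP status and the redirect target (if any).
# Redirects are NOT followed, so a 302 to *.cloudflareaccess.com is visible:
# it means Access rejected the token (missing, revoked, or the policy has no
# Service Auth include rule), which is a different failure from the site being down.
classify() {
  code="$1"
  redirect="${2:-}"
  case "$code" in
    200|204) echo ok ;;
    301|302|303|307|308)
      case "$redirect" in
        *.cloudflareaccess.com/*) echo login-redirect ;;
        *) echo redirect ;;
      esac ;;
    401|403) echo denied ;;
    000) echo unreachable ;;
    5??) echo server-error ;;
    *) echo unexpected ;;
  esac
}

# Probe one URL. Prints "<url> <classification>"; exit status 0 only for "ok",
# so a monitor or CI job can use the exit code directly.
probe() {
  url="$1"
  # -w prints "<status> <redirect_url>"; http_code is 000 when unreachable.
  result=$(curl -s -o /dev/null --max-time 10 \
    -H "CF-Access-Client-Id: ${DOCS_PROBE_CLIENT_ID:?set DOCS_PROBE_CLIENT_ID}" \
    -H "CF-Access-Client-Secret: ${DOCS_PROBE_CLIENT_SECRET:?set DOCS_PROBE_CLIENT_SECRET}" \
    -w '%{http_code} %{redirect_url}' "$url")
  # Unquoted on purpose: splits "<status> <redirect_url>" into two arguments.
  status=$(classify $result)
  echo "$url $status"
  [ "$status" = ok ]
}

# Usage: DOCS_PROBE_CLIENT_ID=... DOCS_PROBE_CLIENT_SECRET=... sh probe.sh https://docs.evospin.evo-verse.dev
if [ -n "${1:-}" ]; then
  probe "$1"
fi
```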
## Common issues
- "Access denied" after correct Google sign-in — user isn't in the group, OR the Workspace IdP can't read groups (Admin SDK API disabled, or the OAuth consent screen is missing the right scopes). Re-check group membership in Google Admin first; if that's correct, see the IdP audit log at Cloudflare → Zero Trust → Logs → Access.
- Client login loop — usually a third-party cookie / SameSite issue. Try incognito with cookies enabled for *.cloudflareaccess.com and the docs domain.
- Slack / Notion link previews fail — expected. Access intercepts the unfurl bot with a login page, so previews can't render. Use plain links.
## Owners
- Primary: devops@evo-verse.com
- Backup: assign a second Workspace admin and Cloudflare admin before going live.