HOWTO: Secure Cloudflare Tunnels remote access

Thank you for the step-by-step guide, it was really good.
I followed your steps.
I tested the lambda function as explained, and it worked (my Alexa devices were exposed during the test).

The issue seems to occur when I try to open the skill using the Alexa app. I receive a “forbidden” error from Zero Trust.

So, I temporarily removed Zero Trust and was able to activate the skill. Then, I reactivated Zero Trust, and everything kept working… until I needed to restart Home Assistant. After restarting, everything stops working.

Do you have any idea what the problem might be?

Hi @danirivas, I just followed your very clear instructions, but when I test it the curl returns my Home Assistant instance, while when I try to link my Alexa skill I get “Unable to link the skill at this time” after logging into Home Assistant.

I also tried the payload in the AWS test and it worked; it looks like the policies are not working properly to accept Service Auth.

What am I doing wrong?

Do you have bot protection enabled?

Hi @rossiluis22,

As @LiQuid_cOOled mentions, do you have bot protection enabled? I remember having to disable every single protection measure other than the CF service token or requests wouldn’t go through. Not saying it’s not possible, but I never figured it out. AFAIK, as long as that token is kept secure (I only use it for the Alexa Skill passed as an env var), this is already secure enough for the purpose (happy to be proven wrong here).

@cru5h3r sorry for the late response, but the same applies: maybe you could try disabling every security measure except for the token. From what you mention, you may have had a DNS record and the tunnel both pointing to the same hostname, and IIRC when this happens Cloudflare prioritizes the tunnel, so disabling it just got your requests routed through the DNS entry, which isn’t blocking them.

Nonetheless, I was just reviewing my configuration because out of pure chance I tried to access the hostname I use in the tunnel from my browser (i.e., w/o sending the CF token) and it took me to my HA’s login page. I don’t know if I made a mistake in my previous guide or CF has changed something and I wasn’t aware.

Now, if I follow step 4 and go to Access -> Applications, select my HA app, click Configure -> Policies I see that the policy I created back when I wrote the guide has a big gray LEGACY next to the policy name. Maybe they deprecated it since then.

To secure the tunnel again with the CF service token, just go edit your tunnel, then go to Public hostnames, edit the one you use for HA, click on Additional application settings -> Access, enable Protect with Access and select the service token you created and the Alexa Skill is using.

AI Bot Protection can still be enabled.
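The browser test described in the post above (opening the tunnel hostname without the token and landing on the HA login page) is worth scripting so it can be repeated after every Cloudflare or HA change. The following is an added example, not code from any post in this thread: it requests the hostname once without and once with the Access service-token headers (`CF-Access-Client-Id` / `CF-Access-Client-Secret`) and classifies the pair of status codes. The hostname `ha.example.com`, the `HA_HOST`, `CF_ACCESS_CLIENT_ID`, `CF_ACCESS_CLIENT_SECRET` and `RUN_CHECK` variables, and the function names are assumptions made for the example.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): verify that a Cloudflare Tunnel hostname
# is only reachable when the Access service token is presented.
# Assumptions: hostname in HA_HOST (placeholder default ha.example.com),
# service token in the CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET env vars.

HA_HOST="${HA_HOST:-ha.example.com}"

# Print only the HTTP status code of a request to the HA API root.
# $1 = "with" sends the service-token headers; anything else omits them.
status_for() {
  if [ "$1" = "with" ]; then
    curl -s -o /dev/null -w '%{http_code}' \
      -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
      -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}" \
      "https://${HA_HOST}/api/"
  else
    curl -s -o /dev/null -w '%{http_code}' "https://${HA_HOST}/api/"
  fi
}

# Classify a (status without token, status with token) pair.
# Prints one of: protected | open | token_rejected | unexpected
# Access answers an anonymous request with 403 (service-auth-only policy)
# or a 302 to its login page (policy that also allows identity login).
# Reaching HA itself yields 200, or 401 on /api/ because HA wants its own
# Bearer token there; either one means the request got past Access.
classify() {
  without="$1"
  with="$2"
  case "$without" in
    403|302) ;;                       # Access blocked the anonymous request, good
    200|401) echo open; return 0 ;;   # HA answered directly: Access is not applied
    *) echo unexpected; return 0 ;;
  esac
  case "$with" in
    200|401) echo protected ;;        # only the token gets through
    403|302) echo token_rejected ;;   # Access still blocks: wrong token or token not in the policy
    *) echo unexpected ;;
  esac
}

main() {
  w=$(status_for without)
  t=$(status_for with)
  echo "without token: $w, with token: $t -> $(classify "$w" "$t")"
}

# Only hit the network when explicitly asked, e.g. RUN_CHECK=1 sh check.sh
if [ "${RUN_CHECK:-0}" = "1" ]; then
  main
fi
```

An `open` result is exactly the symptom described above (the login page appears without the token); `token_rejected` matches the “forbidden” and “Unable to link the skill” reports earlier in the thread, where Access is in place but the token the skill sends is not accepted by the policy.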

I am curious, what SSL/TLS encryption mode do you run?

I use Full (strict)