Skip to content

AccountMember

Source: src/Cloudflare/Account/Member.ts

A member of a Cloudflare account — an invitation for a user (by email) to join the account with a set of roles or scoped policies.

The membership’s identity is its email: there is no API to change the address, so updating email triggers a replacement (a fresh invite). The assigned roles/policies are mutable in place. New invites stay pending until the invitee accepts; deleting the resource cancels a pending invite or removes an accepted member.

Safety: memberships carry no ownership markers. When there is no prior state, read scans the account for an existing membership with the same email and reports it as Unowned, so the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Inviting a member

Section titled “Inviting a member”
const role = yield* Cloudflare.findAccountRoleByName(
  accountId,
  "Administrator Read Only",
);


yield* Cloudflare.AccountMember("Auditor", {
  email: "auditor@example.com",
  roles: [role!.id],
});

Changing roles

Section titled “Changing roles”
// Same email — the membership is updated, not replaced.
yield* Cloudflare.AccountMember("Auditor", {
  email: "auditor@example.com",
  roles: [adminRole.id],
});

Scoped policies (Enterprise)

Section titled “Scoped policies (Enterprise)”
yield* Cloudflare.AccountMember("ScopedOperator", {
  email: "operator@example.com",
  policies: [{
    access: "allow",
    permissionGroups: [{ id: permissionGroupId }],
    resourceGroups: [{ id: resourceGroupId }],
  }],
});