Configuration
Wrangler Config
Basic Binding
wrangler.jsonc:
{
  "secrets_store_secrets": [
    {
      "binding": "API_KEY",
      "store_id": "abc123",
      "secret_name": "stripe_api_key"
    }
  ]
}
wrangler.toml (alternative):
[[secrets_store_secrets]]
binding = "API_KEY"
store_id = "abc123"
secret_name = "stripe_api_key"
Fields:
- binding: Variable name for env access
- store_id: From wrangler secrets-store store list
- secret_name: Identifier (no spaces)
Environment-Specific
wrangler.jsonc:
{
  "env": {
    "production": {
      "secrets_store_secrets": [
        {
          "binding": "API_KEY",
          "store_id": "prod-store",
          "secret_name": "prod_api_key"
        }
      ]
    },
    "staging": {
      "secrets_store_secrets": [
        {
          "binding": "API_KEY",
          "store_id": "staging-store",
          "secret_name": "staging_api_key"
        }
      ]
    }
  }
}
wrangler.toml (alternative):
[env.production]
[[env.production.secrets_store_secrets]]
binding = "API_KEY"
store_id = "prod-store"
secret_name = "prod_api_key"
[env.staging]
[[env.staging.secrets_store_secrets]]
binding = "API_KEY"
store_id = "staging-store"
secret_name = "staging_api_key"
Wrangler Commands
Store Management
wrangler secrets-store store list
wrangler secrets-store store create my-store --remote
wrangler secrets-store store delete <store-id> --remote
Secret Management (Production)
# Create (interactive)
wrangler secrets-store secret create <store-id> \
  --name MY_SECRET --scopes workers --remote
# Create (piped)
cat secret.txt | wrangler secrets-store secret create <store-id> \
  --name MY_SECRET --scopes workers --remote
# List/get/update/delete
wrangler secrets-store secret list <store-id> --remote
wrangler secrets-store secret get <store-id> --name MY_SECRET --remote
wrangler secrets-store secret update <store-id> --name MY_SECRET --new-value "val" --remote
wrangler secrets-store secret delete <store-id> --name MY_SECRET --remote
# Duplicate
wrangler secrets-store secret duplicate <store-id> \
  --name ORIG --new-name COPY --remote
Local Development
CRITICAL: Production secrets (--remote) NOT accessible in local dev.
# Create local-only (no --remote)
wrangler secrets-store secret create <store-id> --name DEV_KEY --scopes workers
wrangler dev # Uses local secrets
wrangler deploy # Uses production secrets
Best practice: Separate names for local/prod:
{
  "env": {
    "development": {
      "secrets_store_secrets": [
        { "binding": "API_KEY", "store_id": "store", "secret_name": "dev_api_key" }
      ]
    },
    "production": {
      "secrets_store_secrets": [
        { "binding": "API_KEY", "store_id": "store", "secret_name": "prod_api_key" }
      ]
    }
  }
}
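A check for this separation that can run before deploy, as an added example that is not part of the original document or of Wrangler. The function name `lintSecretsBindings`, the finding strings and the sample config are assumptions made for illustration; it expects the config already parsed, with JSONC comments stripped.

```javascript
// Added example: lint secrets_store_secrets entries in a parsed Wrangler config.
// Assumption: JSONC comments were stripped beforehand so JSON.parse accepts the file.
function lintSecretsBindings(config) {
  const findings = [];
  // Assumption: top-level bindings are checked as their own "(top-level)" environment.
  const envs = { "(top-level)": config, ...(config.env || {}) };
  const firstUse = new Map(); // "store_id/secret_name" -> first environment using it

  for (const [envName, envCfg] of Object.entries(envs)) {
    const bindings = new Set();
    for (const entry of envCfg.secrets_store_secrets || []) {
      const missing = ["binding", "store_id", "secret_name"].filter(
        (f) => typeof entry[f] !== "string" || entry[f] === "");
      if (missing.length > 0) {
        findings.push(`${envName}: missing ${missing.join(", ")}`);
        continue;
      }
      // The field list above requires an identifier with no spaces.
      if (/\s/.test(entry.secret_name)) {
        findings.push(`${envName}: secret_name "${entry.secret_name}" contains whitespace`);
      }
      if (bindings.has(entry.binding)) {
        findings.push(`${envName}: duplicate binding ${entry.binding}`);
      }
      bindings.add(entry.binding);
      // Two environments resolving to the same stored secret breaks dev/prod separation.
      const key = `${entry.store_id}/${entry.secret_name}`;
      const owner = firstUse.get(key);
      if (owner === undefined) firstUse.set(key, envName);
      else if (owner !== envName) findings.push(`${envName}: shares secret ${key} with ${owner}`);
    }
  }
  return findings;
}

// Constructed sample: development is bound to the production secret by mistake.
const sampleConfig = JSON.parse(`{
  "env": {
    "development": { "secrets_store_secrets": [
      { "binding": "API_KEY", "store_id": "store", "secret_name": "prod_api_key" } ] },
    "production": { "secrets_store_secrets": [
      { "binding": "API_KEY", "store_id": "store", "secret_name": "prod_api_key" },
      { "binding": "DB_PASS", "store_id": "store", "secret_name": "db pass" } ] }
  }
}`);

console.log(lintSecretsBindings(sampleConfig));
```

An empty result means every environment has complete, distinct bindings; a CI job can fail the build when the array is non-empty.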
Dashboard
Creating Secrets
- Secrets Store → Create secret
- Fill: Name (no spaces), Value, Scope (Workers), Comment
- Save (value hidden after)
Adding Bindings
Method 1: Worker → Settings → Bindings → Add → Secrets Store
Method 2: Create secret directly from Worker settings dropdown
Deploy options:
- Deploy: Immediate 100%
- Save version: Gradual rollout
CI/CD
GitHub Actions
- name: Create secret
  env:
    CLOUDFLARE_API_TOKEN: ${{ secrets.CF_TOKEN }}
    # Pass the value via the environment so it is never expanded into the script text
    API_KEY_VALUE: ${{ secrets.API_KEY }}
  run: |
    echo "$API_KEY_VALUE" | \
      npx wrangler secrets-store secret create "$STORE_ID" \
      --name API_KEY --scopes workers --remote
- name: Deploy
  run: npx wrangler deploy
GitLab CI
script:
- echo "$API_KEY_VALUE" | npx wrangler secrets-store secret create $STORE_ID --name API_KEY --scopes workers --remote
- npx wrangler deploy
See: api.md, patterns.md