Env Vars and Secrets
Pass in environment variables and secrets to your container
Environment variables can be passed into a Container using the envVars
field
in the Container
class, or by setting manually when the Container starts.
Secrets can be passed into a Container by using Worker Secrets or the Secret Store, then passing them into the Container as environment variables.
These examples show the various ways to pass in secrets and environment variables. In each, we will be passing in:
- the variable
"ENV_VAR"
as a hard-coded environment variable - the secret
"WORKER_SECRET"
as a secret from Worker Secrets - the secret
"SECRET_STORE_SECRET"
as a secret from the Secret Store
In practice, you may just use one of the methods for storing secrets, but we will show both for completeness.
First, let's create the "WORKER_SECRET"
secret in Worker Secrets:
npx wrangler secret put WORKER_SECRET
yarn wrangler secret put WORKER_SECRET
pnpm wrangler secret put WORKER_SECRET
Then, let's create a store called "demo" in the Secret Store, and add
the "SECRET_STORE_SECRET"
secret to it:
npx wrangler secrets-store store create demo --remote
yarn wrangler secrets-store store create demo --remote
pnpm wrangler secrets-store store create demo --remote
npx wrangler secrets-store secret create demo --name SECRET_STORE_SECRET --scopes workers --remote
yarn wrangler secrets-store secret create demo --name SECRET_STORE_SECRET --scopes workers --remote
pnpm wrangler secrets-store secret create demo --name SECRET_STORE_SECRET --scopes workers --remote
For full details on how to create secrets, see the Workers Secrets documentation and the Secret Store documentation.
Next, we need to add bindings to access our secrets and environment variables in Wrangler configuration.
{ "name": "my-container-worker", "vars": { "ENV_VAR": "my-env-var" }, "secrets_store_secrets": [ { "binding": "SECRET_STORE", "store_id": "demo", "secret_name": "SECRET_STORE_SECRET" } ] // rest of the configuration...}
name = "my-container-worker"
[vars]ENV_VAR = "my-env-var"
[[secrets_store_secrets]]binding = "SECRET_STORE"store_id = "demo"secret_name = "SECRET_STORE_SECRET"
Note that "WORKER_SECRET"
does not need to be specified in the Wrangler config file, as it is automatically
added to env
.
Also note that we did not configure anything specific for environment variables or secrets in the container-related portion of the Wrangler configuration file.
Now, let's pass the env vars and secrets to our container using the envVars
field in the Container
class:
// https://developers.cloudflare.com/workers/runtime-apis/bindings/#importing-env-as-a-globalimport { env } from "cloudflare:workers";export class MyContainer extends Container { defaultPort = 8080; sleepAfter = "10s"; envVars = { WORKER_SECRET: env.WORKER_SECRET, ENV_VAR: env.ENV_VAR, // we can't set the secret store binding as a default here, as getting the secret value is asynchronous };}
Every instance of this Container
will now have these variables and secrets
set as environment variables when it launches.
But what if you want to set environment variables on a per-instance basis?
In this case, use the startAndWaitForPorts()
method to pass in environment variables for each instance.
export class MyContainer extends Container { defaultPort = 8080; sleepAfter = "10s";}
export default { async fetch(request, env) { if (new URL(request.url).pathname === "/launch-instances") { let instanceOne = env.MY_CONTAINER.getByName("foo"); let instanceTwo = env.MY_CONTAINER.getByName("bar");
// Each instance gets a different set of environment variables
await instanceOne.startAndWaitForPorts({ startOptions: { envVars: { ENV_VAR: env.ENV_VAR + "foo", WORKER_SECRET: env.WORKER_SECRET, SECRET_STORE_SECRET: await env.SECRET_STORE.get(), }, }, });
await instanceTwo.startAndWaitForPorts({ startOptions: { envVars: { ENV_VAR: env.ENV_VAR + "foo", WORKER_SECRET: env.ANOTHER_WORKER_SECRET, SECRET_STORE_SECRET: await env.OTHER_SECRET_STORE.get(), }, }, }); return new Response("Container instances launched"); }
// ... etc ... },};
Finally, you can also set build-time environment variables that are only available when building the container image via the image_vars
field in the Wrangler configuration.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-