Skip to content
Cloudflare Docs

Env Vars and Secrets

Pass in environment variables and secrets to your container

Environment variables can be passed into a Container using the envVars field in the Container class, or by setting manually when the Container starts.

Secrets can be passed into a Container by using Worker Secrets or the Secret Store, then passing them into the Container as environment variables.

These examples show the various ways to pass in secrets and environment variables. In each, we will be passing in:

  • the variable "ACCOUNT_NAME" as a hard-coded environment variable
  • the secret "CONTAINER_SECRET_KEY" as a secret from Worker Secrets
  • the secret "ACCOUNT_API_KEY" as a secret from the Secret Store

In practice, you may just use one of the methods for storing secrets, but we will show both for completeness.

Creating secrets

First, let's create the "CONTAINER_SECRET_KEY" secret in Worker Secrets:

Terminal window
npx wrangler secret put CONTAINER_SECRET_KEY

Then, let's create a store called "demo" in the Secret Store, and add the "ACCOUNT_API_KEY" secret to it:

Terminal window
npx wrangler secrets-store store create demo --remote
Terminal window
npx wrangler secrets-store secret create demo --name ACCOUNT_API_KEY --scopes workers --remote

For full details on how to create secrets, see the Workers Secrets documentation and the Secret Store documentation.

Adding a secrets binding

Next, we need to add bindings to access our secrets and environment variables in Wrangler configuration.

{
  "name": "my-container-worker",
  "vars": {
    "ACCOUNT_NAME": "my-account"
  },
  "secrets_store_secrets": [
    {
      "binding": "SECRET_STORE",
      "store_id": "demo",
      "secret_name": "ACCOUNT_API_KEY"
    }
  ]
  // rest of the configuration...
}

Note that "CONTAINER_SECRET_KEY" does not need to be set, at it is automatically added to env.

Also note that we did not configure anything specific for environment variables or secrets in the container-related portion of wrangler configuration.

Using envVars on the Container class

Now, let's define a Container using the envVars field in the Container class:

export class MyContainer extends Container {
  defaultPort = 8080;
  sleepAfter = '10s';
  envVars = {
    ACCOUNT_NAME: env.ACCOUNT_NAME,
    ACCOUNT_API_KEY: env.SECRET_STORE.ACCOUNT_API_KEY,
    CONTAINER_SECRET_KEY: env.CONTAINER_SECRET_KEY,
  };
}

Every instance of this Container will now have these variables and secrets set as environment variables when it launches.

Setting environment variables per-instance

But what if you want to set environment variables on a per-instance basis?

In this case, set manualStart then use the start method to pass in environment variables for each instance. We'll assume that we've set additional secrets in the Secret Store.

export class MyContainer extends Container {
  defaultPort = 8080;
  sleepAfter = '10s';
  manualStart = true;
}


export default {
  async fetch(request, env) {
    if (new URL(request.url).pathname === '/launch-instances') {
      let idOne = env.MY_CONTAINER.idFromName('foo');
      let instanceOne = env.MY_CONTAINER.get(idOne);


      let idTwo = env.MY_CONTAINER.idFromName('foo');
      let instanceTwo = env.MY_CONTAINER.get(idTwo);


      // Each instance gets a different set of environment variables


      await instanceOne.start({
        envVars: {
          ACCOUNT_NAME: env.ACCOUNT_NAME + "-1",
          ACCOUNT_API_KEY: env.SECRET_STORE.ACCOUNT_API_KEY_ONE,
          CONTAINER_SECRET_KEY: env.CONTAINER_SECRET_KEY_TWO,
        }
      )


      await instanceTwo.start({
        envVars: {
          ACCOUNT_NAME: env.ACCOUNT_NAME + "-2",
          ACCOUNT_API_KEY: env.SECRET_STORE.ACCOUNT_API_KEY_TWO,
          CONTAINER_SECRET_KEY: env.CONTAINER_SECRET_KEY_TWO,
        }
      )
      return new Response('Container instances launched');
    }


    // ... etc ...
  }
}