Env Vars and Secrets

Pass in environment variables and secrets to your container

Environment variables can be passed into a Container using the envVars field in the Container class, or by setting manually when the Container starts.

Secrets can be passed into a Container by using Worker Secrets or the Secret Store, then passing them into the Container as environment variables.

These examples show the various ways to pass in secrets and environment variables. In each, we will be passing in:

the variable "ENV_VAR" as a hard-coded environment variable
the secret "WORKER_SECRET" as a secret from Worker Secrets
the secret "SECRET_STORE_SECRET" as a secret from the Secret Store

In practice, you may just use one of the methods for storing secrets, but we will show both for completeness.

Creating secrets

First, let's create the "WORKER_SECRET" secret in Worker Secrets:

npx wrangler secret put WORKER_SECRET

yarn wrangler secret put WORKER_SECRET

pnpm wrangler secret put WORKER_SECRET

Then, let's create a store called "demo" in the Secret Store, and add the "SECRET_STORE_SECRET" secret to it:

npx wrangler secrets-store store create demo --remote

yarn wrangler secrets-store store create demo --remote

pnpm wrangler secrets-store store create demo --remote

npx wrangler secrets-store secret create demo --name SECRET_STORE_SECRET --scopes workers --remote

yarn wrangler secrets-store secret create demo --name SECRET_STORE_SECRET --scopes workers --remote

pnpm wrangler secrets-store secret create demo --name SECRET_STORE_SECRET --scopes workers --remote

For full details on how to create secrets, see the Workers Secrets documentation and the Secret Store documentation.

Adding a secrets binding

Next, we need to add bindings to access our secrets and environment variables in Wrangler configuration.

wrangler.jsonc
wrangler.toml

{
  "name": "my-container-worker",
  "vars": {
    "ENV_VAR": "my-env-var"
  },
  "secrets_store_secrets": [
    {
      "binding": "SECRET_STORE",
      "store_id": "demo",
      "secret_name": "SECRET_STORE_SECRET"
    }
  ]
  // rest of the configuration...
}

name = "my-container-worker"

[vars]
ENV_VAR = "my-env-var"

[[secrets_store_secrets]]
binding = "SECRET_STORE"
store_id = "demo"
secret_name = "SECRET_STORE_SECRET"

Note that "WORKER_SECRET" does not need to be specified in the Wrangler config file, as it is automatically added to env.

Also note that we did not configure anything specific for environment variables or secrets in the container-related portion of the Wrangler configuration file.

Using `envVars` on the Container class

Now, let's pass the env vars and secrets to our container using the envVars field in the Container class:

// https://developers.cloudflare.com/workers/runtime-apis/bindings/#importing-env-as-a-global
import { env } from "cloudflare:workers";
export class MyContainer extends Container {
  defaultPort = 8080;
  sleepAfter = "10s";
  envVars = {
    WORKER_SECRET: env.WORKER_SECRET,
    ENV_VAR: env.ENV_VAR,
    // we can't set the secret store binding as a default here, as getting the secret value is asynchronous
  };
}

Every instance of this Container will now have these variables and secrets set as environment variables when it launches.

Setting environment variables per-instance

But what if you want to set environment variables on a per-instance basis?

In this case, use the startAndWaitForPorts() method to pass in environment variables for each instance.

export class MyContainer extends Container {
  defaultPort = 8080;
  sleepAfter = "10s";
}

export default {
  async fetch(request, env) {
    if (new URL(request.url).pathname === "/launch-instances") {
      let instanceOne = env.MY_CONTAINER.getByName("foo");
      let instanceTwo = env.MY_CONTAINER.getByName("bar");

      // Each instance gets a different set of environment variables

      await instanceOne.startAndWaitForPorts({
        startOptions: {
          envVars: {
            ENV_VAR: env.ENV_VAR + "foo",
            WORKER_SECRET: env.WORKER_SECRET,
            SECRET_STORE_SECRET: await env.SECRET_STORE.get(),
          },
        },
      });

      await instanceTwo.startAndWaitForPorts({
        startOptions: {
          envVars: {
            ENV_VAR: env.ENV_VAR + "foo",
            WORKER_SECRET: env.ANOTHER_WORKER_SECRET,
            SECRET_STORE_SECRET: await env.OTHER_SECRET_STORE.get(),
          },
        },
      });
      return new Response("Container instances launched");
    }

    // ... etc ...
  },
};

Build-time environment variables

Finally, you can also set build-time environment variables that are only available when building the container image via the image_vars field in the Wrangler configuration.

Was this helpful?

Community
X
Discord
YouTube
GitHub