Cloudflare Worker Secrets Vault

Securely store and manage secret keys, tokens, and certificates for accessing protected resources inside of a Cloudflare Worker.

Secret text:

You can upload secret text (such as password, or API keys used to access other services to the script).

Text secrets have three properties:

  • name: the name of the variable that will be used in the script to reference the secret.
  • text: the value of the text (e.g. the API key itself)
  • type: this will always be secret_text for secret text bindings.

The script will automatically have let $name = $text predefined, so you can use the variable you’ve defined throughout the script.

Below is an example of metadata payload for uploading two secrets: USERNAME and PASSWORD in metadata.json, which we will be uploading through the API.

metadata.json:

{
  "body_part": "script",
  "bindings": [
    {
      "name": "USERNAME",
      "type": "secret_text",
      "text": "thisimyusername"
    },
    {
      "name": "PASSWORD",
      "type": "secret_text",
      "text": "hunter2"
    }
  ]
}

Note that script is the name of the multi-form part that the script itself is submitted through.

An example of an API call to upload the script will look like this if you have one script:

curl -sv -X PUT "https://api.cloudflare.com/client/v4/zones/:zoneId/workers/script/" -H "X-Auth-Email:[email protected]"  -H "X-Auth-Key:$CF_API_KEY" -F '[email protected];type=application/json' -F '[email protected];type=application/javsacript'

Multi-script (enterprise only):

curl -sv -X PUT "https://api.cloudflare.com/client/v4/accounts/:accountId/workers/scripts/:scriptName" -H "X-Auth-Email:[email protected]"  -H "X-Auth-Key:$CF_API_KEY" -F '[email protected]_secret_text.json;type=application/json' -F '[email protected];type=application/javsacript'

CryptoKeys

CryptoKeys are instances of the WebCrypto API’s CryptoKey class. These can be configured such that the Worker script cannot access the secret’s content directly, but can only use it in cryptographic operations. CryptoKeys allow you to scope the permitted uses (e.g. only sign or verify) for the key.

CryptoKeys have the following properties:

  • name: the name of the variable that will be used in the script to reference the secret.
  • type: this will always be secret_key for secret key bindings.
  • format: follows the SubtleCrypto standard - an enumerated value describing the data format of the key to imported. Format can be one of the following: raw, pkcs8, spki, jwk.
  • algorithm: dictionary object defining the algorithm that was used to generate the key being imported. The dictionary will have two name for the name of the algorithm, and an optional hash object for certain algorithms.
  • usages: follows the SubtleCrypto standard - usages is an Array indicating what can be done with the key. Possible values of the array are: encrypt, decrypt, sign, verify.
  • key_jwk or key_base64 for raw keys.

metadata.json example of JWK:

{
  "body_part": "script",
  "bindings": [
            {
      "name": "gcp-key",
      "type": "secret_key",
      "format": "jwk",
      "algorithm": {"name":"RSASSA-PLCS1-v1_5", "hash": {"name": "SHA-256"}},
      "usages": ["sign"],
      "key_jwk": {
            "kty": "RSA",
            "e": "AQAB",
            "n": "value is here",
            "kid":"a",
            "d":"b",
            "alg": "RS256"
          }
   }
]}

metadata.json example of a raw key:

{
      "name": "sigkey",
      "type": "secret_key",

      "format": "raw",
      "key_base64": "key is here",
      "algorithm": {
        "name": "HMAC",
        "hash": {
          "name": "SHA-256"
        }
      },
      "usages": ["sign", "verify"]
    }