Skip to content
This repository has been archived by the owner on Aug 3, 2023. It is now read-only.

Environment variable for global API key #209

Closed
DrDaveD opened this issue Jun 4, 2019 · 11 comments
Closed

Environment variable for global API key #209

DrDaveD opened this issue Jun 4, 2019 · 11 comments
Labels
docs
Milestone
1.1.1

Comments

@DrDaveD
Copy link

DrDaveD commented Jun 4, 2019

The bottom of the API keys documentation page says to use environment variables if possible for the important key but doesn't explain how to do it. Checking the code, I don't see any way to do it. Is there a way? If not, could you please make a way or at a minimum remove the suggestion from the documentation?
@xtuc
Copy link
Member

xtuc commented Jun 4, 2019

Might be wrong but I don't think it's actually implemented.

@ashleygwilliams
Copy link
Contributor

it is possible but you are right to indicate that it is not documented! https://github.com/cloudflare/wrangler/blob/master/src/settings/global_user.rs#L28

it is also untested- we should document and test this to make it better/possible to use.

@AaronO
Copy link
Contributor

AaronO commented Jun 6, 2019

@DrDaveD @ashleygwilliams I just submitted a PR (#225) to remove the hard-requirements for a global config file, so wrangler is more CI-friendly.

@DrDaveD The correct envs are CF_API_KEY and CF_EMAIL.

The code comments in master hinted to CF_ACCOUNT_AUTH_KEY which I think is used by other Cloudflare CLIs, so we might want to standardize that to be consistent.

@DrDaveD
Copy link
Author

DrDaveD commented Jun 7, 2019

Thanks! I confirm that not setting api_key in the config file and instead exporting CF_API_KEY works.

@paulbhartzog-holo
Copy link

paulbhartzog-holo commented Aug 7, 2019
edited
Loading

Thanks! I confirm that not setting api_key in the config file and instead exporting CF_API_KEY works.

Example of how to use env vars like CF_API_KEY inside wrangler.toml ? Thx.

@ashleygwilliams
Copy link
Contributor

hi @paulbhartzog-holo ! I'm curious why you'd want to use the environment variables inside the wrangler.toml. A wrangler.toml file should only contain information that you'd want to commit to source control, which means that it should not be potentially accessible to the public. As a result, we don't allow anyone to configure their global API key in the configuration file because your API key is not something that should every be publicly shared. An environment variable is an key value pair available in your environment- storing an env variable in a config file is possible in a few systems (with an encryption CLI feature) but we prefer to ask folks to configure it using wrangler config or env variables which prevents mishaps that could leak the secret. Many CI systems offer ways to set env variables:

Would any of the above solutions help or could you share more about why you'd like to have this data in your wrangler.toml? Would love to help!

@paulbhartzog-holo
Copy link

Would any of the above solutions help or could you share more about why you'd like to have this data in your wrangler.toml? Would love to help!

Didn't end up needing ENV vars in toml. We are integrating CircleCI, and their env-vars worked great. :-)

@ashleymichal ashleymichal added this to the 1.1.1 milestone Aug 9, 2019
@ashleymichal
Copy link
Contributor

ashleymichal commented Aug 9, 2019
edited
Loading

closed by #379. Also opened an issue in the docs repo (cloudflare/cloudflare-docs#327) for updating the quick start. good catch!

@ashleymichal ashleymichal mentioned this issue Aug 9, 2019
Closed
@wuservices
Copy link

@ashleygwilliams is the implicit assumption here that only the global API key is a secret and that account IDs and zone IDs are OK to be public?

A wrangler.toml file should only contain information that you'd want to commit to source control, which means that it should not be potentially accessible to the public. As a result, we don't allow anyone to configure their global API key in the configuration file because your API key is not something that should every be publicly shared.

@ashleygwilliams
Copy link
Contributor

ashleygwilliams commented Oct 14, 2019
edited
Loading

@wuservices correct! as per our security team, it's completely Fine to have your zone_id and account_id public, the Global API key and associated email address should be kept secret.

everything in a wrangler.toml is committable to publicly accessible version control :)

@revelt revelt mentioned this issue Dec 10, 2020
Closed
HirotaZX added a commit to HirotaZX/Simplified-Chinese-for-light-gg that referenced this issue Jul 1, 2021
@HirotaZX
wrangler.toml is safe to commit
749c566 
cloudflare/wrangler-legacy#209 (comment)
@ngshiheng
Copy link

@wuservices correct! as per our security team, it's completely Fine to have your zone_id and account_id public, the Global API key and associated email address should be kept secret.

everything in a wrangler.toml is committable to publicly accessible version control :)

How about kv_namespaces? Is it safe for me to publish my namespace id to a public git repo?

Accurate0 added a commit to Accurate0/infrastructure that referenced this issue Aug 2, 2022
@Accurate0
zone id is not secret
c8f51ec 
cloudflare/wrangler-legacy#209 (comment)
@YumNumm YumNumm mentioned this issue Sep 25, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
docs
Projects
None yet
Milestone
1.1.1
Development

No branches or pull requests
9 participants
@wuservices @AaronO @ashleygwilliams @xtuc @DrDaveD @ashleymichal @EverlastingBugstopper @paulbhartzog-holo @ngshiheng