workers-sdk
workers-sdk copied to clipboard
cloudflare
wrangler can silently override environment variables that were set elsewhere
To reproduce:
-
wrangler initto create awrangler.tomlwith only a compatibility date. -
wrangler publish --name new-workerto deploy the worker script. - Go to
dash.cloudflare.com> Workers > new-worker > settings > variables > Add Variable. Do not encrypt the variable. - Re-publish the worker script. The environment variable will disappear.
Note this does not affect secrets, although wrangler secret put will overwrite existing secrets in the dashboard.
What should the new behaviour be? Here are a few options:
- wrangler checks for previous environment variables and errors on publish if a variable was removed; asks for confirmation.
- Should there be a
--forcetoggle that you can use in CI?
- Should there be a
- wrangler no longer stores environment variables in its config, they are treated like secrets.
- In the future, we would want to handle
.envfiles though?
- In the future, we would want to handle
Found the API for retrieving bindings, we can query at runtime and compare values.
# curl -X GET
"https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/workers/scripts/<script_name>/bindings" \
-H "X-Auth-Email: [email protected]" \
-H "Authorization: Bearer <JWT API Token with read access>" \
-H "Accept: application/javascript"
There is now a metadata parameter on script upload called keep_bindings which takes an array of binding types to retain from the previous upload. Environment variables have the type plain_text so having the upload metadata look like
"main_module": "...",
"bindings": [...],
"keep_bindings": ["plain_text"],
will retain previous environment variables.
We merged a change into wrangler that will, on publish, NOT delete any vars that were previously defined, and aren't included in wrangler.toml any more. This should remove some confusion about vars that disappear on publish.
This also means devs are free to define vars with the dashboard, and edit them at any time, and they won't be blown away or updated when wrangler publish is called. Note to clarify: To be excluded from updating when the worker is published, these vars must NOT be defined in wrangler.toml. This behaviour seems more intuitive and should unblock most people.
The release including these changes should go out early next week (usually monday morning), but they can try wrangler@beta if anyone would like to try these changes out sooner.
Additionally, we've landed a feature for defining vars as CLI args. You can now do wrangler publish --var name1:value1 --var name2:value2 --var name3:$SOME_ENV_VAR to define vars. These vars behave like setting them in the dashboard; they won't be updated on wrangler publish if they're not included in wrangler.toml. See this pull request for more details https://github.com/cloudflare/wrangler2/pull/1730 (until we document this further in the main docs). This may also be useful to people.
Closing this issue.
It's still happening for us, even with the latest version of wrangler (3.1.1). Wrangler deletes all environment variables on deploy, regardless of whether they are included in the wrangler config or not
For anybody coming here from search, it's a CLI parameter now:
wrangler --keep-vars
Hello, does anyone know how to upload environment variables to worker settings env vars? Using API and Python?
I want to be able to set env vars from my shell and use some of their values as the value for some things I define now in .dev.vars.
Or let me use the secrets I define in the dashboard so I don't have to have unencrypted secrets on my drive.
