
[Secrets Store] Clarify role, API token, and scope permissions#31724

Open
mitch292 wants to merge 1 commit into
cloudflare:productionfrom
mitch292:mitch292/clarify-secrets-store-perms

Conversation

@mitch292

Contributor
  • Describe the three independent permission layers (user roles, API token permissions, secret scopes) and the fact that all three must be satisfied for actions like deploying a Worker with a Secrets Store binding.
  • Clarify that Account Secrets Store Read only allows viewing metadata, and that Account Secrets Store Edit is required to bind a secret to another Cloudflare resource (Workers, AI Gateway).
  • Add a CI/CD caution callout reproducing the error message users hit when their wrangler-action token only has Read permission (Secrets store bindings unavailable in github action workers-sdk#8964).
  • Add a Secret scopes section documenting the workers and ai-gateway scopes and how to set them via dashboard, API, or Wrangler.

Summary

Attempt to clarify the proper API token permissions required for deploying a secret and the additional level of per-service authorization required on the secret scopes.

Screenshots (optional)

Overview change
Screenshot 2026-06-26 at 11 00 37 AM

API Token permission clarifications
Screenshot 2026-06-26 at 11 00 49 AM

Secret scope clarifications
Screenshot 2026-06-26 at 11 00 54 AM

Documentation checklist

- Describe the two independent enforcement checks (authorization
  and secret scope) and that both must pass for actions like
  deploying a Worker with a Secrets Store binding. Authorization
  for a given request comes from either a user role (dashboard)
  or an API token permission, not both.
- Clarify that Account Secrets Store Read only allows viewing
  metadata, and that Account Secrets Store Edit is required to bind
  a secret to another Cloudflare resource (Workers, AI Gateway).
- Add a CI/CD caution callout reproducing the error message users
  hit when their wrangler-action token only has Read permission
  (cloudflare/workers-sdk#8964).
- Add a Secret scopes section documenting the workers and ai-gateway
  scopes and how to set them via dashboard, API, or Wrangler.
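The access decision the PR describes, as an added reference model (this is example code written for this page, not Cloudflare's implementation or anything from the cloudflare-docs repository). It shows the two enforcement checks as independent gates: the caller's effective permission, which comes from a single credential per request (a dashboard role or an API token), and the secret's scope, which is consulted only when a secret is bound to another resource. The action names `view_metadata`, `edit` and `bind`, the `failed_check` labels, and the `preflight_deploy` helper are assumptions made for the example; the permission names and the `workers` and `ai-gateway` scopes follow the PR text.

```python
"""Reference model of the Secrets Store access decision described in the PR.

Illustrative only: not Cloudflare's implementation. Permission names follow
the page (Account Secrets Store Read / Edit); action names and the
failed_check labels are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Permission(Enum):
    """Effective Secrets Store permission of the caller.

    It comes from exactly one credential per request: a dashboard user's
    role or an API token's permission, never both.
    """
    NONE = 0
    READ = 1   # Account Secrets Store Read: view secret metadata only
    EDIT = 2   # Account Secrets Store Edit: create, update and bind secrets


# Services a secret can be scoped to (the two scopes the page documents).
KNOWN_SCOPES = frozenset({"workers", "ai-gateway"})


@dataclass(frozen=True)
class Secret:
    name: str
    scopes: frozenset  # services this secret may be bound to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed_check: Optional[str]  # "authorization", "scope", or None when allowed
    reason: str


def authorize(permission: Permission, action: str,
              secret: Optional[Secret] = None,
              target_service: Optional[str] = None) -> Decision:
    """Apply the independent checks; every one of them must pass.

    Assumed action names: "view_metadata", "edit", "bind". "bind" attaches
    `secret` to `target_service` (e.g. deploying a Worker with a Secrets
    Store binding) and is the only action that also consults the scopes.
    """
    # Check 1: authorization via the role or token permission.
    if action == "view_metadata":
        if permission in (Permission.READ, Permission.EDIT):
            return Decision(True, None, "metadata view permitted")
        return Decision(False, "authorization", "Secrets Store Read or Edit required")
    if action not in ("edit", "bind"):
        return Decision(False, "authorization", f"unknown action {action!r}")
    if permission is not Permission.EDIT:
        return Decision(False, "authorization",
                        "Account Secrets Store Edit required; Read only allows viewing metadata")
    if action == "edit":
        return Decision(True, None, "edit permitted")

    # Check 2: the secret's scopes must include the service it is bound to.
    if secret is None or target_service is None:
        return Decision(False, "scope", "bind needs a secret and a target service")
    if target_service not in KNOWN_SCOPES:
        return Decision(False, "scope", f"unknown service {target_service!r}")
    if target_service not in secret.scopes:
        return Decision(False, "scope",
                        f"secret {secret.name!r} is not scoped to {target_service!r}; "
                        f"its scopes are {sorted(secret.scopes)}")
    return Decision(True, None, f"bind to {target_service!r} permitted")


def preflight_deploy(token_permission: Permission, bindings: dict,
                     target_service: str = "workers") -> list:
    """Evaluate every Secrets Store binding of a deploy before pushing it.

    Returns one message per binding that would be rejected, so a CI job can
    fail early instead of learning about it from the deploy error.
    """
    problems = []
    for binding_name, secret in bindings.items():
        d = authorize(token_permission, "bind", secret, target_service)
        if not d.allowed:
            problems.append(f"{binding_name}: {d.failed_check} check failed: {d.reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one secret scoped for Workers, one only for AI Gateway.
    api_key = Secret("API_KEY", frozenset({"workers"}))
    gw_key = Secret("GW_KEY", frozenset({"ai-gateway"}))
    # A CI token with only Read permission: every binding fails on authorization.
    for line in preflight_deploy(Permission.READ, {"API_KEY": api_key}):
        print(line)
    # An Edit token still fails for the secret that is not scoped to Workers.
    for line in preflight_deploy(Permission.EDIT, {"API_KEY": api_key, "GW_KEY": gw_key}):
        print(line)
```

The `failed_check` field is what makes the model useful in practice: a Read-only wrangler-action token and a secret missing the `workers` scope both block the same deploy, but they are fixed in different places (the token's permissions versus the secret's scopes), so a preflight that names the failing layer saves a round of guessing.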
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented Jun 26, 2026

Contributor

Review

⚠️ 1 warning, 💡 3 suggestions found in commit ca0a8df. ⚠️ Part of the review could not complete and will retry on the next push.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

❌ This review could not complete this run; results may be incomplete. It will retry on the next push.

Style Guide Review

Warnings (1)

File: secrets-store/access-control.mdx, line 20
Issue: Numbered list used for non-sequential items — Ordered list enumerates two independent concepts, Authorization and Secret scope, rather than a sequence of steps. Fix: Use a bulleted list for these unordered permission layers.

Suggestions (3)

File: secrets-store/access-control.mdx, line 54
Issue: Bullet list with fewer than three items — Two-item bullet list describes Read and Edit permission levels. Fix: Consider rewriting the two permission levels as prose.

File: secrets-store/access-control.mdx, line 67
Issue: Bullet list with fewer than three items — Two-item bullet list lists the supported scopes (workers and ai-gateway). Fix: Consider rewriting the two scopes as prose.

File: secrets-store/access-control.mdx, line 72
Issue: Bullet list with fewer than three items — Two-item bullet list states the two deployment requirements. Fix: Consider rewriting the two requirements as prose.
