This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Preview URL: https://6f715c5c.preview.developers.cloudflare.com
Preview Branch URL: https://mikenomitch-containers-docs-tweaks.preview.developers.cloudflare.com

Files with changes (up to 15)

This means that you can't get a secret from the store

ok so this means a config like this would not have worked as of July 17 2025

[[env.production.secrets_store_secrets]]
binding = "MY_SECRET"
store_id = "mystoreid"
secret_name = "some-secret-readable-name"

My issue was that env.MY_SECRET binding comes through (as configured in toml and .ts), but then is just some [object Fetcher] when it arrives in the .ts worker and console.logs as literally [object Fetcher])

The FAQ says:

You can use Worker Secrets or the Secrets Store to define secrets for your Workers.

If the Secrets Store implementation is not working today, it should not be mentioned at all, or labeled as coming later.

^ this is what I've been trying to get to work, want to know if this is essentially a burned strategy

I'm at the stage where I'm nuking my worker on the GUI to start over.

In env-vars-and-secrets, this doesn't make sense to me:

I'm confused why the config mentions the secret, but sets it to an obviously fake value.

name = "my-container-worker"

[vars]
ACCOUNT_API_KEY = "abcdef12345"

Shouldn't abcdef12345 not be typed in at all, because the value comes from the Worker secrets?

CONTAINER_SECRET_KEY literal string is mentioned on the page, I don't see any other refs to it, what is this value - is this some magical string that is special, or is this some value that is just being shown as an example? In any case, it's a dangling reference?

Later:

  envVars = {
    ACCOUNT_NAME: env.ACCOUNT_NAME,
    ACCOUNT_API_KEY: env.ACCOUNT_API_KEY,
  };

all I see so far is you typed in ACCOUNT_API_KEY = "abcdef12345" litearlly in the config, I still don't make the connection how this value is read from a place that's not literally in the file.

Everywhere resources are being added, but can be inherited into an environment, I think it's worth mentioning that setting --env envname is SIGNIFICANT.

I'll circle back on Monday. Have a great weekend.

I have to state this though: Kubernetes would have been easier.

I forked the uv maintainer's cloudflare container example repo and made some alterations:
https://github.com/anthonywu/uv-cloudflare-containers-example/tree/demo-env-port-changes

The few changes I made:

1. use a diff port than 8080, prove we can deviate from this
2. use a 0.0.0.0 binding interface, deviate from 10.0.0.1
3. sets a secret via "wrangler secret put" and also via ".dev.vars" for "wrangler dev" mode
4. set a plaintext config

I think this template (after a few more bells and whistles) should be offered on the "Get Started" -> "Select a template" menu.