diff --git a/src/content/docs/ai-gateway/configuration/bring-your-own-keys.mdx b/src/content/docs/ai-gateway/configuration/bring-your-own-keys.mdx index d590441937f78ea..90291b9a969d032 100644 --- a/src/content/docs/ai-gateway/configuration/bring-your-own-keys.mdx +++ b/src/content/docs/ai-gateway/configuration/bring-your-own-keys.mdx @@ -12,7 +12,7 @@ import { CardGrid, LinkTitleCard } from "~/components"; Bring your own keys (BYOK) is a feature in Cloudflare AI Gateway that allows you to securely store your AI provider API keys directly in the Cloudflare dashboard. Instead of including API keys in every request to your AI models, you can configure them once in the dashboard, and reference them in your gateway configuration. -The keys are stored securely with [Secret Store](/secrets-store/) and allows for: +The keys are stored securely with [Secrets Store](/secrets-store/) and allows for: - Secure storage and limit exposure - Easier key rotation @@ -23,7 +23,7 @@ The keys are stored securely with [Secret Store](/secrets-store/) and allows for ### Prerequisites - Ensure your gateway is [authenticated](/ai-gateway/configuration/authentication/). -- Ensure you have appropriate permissions to create and deploy secrets on Secret Store. +- Ensure you have appropriate [permissions](/secrets-store/access-control/) to create and deploy secrets on Secrets Store. ### Configure API keys diff --git a/src/content/docs/secrets-store/access-control.mdx b/src/content/docs/secrets-store/access-control.mdx index 3e9a7c36910181e..adc76c86d263d40 100644 --- a/src/content/docs/secrets-store/access-control.mdx +++ b/src/content/docs/secrets-store/access-control.mdx 
@@ -13,14 +13,30 @@ Secrets Store allows security administrators to have more control by implementin While all Cloudflare accounts will have access to the Secrets Store section on the dashboard, only users with the necessary permissions will be able to interact with it, as described below. ::: -## Relevant roles for Secrets Store +## Relevant roles Refer to the list below for default role definitions. -- **Super Administrator**: Can create, edit, duplicate, delete, and view secrets metadata. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). -- **Secrets Store Admin**: Can create, edit, duplicate, delete, and view secrets metadata. -- **Secrets Store Deployer**: Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. Can also [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). -- **Secrets Store Reporter**: Can view secrets metadata. Cannot perform any actions (create, edit, duplicate, delete secrets), nor add a Secrets Store binding to a Worker. +#### Super Administrator + +- Can create, edit, duplicate, delete, and view secrets metadata. +- Can [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). +- Can [create an association between a secret and an AI gateway](/ai-gateway/configuration/bring-your-own-keys/). + +#### Secrets Store Admin + +- Can create, edit, duplicate, delete, and view secrets metadata. + +#### Secrets Store Deployer + +- Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. +- Can [add a Secrets Store binding to a Worker](/secrets-store/integrations/workers/). +- Can [create an association between a secret and an AI gateway](/ai-gateway/configuration/bring-your-own-keys/). + +#### Secrets Store Reporter + +- Can view secrets metadata. +- Cannot perform any actions (create, edit, duplicate, delete secrets), nor use Secrets Store integrations with other Cloudflare products. ## API token permissions 
diff --git a/src/content/docs/secrets-store/index.mdx b/src/content/docs/secrets-store/index.mdx index 2881f2684dc6d7b..885411fbe658ccf 100644 --- a/src/content/docs/secrets-store/index.mdx +++ b/src/content/docs/secrets-store/index.mdx @@ -21,7 +21,7 @@ Encrypt and store sensitive information as secrets that are securely reusable ac Cloudflare Secrets Store is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all [Cloudflare data centers](https://www.cloudflare.com/network/). -Secrets Store is currently [compatible with Cloudflare Workers](/secrets-store/integrations/workers/). Integrations with other products will be added in the future. +Secrets Store is currently compatible with [Cloudflare Workers](/secrets-store/integrations/workers/) and [AI Gateway](/ai-gateway/configuration/bring-your-own-keys/). Integrations with other products will be added in the future. :::note[China availability] Secrets Store is unavailable in the [Cloudflare China Network](/china-network/), operated by Cloudflare's partner JD Cloud. diff --git a/src/content/docs/secrets-store/integrations/ai-gateway.mdx b/src/content/docs/secrets-store/integrations/ai-gateway.mdx new file mode 100644 index 000000000000000..7fd246f41faf873 --- /dev/null +++ b/src/content/docs/secrets-store/integrations/ai-gateway.mdx @@ -0,0 +1,8 @@ +--- +pcx_content_type: navigation +title: AI Gateway integration +external_link: /ai-gateway/configuration/bring-your-own-keys/ +sidebar: + order: 3 + label: AI Gateway +--- \ No newline at end of file diff --git a/src/content/docs/secrets-store/integrations/workers.mdx b/src/content/docs/secrets-store/integrations/workers.mdx index 0e4dfb61fe3699a..f0f72b78e2a3a33 100644 --- a/src/content/docs/secrets-store/integrations/workers.mdx +++ b/src/content/docs/secrets-store/integrations/workers.mdx 
@@ -1,12 +1,12 @@ --- -title: Use Secrets Store with Workers +title: Workers integration pcx_content_type: tutorial sidebar: order: 1 - label: Use with Workers + label: Workers --- -import { WranglerConfig, Tabs, TabItem, APIRequest } from "~/components"; +import { WranglerConfig, Tabs, TabItem, APIRequest, DashButton } from "~/components"; [Cloudflare Secrets Store](/secrets-store/) is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all Cloudflare data centers. @@ -56,8 +56,11 @@ npx wrangler secrets-store secret create --name MY_SECRET_NAME --scop -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **Secrets Store** and select **Create secret**. +1. In the Cloudflare dashboard, go to the **Secrets Store** page. + + + +2. Select **Create secret**. 3. Fill in the required fields, choosing _Workers_ as the **Permission scope**. Once the secret is saved, the secret value will no longer be available for viewing. 4. (Optional) Select **Add additional secret** to create more than one secret at a time. 5. Select **Save** to confirm. @@ -120,8 +123,11 @@ secrets_store_secrets = [ ### Via Dashboard -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **Workers & Pages** and select a Workers application. +1. In the Cloudflare dashboard, go to **Workers & Pages**. + + + +2. Select a Workers application. 3. Go to **Settings** > **Bindings** and select **Add**. 4. On the **Add a resource binding** side panel, choose **Secrets Store**. 5. Fill in the required fields: diff --git a/src/content/docs/secrets-store/manage-secrets/how-to.mdx b/src/content/docs/secrets-store/manage-secrets/how-to.mdx index a9def5404d02e44..532c79bdb5e15f1 100644 --- a/src/content/docs/secrets-store/manage-secrets/how-to.mdx +++ b/src/content/docs/secrets-store/manage-secrets/how-to.mdx 
@@ -5,7 +5,7 @@ sidebar: order: 2 --- -import { Tabs, TabItem, APIRequest } from "~/components"; +import { Tabs, TabItem, APIRequest, DashButton } from "~/components"; Refer to the sections below to learn about common actions you might want to take when managing your data in Secrets Store. @@ -19,8 +19,11 @@ You must have a [Super Administrator or Secrets Store Admin role](/secrets-store -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **Secrets Store** and select **Create secret**. +1. In the Cloudflare dashboard, go to the **Secrets Store** page. + + + +2. Select **Create secret**. 3. Fill in the required fields. Note that, once the secret is saved, the secret value will no longer be available for viewing. 4. (Optional) Select **Add additional secret** to create more than one secret at a time. 5. Select **Save** to confirm. @@ -58,12 +61,14 @@ Duplicate a secret to keep the same secret value but change name, scope, or comm -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **Secrets Store**. -3. Search for the secret you would like to duplicate within the existing secrets list. -4. Select the three dots next to the secret and choose **Duplicate**. -5. Edit the **Secret name**, **Permission scope**, or **Comment**, according to your needs. -6. Select **Save** to confirm. +1. In the Cloudflare dashboard, go to the **Secrets Store** page. + + + +2. Search for the secret you would like to duplicate within the existing secrets list. +3. Select the three dots next to the secret and choose **Duplicate**. +4. Edit the **Secret name**, **Permission scope**, or **Comment**, according to your needs. +5. Select **Save** to confirm. 
@@ -96,11 +101,13 @@ You can also edit the secret **Permission scope** and **Comment**. -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **Secrets Store**. -3. Search for the secret you would like to edit within the existing secrets list. -4. Select the three dots next to the secret and choose **Edit**. -5. Edit the available fields according to your needs and select **Save** to confirm. +1. In the Cloudflare dashboard, go to the **Secrets Store** page. + + + +2. Search for the secret you would like to edit within the existing secrets list. +3. Select the three dots next to the secret and choose **Edit**. +4. Edit the available fields according to your needs and select **Save** to confirm. @@ -123,16 +130,18 @@ https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$ ## Delete a secret :::caution -Before deleting a secret, make sure it is not deployed. Secrets Store secrets in use are listed in the respective [Workers application](https://dash.cloudflare.com/?to=/:account/workers-and-pages/) under **Settings** > **Bindings**. +Before deleting a secret, make sure it is not deployed in your [Workers applications](https://dash.cloudflare.com/?to=/:account/workers-and-pages/) or [AI gateways](https://dash.cloudflare.com/?to=/:account/ai/ai-gateway). ::: -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. Go to **Secrets Store**. -3. Search for the secret you would like to delete within the existing secrets list. -4. Select the three dots next to the secret and choose **Delete**. -5. Type in the secret name and select **Delete** to confirm. +1. In the Cloudflare dashboard, go to the **Secrets Store** page. + + + +2. Search for the secret you would like to delete within the existing secrets list. +3. Select the three dots next to the secret and choose **Delete**. +4. Type in the secret name and select **Delete** to confirm.
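
Review bot: In bring-your-own-keys.mdx (hunk at -12,7), the changed sentence still has a subject-verb mismatch: "The keys are stored securely with [Secrets Store](/secrets-store/) and allows for:". Since the line is already being touched for the product name, consider "The keys are stored securely with Secrets Store, which allows for:". The first bullet under it, "Secure storage and limit exposure", would read better as "Secure storage and limited exposure".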
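
Review bot: In bring-your-own-keys.mdx (hunk at -23,7), the prerequisite asks for permissions "to create and deploy secrets", but the role list this patch adds to access-control.mdx splits those two actions. Secrets Store Admin can create secrets but is not listed as able to create an association with an AI gateway, and Secrets Store Deployer can create the association but cannot create secrets; only Super Administrator is listed with both. Suggest naming the required roles here, as how-to.mdx does with "You must have a [Super Administrator or Secrets Store Admin role]", so readers can request the narrowest role that works.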
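
Review bot: In access-control.mdx, the new "Secrets Store Admin" section is the only role that says nothing about integrations, while the other three now state whether the role can add a Workers binding or create an AI gateway association. Add a bullet saying whether Admin can or cannot do so, so the split between Admin and Deployer is explicit. Two smaller points in the same hunk: the role headings jump from "## Relevant roles" straight to "####", where "###" would keep the hierarchy intact, and the Reporter bullet "Cannot perform any actions" directly follows "Can view secrets metadata", so "Cannot create, edit, duplicate, or delete secrets" would avoid the contradiction.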
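
Review bot: The new file secrets-store/integrations/ai-gateway.mdx ends with "\ No newline at end of file"; add a trailing newline after the closing "---". The sidebar uses "order: 3" while workers.mdx stays at "order: 1", and nothing in this patch occupies position 2, so confirm the gap is intended.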
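
Review bot: In workers.mdx and how-to.mdx, DashButton is added to the import line, but in the hunks as shown the only lines added between step 1 and step 2 are three empty ones, and no added line uses the component. If the button is meant to sit there, check that it is present and indented under step 1 so the numbered list continues at 2. If it is not used, drop the import.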
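
Review bot: In how-to.mdx (hunk at -123,16), the rewritten caution drops the pointer to where a deployed secret can be found (previously **Settings** > **Bindings** in the Workers application) and gives no equivalent location for AI gateways. The caution tells readers to make sure the secret is not deployed, so it should also say how to check: keep the Workers hint and add where a referenced secret is shown in an AI gateway.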