Documentation does not mention, are account_id and zone_id secret or not

[revelt]

https://developers.cloudflare.com/workers/cli-wrangler/authentication page doesn't mention, do account_id and zone_id need to be kept secret or not.

I assumed they all should be kept secret and encountered some problems. Sourcehut CI can secretly write an arbitrary file to an arbitrary location during the CI bootstrap, so I thought let's recreate .wrangler/config/default.toml with all the secrets, then wrangler will detect them. Apparently, not.

.wrangler/config/default.toml:

api_token = "<redacted>"
account_id = "<redacted>"
zone_id = "<redacted>"

and wrangler.toml:

# name of your Worker script
name = "<redacted>"

# api_token (env var CF_API_TOKEN) - set by Sourcehut CI writing .wrangler/config/default.toml
# account_id (env var CF_ACCOUNT_ID) - same
# zone_id (env var CF_ZONE_ID) - same

# Specifies how wrangler build will build your project
# webpack|javascript|rust
type = "webpack"

#worker will be deployed to your workers.dev
workers_dev = true
route = "<redacted>.com/*"

[site]
bucket = "./build"
entry-point = "workers-site"

The build failed because wrangler complained:

Error: field `account_id` is required to deploy to workers.dev

I'm wary to commit account_id and zone_id in a publicly-facing wrangler.toml. It would be nice to add some reassurance to the documentation, especially, https://developers.cloudflare.com/workers/cli-wrangler/authentication page — are these two variables, account_id and zone_id public or secret.

Also, Sourcehut CI doesn't allow to programmatically set an arbitrary global secret env vars (like Gitlab does); we can't do:

CF_ACCOUNT_ID=accountID CF_API_TOKEN=veryLongAPIToken wrangler publish

Please consider updating https://developers.cloudflare.com/workers/cli-wrangler/authentication page to mention account_id and zone_id privacy.

[revelt]

This seems to be clarified in the community board, https://community.cloudflare.com/t/is-it-safe-to-publish-wrangler-toml-with-account-id-zone-id/116785 — documentation should mention anyway

[revelt]

cloudflare/wrangler-legacy#209 (comment) confirmed account_id and zone_id are safe to be public

[KimJ15]

This issue appears to be resolved. I'm going to close it now, but feel free to open a new issue or ask any questions.

[shearichard]

@KimJ15 it seems really weird that the most definitive statement on this issue appears not within Cloudflare Workers documentation but as a comment on Github by someone who (at least according to their Github profile) doesn't actually work for Cloudflare ? Surely it's written on a Cloudflare page somewhere ?