Creating R2 Buckets & Read Only Credentials via Worker


I’d like to do the following:

  1. Create R2 buckets on demand via my worker, and bind to them.
  2. Generate a read only access/secret key for the bucket on demand.


  1. I can currently make buckets via the dashboard, and can probably do so via the AWS SDK as well. However, I’d like a solution using a binding to access my buckets so I can drop the AWS SDK entirely. It seems the docs have a per-bucket binding, I’d love a per-account binding, is this possible? I currently use a separate bucket for each users data, and it gives a nice security mechanism to ensure users can only read their own data.

  2. I have a bunch of untrusted clients, currently I have generated a read only keypair for their R2 access, they log in with their credentials and the client gets the read only keypair. When it want to write, each request is signed by the worker first. I’d like to automatically generate this keypair on account creation and store it in keyvault. I’m not sure how to do the first part of that, or if it’s possible.


Looks like 2 is possible via the Cloudflare API Documentation

Didn’t find a solution to 1 yet.

Dynamic bindings are not supported. If you create a new bucket and want to attach it, you need to update the worker and deploy a new one.

1 Like