For Workers & Pages, what is the name of the domain?
aill-polling-worker.ailiteracylabs.workers.dev
What is the error message?
Invalid PKCS8 input.
What is the issue or error you’re encountering
Persistent “Invalid PKCS8 input” Error with Worker Secrets
What steps have you taken to resolve the issue?
Hello, we’re hoping to get some guidance on a persistent runtime error. Our worker fails with an “Invalid PKCS8 input” error when trying to use a GCP private key that is stored as a secret.
To help with the investigation, here is a summary of the steps we’ve already taken to try and solve this:
-
Input Method: We have tried setting the secret by both pasting it directly into the
wranglerprompt and by piping it from a clean text file (cat key.txt | wrangler secret put ...). The runtime error is the same in both cases. -
Key Validity: We have confirmed the GCP private key is valid and freshly generated.
-
Code Validity: We have confirmed the worker code is correct by temporarily hardcoding the private key string directly into the deployed code. When hardcoded, the key is parsed correctly and the function works. The error only occurs when the key is read from the
envsecrets. -
Secret Naming: We have tried using different, unique secret names to rule out any potential caching issues.
-
Secret Value: We have tried using both complex, randomly-generated tokens and very simple strings as secrets. The error only occurs with the formatted PKCS8 private key.
What are the steps to reproduce the issue?
- Create a standard Google Cloud (GCP) service account key in JSON format.
- Attempt to store the
private_keystring value from that JSON file as a secret using the command:npx wrangler secret put GCP_KEY. - Deploy a worker that reads this secret (
env.GCP_KEY) and attempts to parse it using the Web Crypto API:crypto.subtle.importKey("pkcs8", keyBuffer, ...). - The worker will fail at runtime with a
DataError: Invalid PKCS8 input.