Allow updating secret-store secrets by name (instead of id) #13225
alexkli started this conversation in Feature Requests
Replies: 2 comments
-
Related: with this in place, it would also be nice if the |
-
Here is my workaround. Tested on macOS and Linux. Depends on

secret-store-update.sh

```bash
#!/bin/bash
# Update or create secrets in Cloudflare Secret Store by NAME
set -e

STORE_ID="$1"
NAME="$2"

if [ -z "$STORE_ID" ] || [ -z "$NAME" ]; then
  echo "Usage: echo <value> | secret-store-update.sh <secret-store-id> <name>"
  echo
  echo "Update or create secret in Cloudflare Secret Store by NAME."
  echo "The secret <value> is passed via stdin to avoid exposing it in logs."
  echo
  echo " <secret-store-id> Cloudflare secret store ID (same as in production)"
  echo
  echo " <name> Name of the secret to update"
  exit 1
fi

# Look up the secret id: list all secrets, keep the lines containing NAME
# and take the 4th whitespace-separated field.
# grep -F matches substrings, so NAME must not occur in any other row.
ID=$(wrangler secrets-store secret list "$STORE_ID" --remote 2>/dev/null | grep -F "$NAME" | awk '{print $4}')

if [ -z "$ID" ]; then
  # if not found, create
  cat /dev/stdin | wrangler secrets-store secret create "$STORE_ID" --remote --scopes workers --name "$NAME"
else
  # if found, update
  cat /dev/stdin | wrangler secrets-store secret update "$STORE_ID" --remote --scopes workers --secret-id "$ID"
fi
```

Example invocation:
-
Describe the solution

It would be very convenient if the `wrangler secrets-store secret update` command would support an option `--name <name>` that would update the secret by name, without the need to pass the secret id.

Reason
Currently wrangler secrets-store secret update and the Patch a secret API require knowing the secret id. This makes it difficult to programmatically update a secret, e.g. for a secret rotation script.
One has to first call the command/API to list all secrets, parse the result, find the secret by name, get the id and then make the actual update command/request.
The Cloudflare dashboard UI does not have this issue - I can select and edit a secret by name. From a worker developer/devops perspective, secret ids are an implementation detail that we normally don't care about at all.
Secret names have to be unique in the first place, so this should not create any issues.
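
The list, find-by-name, get-id step described above, as an added example that is not part of the original post or of wrangler: it matches the name exactly, so a rotation script asked for `API_KEY` does not also pick up `API_KEY_OLD`, and it reports a failed listing separately from "not found". The row layout (name in whitespace field 2, id in field 4) is assumed from the workaround's `awk '{print $4}'`; `resolve_secret_id`, `lookup_secret_id` and the sample rows are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the post's or wrangler's code): name -> id lookup by exact match.
# Assumption: in each table row the name is whitespace field 2 and the id is
# field 4, the layout implied by the workaround's awk '{print $4}'.

# Reads the listing on stdin and prints the id of the secret called $1.
# Exit status: 0 = exactly one match, 1 = no match, 2 = more than one match.
resolve_secret_id() {
  awk -v n="$1" '
    $2 == n { ids[++c] = $4 }     # compare the whole name, not a substring
    END {
      if (c == 1) { print ids[1]; exit 0 }
      exit (c == 0 ? 1 : 2)
    }'
}

# Hypothetical wrapper: status 3 means the listing itself failed (auth,
# network), which must not be mistaken for "secret does not exist".
lookup_secret_id() {
  local store_id="$1" name="$2" listing
  listing=$(wrangler secrets-store secret list "$store_id" --remote) || return 3
  printf '%s\n' "$listing" | resolve_secret_id "$name"
}

# Constructed sample listing; the ids are made up.
sample_listing() {
  cat <<'EOF'
│ Name        │ ID                               │ Scopes  │
│ API_KEY_OLD │ 11111111111111111111111111111111 │ workers │
│ API_KEY     │ 22222222222222222222222222222222 │ workers │
│ DB_PASSWORD │ 33333333333333333333333333333333 │ workers │
EOF
}

# Substring matching returns two ids for API_KEY; exact matching returns one.
sample_listing | grep -F "API_KEY" | awk '{print $4}'
sample_listing | resolve_secret_id "API_KEY"
```

A caller can then create on status 1, update on status 0, and stop without writing anything on status 2 or 3.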