This document describes the environment variables required for file storage functionality using Cloudflare R2.
Required Variables
S3_BUCKET
- Description: Name of your Cloudflare R2 bucket
- Example:
tendsocial - Required: Yes
- Used by: S3 library for all upload/download operations
S3_REGION
- Description: AWS region (use
autofor Cloudflare R2) - Example:
auto - Required: Yes
- Used by: S3 client initialization
S3_ENDPOINT
- Description: Cloudflare R2 endpoint URL
- Example:
https://370e3c7ed6e50972fea1a19da4eb21c6.r2.cloudflarestorage.com - Required: Yes (for R2)
- Used by: S3 client to connect to R2 instead of AWS S3
- How to find: Available in your R2 bucket settings under "Bucket Details"
AWS_ACCESS_KEY_ID
- Description: R2 access key ID
- Example:
ad056f0bb0e13dbd9683a87936492083 - Required: Yes
- Used by: S3 client authentication
- How to get: Create in Cloudflare Dashboard → R2 → Manage R2 API Tokens
AWS_SECRET_ACCESS_KEY
- Description: R2 secret access key
- Example:
4486318247cbd52ef5b1a2b9ebef8d0c011940361a5988881520adc459680db0 - Required: Yes
- Used by: S3 client authentication
- Security: Store as a secret in production (Google Cloud Secret Manager)
Optional Variables
CDN_DOMAIN
- Description: Custom CDN domain for serving files
- Example:
cdn.tendsocial.com - Required: No (falls back to direct R2 URL)
- Used by: Generating public URLs for uploaded files
- Setup: See CDN Setup Guide
- Benefits:
- Free egress (no bandwidth charges)
- Better performance with Cloudflare CDN
- Custom branding
Environment File Examples
Development (.env.local)
bash
# Database
DATABASE_URL=postgresql://user:password@localhost:5432/tendsocial
# Auth
JWT_SECRET=your-dev-jwt-secret
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_PUBLISHABLE_KEY=your-supabase-key
# AI
GOOGLE_GENAI_API_KEY=your-gemini-api-key
# Storage (Cloudflare R2)
S3_BUCKET=tendsocial-dev
S3_REGION=auto
S3_ENDPOINT=https://your-account-id.r2.cloudflarestorage.com
AWS_ACCESS_KEY_ID=your-r2-access-key-id
AWS_SECRET_ACCESS_KEY=your-r2-secret-access-key
CDN_DOMAIN=cdn-dev.tendsocial.comProduction (Google Cloud Run Secrets)
Set these as environment variables or secrets in your Cloud Run service:
bash
# Storage (Cloudflare R2)
S3_BUCKET=tendsocial
S3_REGION=auto
S3_ENDPOINT=https://370e3c7ed6e50972fea1a19da4eb21c6.r2.cloudflarestorage.com
AWS_ACCESS_KEY_ID=<from-secret-manager>
AWS_SECRET_ACCESS_KEY=<from-secret-manager>
CDN_DOMAIN=cdn.tendsocial.comMigration from Old Variable Names
If you're migrating from the old configuration, update these:
| Old Variable | New Variable | Notes |
|---|---|---|
AWS_BUCKET_NAME | S3_BUCKET | Standardized naming |
AWS_REGION | S3_REGION | More generic (works with R2) |
AWS_ENDPOINT | S3_ENDPOINT | More generic (works with R2) |
Validation
The application will validate these variables on startup:
S3_BUCKETis required and will throw an error if missingAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYare required for authenticationCDN_DOMAINis optional; if not set, direct R2 URLs will be used
Security Best Practices
Never commit credentials to Git
- Use
.envfiles (add to.gitignore) - Use environment variables in CI/CD
- Use secret managers in production
- Use
Rotate credentials regularly
- Create new R2 API tokens every 90 days
- Update in all environments
Use least privilege
- R2 API tokens should only have permissions for the specific bucket
- Avoid using account-wide admin tokens
Monitor usage
- Set up alerts for unusual upload patterns
- Monitor R2 storage and request metrics
Troubleshooting
"S3_BUCKET environment variable is not set"
- Ensure
S3_BUCKETis set in your environment - Check that the variable is loaded (e.g., via
dotenv)
"Access Denied" errors
- Verify
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYare correct - Check that the R2 API token has permissions for the bucket
- Ensure the token hasn't expired
Files upload but URLs don't work
- Check
S3_ENDPOINTis correct - Verify
CDN_DOMAINis set and the custom domain is active - Test direct R2 URL first to isolate CDN issues
CORS errors in browser
- Ensure CORS is configured in R2 bucket settings
- See CDN Setup Guide for CORS configuration