Cloudflare SE Lab
Lab 7

R2 object storage behind a Worker

Lab 7 demonstrates how Cloudflare R2 can store private objects while a Worker acts as the controlled access layer in front of those objects.

Scenario

A customer wants S3-like object storage without exposing the bucket publicly. They want edge logic to control access, validate requests, return the object, and manage response behavior.

Objective

Use Cloudflare R2 as private object storage and a Worker as the access layer. The goal is to keep the bucket private while exposing only governed access patterns through a controlled route such as /assets/test.txt.

Outcomes

  • Created an R2 bucket for lab assets.
  • Uploaded a test object named test.txt.
  • Bound the R2 bucket to Worker logic.
  • Exposed object access through the Worker route /assets/test.txt.
  • Kept the bucket private instead of making it publicly accessible.
  • Added simple header-based access control using x-lab-token.
  • Validated both forbidden and authorized access paths with curl.

Environment / Build

  • Zone: ybarra-cflab.com
  • Protected hostname: www.ybarra-cflab.com
  • R2 bucket: cf-lab-assets
  • Test object: test.txt
  • Worker binding: LAB_BUCKET
  • Worker route: /assets/
  • Protected object URL: https://www.ybarra-cflab.com/assets/test.txt
  • Required demo header: x-lab-token: demo123

Demonstrable Content

Create the R2 bucket:

npx wrangler r2 bucket create cf-lab-assets

Upload a test object:

echo "private lab asset" > test.txt

npx wrangler r2 object put cf-lab-assets/test.txt --file ./test.txt

Validate blocked access without the required header:

curl -i https://www.ybarra-cflab.com/assets/test.txt

Validate authorized access with the required header:

curl -i -H "x-lab-token: demo123" https://www.ybarra-cflab.com/assets/test.txt

What Was Completed

  • Created the R2 bucket cf-lab-assets.
  • Uploaded test.txt as a private object.
  • Configured a Worker/R2 binding named LAB_BUCKET.
  • Added Worker logic to read objects from R2 when the request path starts with /assets/.
  • Added a simple header check using x-lab-token.
  • Returned 403 Forbidden when the token was missing or incorrect.
  • Returned the private object when the correct token was provided.
  • Validated the full request flow with curl.

Lab 7 Technical Summary

Lab 7 implemented private object delivery using Cloudflare R2 and Worker-based access control. R2 stores the object, but the Worker controls how requests are evaluated, how the object key is derived from the URL path, whether access is allowed, and what response is returned. Requests to /assets/test.txt are denied unless the required x-lab-token header is present. When authorized, the Worker retrieves the object from the R2 bucket through the LAB_BUCKET binding and returns it to the client. This demonstrates how Cloudflare can keep object storage private while exposing governed access through programmable edge logic.

Lab 7 Customer-Facing Summary

We stored a private file in Cloudflare R2 and used a Worker to control who can access it. Instead of making the storage bucket public, the Worker checks the request first and only returns the file when the expected access header is present. This gives the customer a safer and more flexible way to expose private objects, because access rules, headers, response behavior, and caching can all be controlled at Cloudflare's edge.