[wrangler] Add Access Service Token support for CI/non-interactive environment

[WalshyDev]

Fixes #11881.

When running wrangler dev with remote bindings (or vitest-pool-workers with remote bindings) behind a Cloudflare Access-protected domain, Wrangler spawns cloudflared access login which opens a browser for interactive authentication. This is impossible in CI/CD environments.

This PR adds support for Cloudflare Access Service Token authentication via two new environment variables:

• CLOUDFLARE_ACCESS_CLIENT_ID -- the Access Service Token Client ID
• CLOUDFLARE_ACCESS_CLIENT_SECRET -- the Access Service Token Client Secret

When both are set, Wrangler authenticates by sending CF-Access-Client-Id and CF-Access-Client-Secret headers to the Access-protected domain, extracting the CF_Authorization JWT from the response, and using it for subsequent requests -- completely bypassing the interactive cloudflared flow.

Additionally, when running in a non-interactive environment (no TTY or CI detected) without these credentials, Wrangler now throws a clear, actionable UserError instead of hanging on cloudflared access login:

The domain "example.workers.dev" is behind Cloudflare Access, but no Access Service Token
credentials were found and the current environment is non-interactive.
Set the CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET environment variables
to authenticate with an Access Service Token.
See https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/

Usage

export CLOUDFLARE_ACCESS_CLIENT_ID="<your-client-id>.access"
export CLOUDFLARE_ACCESS_CLIENT_SECRET="<your-client-secret>"
wrangler dev --remote

---

• Tests
  • Tests included/updated
  • Automated tests not possible - do not know if team has setup for this and not needed
  • Additional testing not necessary because:
• Public documentation
  • Cloudflare docs PR(s): Add docs for CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET system environment variables cloudflare-docs#29256
  • Documentation not necessary because:

---

[changeset-bot]

🦋 Changeset detected

Latest commit: a6bb5a2

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[workers-devprod]

Codeowners approval required for this PR:

• @cloudflare/wrangler

Show detailed file reviewers

• packages/workers-utils/src/environment-variables/factory.ts: [@cloudflare/wrangler]
• packages/wrangler/src/tests/access.test.ts: [@cloudflare/wrangler]
• packages/wrangler/src/tests/helpers/msw/handlers/access.ts: [@cloudflare/wrangler]
• packages/wrangler/src/user/access.ts: [@cloudflare/wrangler]
• packages/wrangler/src/user/auth-variables.ts: [@cloudflare/wrangler]

[ask-bonk]

APIError: Not Found: Not found

github run

[ask-bonk]

@WalshyDev Bonk workflow failed. Check the logs for details.

View workflow run · To retry, trigger Bonk again.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13031

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13031

miniflare

npm i https://pkg.pr.new/miniflare@13031

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13031

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13031

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13031

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13031

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13031

wrangler

npm i https://pkg.pr.new/wrangler@13031

commit: a6bb5a2

[dario-piotrowicz]

Suggested change

	wrangler dev --remote
	wrangler dev

remote binding works without --remote (but I guess that the env vars still apply to --remote as well?)

[dario-piotrowicz]

this check doesn't seem correct, doesn't it mean that we show the warning even when both variables are set? (true || true) === true

[dario-piotrowicz]

What about toThrowErrorMatchingInlineSnapshot to include the whole error message instead of just non-interactive? 🙂

[dario-piotrowicz]

This applies to all the other rejects.toThrow below, also I think the rejects.toEquals could be updated to just be toThrowErrorMatchingInlineSnapshot calls

[dario-piotrowicz]

this and the following test, are saying should warn but then are not actually testing the warning message 😅