add auth profiles to wrangler #13975
Open
emily-shen wants to merge 14 commits into
Open
Conversation
🦋 Changeset detectedLatest commit: a699560 The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
emily-shen
force-pushed
the
emily/profiles
branch
from
2c9d214 to
1363e78
Compare
workers-devprod
requested review from
a team and
petebacondarwin
and removed request for
a team
Contributor
|
Codeowners approval required for this PR:
Show detailed file reviewers
|
Contributor
|
✅ All changesets look good |
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
create-cloudflare
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
Contributor
|
@emily-shen - looks like the Ci is not happy and there are some suggestions from Devin. |
petebacondarwin
force-pushed
the
emily/profiles
branch
from
9800b0c to
d13436f
Compare
workers-devprod
requested review from
a team and
penalosa
and removed request for
a team
Allow users to be logged into multiple Cloudflare accounts simultaneously via named profiles stored as separate TOML files. - Add `wrangler profile list|use|delete` subcommands - Add `--profile` global flag and WRANGLER_PROFILE env var - Support `wrangler login --profile <name>` to store credentials - Namespace account cache per profile to prevent cross-contamination - Display active profile in `wrangler whoami` output Profile resolution priority: --profile flag > WRANGLER_PROFILE env > profiles.toml > "default" Profiles stored under ~/.wrangler/config/profiles/<name>.toml. Default profile path unchanged for full backward compatibility. Refs: #8956, #11513
Unify login handler to a single code path so the profile success message and metrics event fire regardless of --scopes usage. Fix profileExists, deleteProfile, and listProfiles to use environment-aware paths via getAuthConfigFilePath, so profiles created in staging are correctly found, listed, and deleted.
Validate WRANGLER_PROFILE and profiles.toml active_profile with validateProfileName() to prevent invalid profile names from being used in auth config file path construction. Also reinitialise auth tokens in clearProfileOverride() to keep cached credentials in sync when the active profile changes.
deleteProfile() previously used getActiveProfile() to check whether the deleted profile was active, but getActiveProfile() respects --profile and WRANGLER_PROFILE overrides. This meant profiles.toml could be left pointing at a deleted profile when a different override was active. Extract getActiveProfileFromConfig() to read profiles.toml directly, ignoring runtime overrides, and use it in deleteProfile().
- Add profile field to whoami --json test expectation - Update inline snapshots for experimental-commands-api and functions-build
- Add WRANGLER_PROFILE to VariableNames type in workers-utils - Fix "open-beta" -> "open beta" status enum in profile commands - Use expect from test context in profile.test.ts (lint rule)
emily-shen
force-pushed
the
emily/profiles
branch
2 times, most recently
from
28a3ff7 to
206d263
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
emily-shen
force-pushed
the
emily/profiles
branch
from
206d263 to
d856697
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
emily-shen
commented
May 21, 2026
| import type { ExpectStatic } from "vitest"; | ||
|
|
||
| describe("containers registries --help", () => { | ||
| runInTempDir(); |
Contributor
Author
There was a problem hiding this comment.
have had to do this to a bunch of test files to make sure that running tests locally while you have a profile active doesn't contaminate the snapshots
emily-shen
force-pushed
the
emily/profiles
branch
from
d856697 to
ae58fb1
Compare
emily-shen
force-pushed
the
emily/profiles
branch
2 times, most recently
from
3fbaf9d to
bef712f
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
emily-shen
force-pushed
the
emily/profiles
branch
from
bef712f to
d674d6a
Compare
emily-shen
force-pushed
the
emily/profiles
branch
from
d674d6a to
a699560
Compare
Comment on lines
+46
to
+48
| const message = getProfileForDirectory() | ||
| ? `This directory is bound to the auth profile "${currentProfile}"\n` | ||
| : `You are currently using the auth profile "${currentProfile}".\n`; |
Contributor
There was a problem hiding this comment.
🟡 Login error message attributes wrong profile name to directory binding when WRANGLER_PROFILE overrides it
When both WRANGLER_PROFILE and a directory binding are set to different profiles, the error message is factually incorrect. getActiveProfileName() returns the env-var profile (highest priority), but the message checks getProfileForDirectory() to decide the message template and then substitutes currentProfile (from the env var). For example, if WRANGLER_PROFILE=env-profile and the directory is bound to dir-profile, the message says "This directory is bound to the auth profile 'env-profile'" — but the directory is actually bound to dir-profile.
Triggering scenario
- Set
WRANGLER_PROFILE=env-profile - Bind cwd to a different profile:
wrangler profiles set dir-profile --dir . - Run
wrangler login - Message incorrectly states: "This directory is bound to the auth profile 'env-profile'"
The fix is to use the return value of getProfileForDirectory() in the directory-binding message branch instead of currentProfile.
Suggested change
| const message = getProfileForDirectory() | |
| ? `This directory is bound to the auth profile "${currentProfile}"\n` | |
| : `You are currently using the auth profile "${currentProfile}".\n`; | |
| const dirProfile = getProfileForDirectory(); | |
| const message = dirProfile | |
| ? `This directory is bound to the auth profile "${dirProfile}"\n` | |
| : `You are currently using the auth profile "${currentProfile}".\n`; |
Was this helpful? React with 👍 or 👎 to provide feedback.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Supersedes #11780
'Profiles' are essentially just Oauth tokens that you can switch between without re-authing. The main change compared to the earlier PR is that you can now bind a profile to a particular directory. This is similar to account_id in wrangler config, except set at the global context to keep it out of the hands of agents scoped to a particular directory. You can use profiles as an agent guardrail by banning agents from using wrangler login/profiles commands, but setting a profile in the working directory. This will let the agent run commands attached to that account without requiring interactive login, but they shouldn't be able to switch accounts.
New commands
npx wrangler profiles create/delete- basically login/logout. intentionally keeping profiles separate from login/out, so if you run wrangler login/out with an active profile, they will error.npx wrangler profiles set <name> —dir, where you can pass in a path or it defaults to cwd. Whenever you’re in that directory, wrangler will default to that profile. You can override this with the env var WRANGLER_PROFILE. (removed the --profile global flag for simplicity, we can it back in a followup if we really want)npx wrangler profiles set <name>(without dir) sets a globally active profile. This applies to any unbound directories. This is useful if you deploy something to multiple accounts.npx wrangler profiles unset (—dir)does the reversenpx wrangler profiles listTODO in follow up:
A picture of a cute animal (not mandatory, but encouraged)