Not possible to cloudflared access login on CI

[AndreasMadsen]

What versions & operating system are you using?

  System:
    OS: macOS 26.2
    CPU: (8) arm64 Apple M3
    Memory: 1.01 GB / 24.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 24.12.0 - /opt/homebrew/opt/node@24/bin/node
    npm: 11.6.2 - /opt/homebrew/opt/node@24/bin/npm
  npmPackages:
    @cloudflare/vitest-pool-workers: ^0.12.1 => 0.12.1
    wrangler: ^4.58.0 => 4.58.0

Please provide a link to a minimal reproduction

https://github.com/guidelabs/cloudflared-ci-bug-report/tree/920fde661b1ded82ac1f782f9a87910e3ac467db

Describe the Bug

cloudflared access login runs if remoteBindings are used in vitest (e.g. for vectorize). This happens on this line:

workers-sdk/packages/wrangler/src/user/access.ts

Line 58 in beb96af

const output = spawnSync("cloudflared", ["access", "login", domain]);

This work on a local machine, but doesn't work in a CI system as it starts a browser and expects us to login. Something we cannot do in a headless CI system. It's unclear how to prevent this. We are already setting the CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN. And there is no documentation to be found on what else to do.

In addition to the provided reproduction code the *.{domain}.workers.dev should be behind a Zero Trust access gateway.

I spent some time understanding why cloudflared access login is needed in the first place. In a previous version of wrangler it wasn't required (wrangler 4.33.1 and @cloudflare/vitest-pool-workers ^0.8.69, perhaps related to #10938). But I wasn't able to fully understand it. The RemoteRuntimeController is part of the start. This does the createPreviewSession which then runs getAccessToken (see code links).

We consider not being able to run CI tests a bug. But apologizes if we missed something.

Please provide any relevant error logs

There is no error in the provided example. The issue is that the browser is opened. How can we prevent this via e.g. an environment variable? A more complex example does produce an error.

[dario-piotrowicz]

Hi @AndreasMadsen, thank you very much for the issue 🙂

Unfortunately I don't think that what you are trying to do is possible. If your domain is under Zero Trust then you won't be able to access its remote bindings in the workers CI. But I will doable check this with the Zero Trust team and see if there is a potential workaround or solution.

Regarding this working with older versions of the vitest-pool-workers package, I suspect that those were simply working by not recognizing the "remote" field and using local simulations for the bindings.

Have you by any chance seen this sort of warning in your CI logs?

So as I mentioned above, I think that we won't be able to support the access to remote bindings behind Access in CI, but again, I will double check to make sure that that's actually the case. In such case I'll try to see if we can document this issue and/or provide helpful warning messages.

Besides the above, the only workaround/solution I can give you for now would be to disable remote bindings in CI, you can do that by using the remoteBindings vitest-pool-workers configuration like so:

Or just disable remoteBindings in vitest-pool-workers outright if you are not relying on remote bindings for your tests.

If you do have some tests that do rely on remote bindings then you'll have to add to them some skipIf or similar logic so that they also get skipped in CI.

I hope any of this is helpful, please do let me know what you think 🙂

[AndreasMadsen]

@dario-piotrowicz Thanks for looking into this. There are no simulations for Vectorize (we use in our case) and Worker AI. So I doubt that is the case. I also haven't seen the message you show previously. The example I provided is what should work for a recent version of wrangler. To get it to work with an older version of wrangler, a different configuration is needed. In that case you get this message:

Regarding feasibility. In Zero Trust, it's possible to create service token and setup a policy such this token is allowed. The documentation is here: https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/

We already use this feature to test our Worker backend in deployment which is behind Zero Trust. We would be happy to use this service token here too. However, the problem is that current implementation assumes a cookie is set via spawnSync("cloudflared", ["access", "login", domain]), while service tokens are set via specific headers and use don't use cloudflared to connect.

[dario-piotrowicz]

@AndreasMadsen Thank you very much for the very useful response! 🙏

Regarding the older version of wrangler, can you actually then use the remote bindings from the Access domain?

In any case thank you very much, sorry I wasn't really aware of the service token (I'm no ZT expert 😓), I guess we could then easily solve the issue by allowing you to specify the service token via an environment variable and then use that instead of the one from cloudflared, right? 🤔

[AndreasMadsen]

@dario-piotrowicz I will ask the person responsible for that code, to make sure. But as far as I can see from my debugging, it does work.

AFAIK, querying Vectorize doesn't require accessing anything under a (ZT) domain (e.g. {domain}.workers.dev). It is a standalone database that can be queried using the standard Cloudflare API (https://developers.cloudflare.com/api/resources/vectorize/subresources/indexes/methods/query/) using just the CLOUDFLARE_API_TOKEN which we do provide. So given that, I don't understand why a ZT auth token (cloudflared or service token) is now required for the remote binding.

In any case thank you very much, sorry I wasn't really aware of the service token (I'm no ZT expert 😓), I guess we could then easily solve the issue by allowing you to specify the service token via an environment variable and then use that instead of the one from cloudflared, right? 🤔

Haha, no worries. It took us a while to learn about the service tokens too. I think it should just work with the right auth headers.

It's technically possible to have multiple policies for different subdomains, each with different service tokens. Having inspected the wrangler logs, I have noticed that it tries to access multiple different subdomains, so I could imagine a scenario where someone would need to set multiple service tokens, one for each subdomain. However, it's always possible to create a global ZT policy with a service token (what we have done), so this complexity isn't something we personally need addressed.

[AndreasMadsen]

@dario-piotrowicz Just following up. I checked with the person responsible for doing the vectorized testing. It does use remote bindings (as the warning indicates) even though Zero Trust is enabled for everything. I assume remote bindings use the Cloudflare API, for which CLOUDFLARE_API_TOKEN is enough, but I haven't checked that.

[penalosa]

@AndreasMadsen the reason this has changed from a previous version is that we used to support Vectorize & AI bindings by querying the API (using CLOUDFLARE_API_TOKEN). However, we recently stabilised support for a more general remote bindings implementation, which actually deploys a draft worker to your account in order to query Vectorize/AI etc... This has a number of benefits, including supporting things like JSRPC bindings that can't be expressed over the HTTP-based Cloudflare API, but it does mean that if your workers.dev domain is behind access then we need to run cloudflared to get an Access token.

I think to solve this for headless systems allowing a ZT token to be provided via an env var should be enough? However, I think we'd need to design it to work with multiple domains, since as you say Wrangler can in theory query multiple domains.

Would something like this work?

# Use for all requests
CLOUDFLARE_ACCESS_CLIENT_ID="eurbvoen" CLOUDFLARE_ACCESS_CLIENT_SECRET="ofbvoi" wrangler dev
# Use for a subsection of access requests
CLOUDFLARE_ACCESS_CLIENT_ID="*.example.com:eurbvoen" CLOUDFLARE_ACCESS_CLIENT_SECRET="*.example.com:ofbvoi" wrangler dev