fix: update R2 SQL response format and env variable (#10654)

laplab · web-flow · commit a4e243936744 · 2025-09-16T16:57:10.000+01:00
* fix: update response format

* fix: use different env variable for R2 SQL token

* fix: changeset
diff --git a/.changeset/easy-guests-end.md b/.changeset/easy-guests-end.md
@@ -0,0 +1,5 @@
+---
+"wrangler": minor
+---
+
+Switch to WRANGLER_R2_SQL_AUTH_TOKEN env variable for R2 SQL secret. Update the response format for R2 SQL
diff --git a/packages/wrangler/src/__tests__/r2/sql.test.ts b/packages/wrangler/src/__tests__/r2/sql.test.ts
@@ -38,7 +38,7 @@ describe("r2 sql", () => {
 		const mockToken = "test-token-123";
 
 		beforeEach(() => {
-			vi.stubEnv("CLOUDFLARE_API_TOKEN", mockToken);
+			vi.stubEnv("WRANGLER_R2_SQL_AUTH_TOKEN", mockToken);
 		});
 
 		it("should require warehouse and query arguments", async () => {
@@ -51,12 +51,15 @@ describe("r2 sql", () => {
 			);
 		});
 
-		it("should require CLOUDFLARE_API_TOKEN environment variable", async () => {
+		it("should require WRANGLER_R2_SQL_AUTH_TOKEN environment variable", async () => {
+			vi.stubEnv("WRANGLER_R2_SQL_AUTH_TOKEN", undefined);
 			vi.stubEnv("CLOUDFLARE_API_TOKEN", undefined);
 
 			await expect(
 				runWrangler(`r2 sql query ${mockWarehouse} "${mockQuery}"`)
-			).rejects.toThrow("Missing CLOUDFLARE_API_TOKEN environment variable");
+			).rejects.toThrow(
+				"Missing WRANGLER_R2_SQL_AUTH_TOKEN environment variable"
+			);
 		});
 
 		it("should validate warehouse name format", async () => {
@@ -71,19 +74,20 @@ describe("r2 sql", () => {
 				errors: [],
 				messages: [],
 				result: {
-					column_order: ["id", "name", "age"],
+					schema: [
+						{ name: "id", type: "Int64" },
+						{ name: "name", type: "Utf8" },
+						{ name: "age", type: "Int64" },
+					],
 					rows: [
 						{ id: 1, name: "Alice", age: 30 },
 						{ id: 2, name: "Bob", age: 25 },
 						{ id: 3, name: "Charlie", age: 35 },
 					],
-					stats: {
-						total_r2_requests: 5,
-						total_r2_bytes_read: 1024 * 1024,
-						total_r2_bytes_written: 0,
-						total_bytes_matched: 512,
-						total_rows_skipped: 0,
-						total_files_scanned: 2,
+					metrics: {
+						r2_requests_count: 5,
+						files_scanned: 2,
+						bytes_scanned: 1024 * 1024,
 					},
 				},
 			};
@@ -131,9 +135,14 @@ describe("r2 sql", () => {
 				errors: [],
 				messages: [],
 				result: {
-					column_order: [],
+					schema: [],
 					rows: [],
 				},
+				metrics: {
+					r2_requests_count: 0,
+					files_scanned: 0,
+					bytes_scanned: 0,
+				},
 			};
 
 			msw.use(
@@ -217,11 +226,20 @@ describe("r2 sql", () => {
 				errors: [],
 				messages: [],
 				result: {
-					column_order: ["id", "name", "email"],
+					schema: [
+						{ name: "id", type: "Int64" },
+						{ name: "name", type: "Utf8" },
+						{ name: "email", type: "Utf8" },
+					],
 					rows: [
 						{ id: 1, name: "Alice", email: null },
 						{ id: 2, name: null, email: "bob@example.com" },
 					],
+					metrics: {
+						r2_requests_count: 5,
+						files_scanned: 2,
+						bytes_scanned: 1024 * 1024,
+					},
 				},
 			};
 
diff --git a/packages/wrangler/src/environment-variables/factory.ts b/packages/wrangler/src/environment-variables/factory.ts
@@ -19,6 +19,8 @@ type VariableNames =
 	| "CLOUDFLARE_API_BASE_URL"
 	/** Set to "fedramp_high" for FedRAMP High compliance region. This will update the API/AUTH URLs used to make requests to Cloudflare. */
 	| "CLOUDFLARE_COMPLIANCE_REGION"
+	/** API token for R2 SQL service. */
+	| "WRANGLER_R2_SQL_AUTH_TOKEN"
 
 	// ## Development & Local Testing
 
diff --git a/packages/wrangler/src/r2/sql.ts b/packages/wrangler/src/r2/sql.ts
@@ -6,34 +6,35 @@ import { createCommand, createNamespace } from "../core/create-command";
 import { UserError } from "../errors";
 import { logger } from "../logger";
 import { APIError, parseJSON } from "../parse";
-import { getCloudflareAPITokenFromEnv } from "../user/auth-variables";
+import {
+	getCloudflareAPITokenFromEnv,
+	getWranglerR2SqlAuthToken,
+} from "../user/auth-variables";
 
-interface SqlQueryResult {
+interface SqlQueryResponse {
 	result?: {
-		column_order: string[];
+		request_id?: string;
+		schema: { name: string; type: string }[];
 		rows: Record<string, unknown>[];
-		stats?: {
-			total_r2_requests: number;
-			total_r2_bytes_read: number;
-			total_r2_bytes_written: number;
-			total_bytes_matched: number;
-			total_rows_skipped: number;
-			total_files_scanned: number;
+		metrics: {
+			r2_requests_count: number;
+			files_scanned: number;
+			bytes_scanned: number;
 		};
 	};
 	success: boolean;
 	errors: { code: number; message: string }[];
 	messages: string[];
 }
 
-function formatSqlResults(data: SqlQueryResult, duration: number): void {
+function formatSqlResults(data: SqlQueryResponse, duration: number): void {
 	if (!data?.result?.rows || data.result.rows.length === 0) {
 		logger.log("Query executed successfully with no results");
 		return;
 	}
 
-	const { column_order, rows, stats } = data.result;
-
+	const { schema, rows, metrics } = data.result;
+	const column_order = schema.map((field) => field.name);
 	logger.table(
 		rows.map((row) =>
 			Object.fromEntries(
@@ -43,15 +44,12 @@ function formatSqlResults(data: SqlQueryResult, duration: number): void {
 		{ wordWrap: true, head: column_order }
 	);
 
-	// Print stats if available.
-	if (stats) {
-		logger.log(
-			`Read ${prettyBytes(stats.total_r2_bytes_read)} across ${stats.total_files_scanned} files from R2`
-		);
-		if (duration > 0) {
-			const bytesPerSecond = (stats.total_r2_bytes_read / duration) * 1000;
-			logger.log(`On average, ${prettyBytes(bytesPerSecond)} / s`);
-		}
+	logger.log(
+		`Read ${prettyBytes(metrics.bytes_scanned)} across ${metrics.files_scanned} files from R2`
+	);
+	if (duration > 0) {
+		const bytesPerSecond = (metrics.bytes_scanned / duration) * 1000;
+		logger.log(`On average, ${prettyBytes(bytesPerSecond)} / s`);
 	}
 }
 
@@ -83,14 +81,22 @@ export const r2SqlQueryCommand = createCommand({
 		},
 	},
 	async handler({ warehouse, query }) {
-		const token = getCloudflareAPITokenFromEnv();
+		let token = getWranglerR2SqlAuthToken();
 		if (!token) {
-			throw new UserError(
-				"Missing CLOUDFLARE_API_TOKEN environment variable. " +
-					"Please follow instructions in https://developers.cloudflare.com/r2/sql/platform/troubleshooting/ to create a token. " +
-					"Once done, you can prefix the command with the variable definition like so: `CLOUDFLARE_API_TOKEN=... wrangler r2 sql query ...`. " +
-					"There also other ways to provide the value of this variable, see https://developers.cloudflare.com/workers/wrangler/system-environment-variables/ for more details."
-			);
+			token = getCloudflareAPITokenFromEnv();
+			if (!token) {
+				throw new UserError(
+					"Missing WRANGLER_R2_SQL_AUTH_TOKEN environment variable. " +
+						"Tried to fallback to CLOUDFLARE_API_TOKEN, didn't find it either. " +
+						"Please follow instructions in https://developers.cloudflare.com/r2/sql/platform/troubleshooting/ to create a token. " +
+						"Once done, you can prefix the command with the variable definition like so: `WRANGLER_R2_SQL_AUTH_TOKEN=... wrangler r2 sql query ...`. " +
+						"There also other ways to provide the value of this variable, see https://developers.cloudflare.com/workers/wrangler/system-environment-variables/ for more details."
+				);
+			} else {
+				logger.warn(
+					"Missing WRANGLER_R2_SQL_AUTH_TOKEN environment variable, falling back to CLOUDFLARE_API_TOKEN"
+				);
+			}
 		}
 
 		const splitIndex = warehouse.indexOf("_");
@@ -132,9 +138,16 @@ export const r2SqlQueryCommand = createCommand({
 			});
 		}
 
+		if (responseStatus === 403) {
+			logger.error(
+				"Please check that token in WRANGLER_R2_SQL_AUTH_TOKEN or CLOUDFLARE_API_TOKEN has the correct permissions. " +
+					"See https://developers.cloudflare.com/r2/sql/platform/troubleshooting/ for more details."
+			);
+		}
+
 		let parsed = null;
 		try {
-			parsed = parseJSON(text) as SqlQueryResult;
+			parsed = parseJSON(text) as SqlQueryResponse;
 		} catch {
 			throw new APIError({
 				text: "Received a malformed response from the API",
diff --git a/packages/wrangler/src/user/auth-variables.ts b/packages/wrangler/src/user/auth-variables.ts
@@ -95,6 +95,10 @@ export const getRevokeUrlFromEnv = getEnvironmentVariableFactory({
 	defaultValue: () => `https://${getAuthDomainFromEnv()}/oauth2/revoke`,
 });
 
+export const getWranglerR2SqlAuthToken = getEnvironmentVariableFactory({
+	variableName: "WRANGLER_R2_SQL_AUTH_TOKEN",
+});
+
 /**
  * Set the `WRANGLER_CF_AUTHORIZATION_TOKEN` to the CF_Authorization token found at https://dash.staging.cloudflare.com/bypass-limits
  * if you want to access the staging environment, triggered by `WRANGLER_API_ENVIRONMENT=staging`.
diff --git a/packages/wrangler/turbo.json b/packages/wrangler/turbo.json
@@ -52,7 +52,8 @@
 				"WRANGLER_SEND_METRICS",
 				"WRANGLER_WORKER_REGISTRY_PORT",
 				"DOCKER_HOST",
-				"WRANGLER_DOCKER_HOST"
+				"WRANGLER_DOCKER_HOST",
+				"WRANGLER_R2_SQL_AUTH_TOKEN"
 			]
 		},
 		"test:ci": {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"wrangler": minor
 +---
++
 +Switch to WRANGLER_R2_SQL_AUTH_TOKEN env variable for R2 SQL secret. Update the response format for R2 SQL