diff --git a/src/go/rpk/pkg/cli/cloud/auth/use.go b/src/go/rpk/pkg/cli/cloud/auth/use.go
index 079d283ce28e2..916bd615bc437 100644
--- a/src/go/rpk/pkg/cli/cloud/auth/use.go
+++ b/src/go/rpk/pkg/cli/cloud/auth/use.go
@@ -66,7 +66,7 @@ profile is kept.
 				}
 			}
 
-			y.MakeAuthCurrent(a)
+			y.MakeAuthCurrent(&a)
 			err = y.Write(fs)
 			out.MaybeDie(err, "unable to write rpk.yaml: %v", err)
 
diff --git a/src/go/rpk/pkg/config/rpk_yaml.go b/src/go/rpk/pkg/config/rpk_yaml.go
index 820135b20cbbf..272475ffa3759 100644
--- a/src/go/rpk/pkg/config/rpk_yaml.go
+++ b/src/go/rpk/pkg/config/rpk_yaml.go
@@ -241,11 +241,12 @@ func (y *RpkYaml) PushNewAuth(a RpkCloudAuth) {
 // MakeAuthCurrent finds the given auth, moves it to the front, and updates
 // the current cloud auth fields. This pointer must exist, if it does not,
 // this function panics.
-func (y *RpkYaml) MakeAuthCurrent(a *RpkCloudAuth) {
-	reordered := []RpkCloudAuth{*a}
+// This updates *a to point to the new address of the auth.
+func (y *RpkYaml) MakeAuthCurrent(a **RpkCloudAuth) {
+	reordered := []RpkCloudAuth{**a}
 	var found bool
 	for i := range y.CloudAuths {
-		if &y.CloudAuths[i] == a {
+		if &y.CloudAuths[i] == *a {
 			found = true
 			continue
 		}
@@ -254,9 +255,10 @@ func (y *RpkYaml) MakeAuthCurrent(a *RpkCloudAuth) {
 	if !found {
 		panic("MakeAuthCurrent called with an auth that does not exist")
 	}
+	*a = &reordered[0]
 	y.CloudAuths = reordered
-	y.CurrentCloudAuthOrgID = a.OrgID
-	y.CurrentCloudAuthKind = a.Kind
+	y.CurrentCloudAuthOrgID = (*a).OrgID
+	y.CurrentCloudAuthKind = (*a).Kind
 }
 
 // DropAuth removes the given auth from the list of auths. If this was the
diff --git a/src/go/rpk/pkg/oauth/load.go b/src/go/rpk/pkg/oauth/load.go
index 4217b7fe931d9..7b9a163125928 100644
--- a/src/go/rpk/pkg/oauth/load.go
+++ b/src/go/rpk/pkg/oauth/load.go
@@ -174,7 +174,7 @@ func LoadFlow(ctx context.Context, fs afero.Fs, cfg *config.Config, cl Client, n
 		// This is case 1 or 2, the logic is identical. We start with
 		// some case 2 logic: we know the auth actually exists, so we
 		// enforce it is the current rpk.yaml auth.
-		yAct.MakeAuthCurrent(pAuthAct)
+		yAct.MakeAuthCurrent(&pAuthAct)
 
 		// Case 1 and 2: we check some invariants and then ensure the
 		// virtual rpk.yaml also has the same current auth.
@@ -185,7 +185,7 @@ func LoadFlow(ctx context.Context, fs afero.Fs, cfg *config.Config, cl Client, n
 		if !pAuthVir.Equals(pAuthAct) {
 			panic("params invariant: internal virtual auth name/org != actual name/org")
 		}
-		yVir.MakeAuthCurrent(pAuthVir)
+		yVir.MakeAuthCurrent(&pAuthVir)
 
 		// Finally, set authAct and authVir so they can be updated below.
 		authAct = pAuthAct
@@ -272,7 +272,7 @@ func LoadFlow(ctx context.Context, fs afero.Fs, cfg *config.Config, cl Client, n
 					a := &y.CloudAuths[i]
 					if a.OrgID == org.ID && a.Kind == authKind {
 						*newAuth = a
-						y.MakeAuthCurrent(*newAuth)
+						y.MakeAuthCurrent(newAuth)
 						return
 					}
 				}