@flowcore/cli-plugin-iam 1.0.0 → 1.1.0

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [1.1.0](https://github.com/flowcore-io/cli-plugin-iam/compare/v1.0.0...v1.1.0) (2024-10-21)
+
+
+### Features
+
+* :sparkles: added functionality to create and delete iam policies ([0916612](https://github.com/flowcore-io/cli-plugin-iam/commit/09166128f3d1180d019b301eab5ead0af3055dbd))
+* :sparkles: added policy and role bindings to the iam api ([a1815a0](https://github.com/flowcore-io/cli-plugin-iam/commit/a1815a093ad6743b26dd3cf7a4cfd0c32a8b4326))
+
+
+### Bug Fixes
+
+* :fire: removed console log on create policy ([6289f72](https://github.com/flowcore-io/cli-plugin-iam/commit/6289f72ec7eff9b00fc6a15e928e448ca6403294))
+* :rotating_light: fixed linting errors ([b388ac6](https://github.com/flowcore-io/cli-plugin-iam/commit/b388ac6532d7d5c5c6c7fc1d401218bfbaa75b33))
+
 ## 1.0.0 (2024-09-29)
 
 

package/README.md

@@ -18,7 +18,7 @@ $ npm install -g @flowcore/cli-plugin-iam
 $ iam COMMAND
 running command...
 $ iam (--version)
-@flowcore/cli-plugin-iam/1.0.0 linux-x64 node-v20.17.0
+@flowcore/cli-plugin-iam/1.1.0 linux-x64 node-v20.18.0
 $ iam --help [COMMAND]
 USAGE
   $ iam COMMAND
@@ -51,7 +51,7 @@ DESCRIPTION
   Get a policy
 ```
 
-_See code: [src/commands/get/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.0.0/src/commands/get/policy.ts)_
+_See code: [src/commands/get/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.1.0/src/commands/get/policy.ts)_
 
 ## `iam get role [NAME]`
 
@@ -74,5 +74,5 @@ DESCRIPTION
   Get a role
 ```
 
-_See code: [src/commands/get/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.0.0/src/commands/get/role.ts)_
+_See code: [src/commands/get/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.1.0/src/commands/get/role.ts)_
 <!-- commandsstop -->

package/dist/commands/get/policy.js

@@ -37,9 +37,7 @@ export default class GetPolicy extends BaseCommand {
         const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
         const organizationService = new OrganizationService(graphqlClient);
         const organizations = await organizationService.getMyOrganizations();
-        const iamClient = new IamApi({
-            baseUrl: "https://iam.api.flowcore.io",
-        });
+        const iamClient = new IamApi();
         const config = this.cliConfiguration.getConfig();
         const login = new ValidateLogin(config.login.url);
         await login.validate(config, this.cliConfiguration, !flags.json);
@@ -83,6 +81,7 @@ export default class GetPolicy extends BaseCommand {
             return {
                 description: policy.description,
                 documents: policy.policyDocuments,
+                flowcoreManaged: policy.flowcoreManaged,
                 id: policy.id,
                 name: policy.name,
                 organization: organizationLink,

package/dist/hooks/register-apply.d.ts

@@ -0,0 +1,10 @@
+import type { CliConfiguration, Logger } from "@flowcore/cli-plugin-config";
+import type { Config } from "@oclif/core";
+import { type ApiRegistryService } from "@flowcore/cli-plugin-core";
+declare const hook: (options: {
+    apiRegistry: ApiRegistryService;
+    cliConfiguration: CliConfiguration;
+    config: Config;
+    logger: Logger;
+}) => Promise<void>;
+export default hook;

package/dist/hooks/register-apply.js

@@ -0,0 +1,9 @@
+import { ClientFactory, } from "@flowcore/cli-plugin-core";
+import { IAMApply } from "../resource-types/iam-api-version.js";
+import { OrganizationService } from "../services/organization.service.js";
+const hook = async (options) => {
+    const graphqlClient = await ClientFactory.create(options.cliConfiguration, options.logger, false);
+    const organizationService = new OrganizationService(graphqlClient);
+    options.apiRegistry.register(new IAMApply(organizationService, options.cliConfiguration, options.logger));
+};
+export default hook;

package/dist/resource-types/iam-api-version.d.ts

@@ -0,0 +1,24 @@
+import type { ApiRegistryEntry, BaseResource } from "@flowcore/cli-plugin-core";
+import { type CliConfiguration, type Logger } from "@flowcore/cli-plugin-config";
+import type { OrganizationService } from "../services/organization.service.js";
+export declare class IAMApply implements ApiRegistryEntry {
+    private readonly organizationService;
+    private readonly cliConfiguration;
+    private readonly logger;
+    name: string;
+    private iamClient;
+    private organizations;
+    private policyBindingService;
+    private policyService;
+    private roleBindingService;
+    private roleService;
+    constructor(organizationService: OrganizationService, cliConfiguration: CliConfiguration, logger: Logger);
+    apply(resource: BaseResource, skipConfirmation: boolean): Promise<boolean>;
+    calculateApplyOrder(resources: BaseResource[]): BaseResource[];
+    delete(resource: BaseResource): Promise<boolean>;
+    fetchOrganizationId(tenant: string): Promise<{
+        id: string;
+        tenant: string;
+    } | undefined>;
+    getToken(): Promise<string>;
+}

package/dist/resource-types/iam-api-version.js

@@ -0,0 +1,106 @@
+import { ValidateLogin, } from "@flowcore/cli-plugin-config";
+import { Api as IamApi } from "../utils/clients/iam/Api.js";
+import { PolicyService } from "./policy.resource.js";
+import { PolicyBindingService } from "./policy-binding.resource.js";
+import { RoleService } from "./role.resource.js";
+import { RoleBindingService } from "./role-binding.resource.js";
+const applyOrder = ["Policy", "PolicyBinding", "Role", "RoleBinding"];
+export class IAMApply {
+    organizationService;
+    cliConfiguration;
+    logger;
+    name = "iam.flowcore.io/v1";
+    iamClient;
+    organizations = [];
+    policyBindingService;
+    policyService;
+    roleBindingService;
+    roleService;
+    constructor(organizationService, cliConfiguration, logger) {
+        this.organizationService = organizationService;
+        this.cliConfiguration = cliConfiguration;
+        this.logger = logger;
+        this.getToken = this.getToken.bind(this);
+        this.iamClient = new IamApi({
+            baseUrl: "https://iam.api.flowcore.io",
+        });
+        this.policyService = new PolicyService(this.iamClient, this.logger, this.getToken);
+        this.roleService = new RoleService(this.iamClient, this.logger, this.getToken);
+        this.roleBindingService = new RoleBindingService(this.iamClient, this.logger, this.getToken);
+        this.policyBindingService = new PolicyBindingService(this.iamClient, this.logger, this.getToken);
+    }
+    async apply(resource, skipConfirmation) {
+        const organization = await this.fetchOrganizationId(resource.metadata.tenant);
+        if (!organization) {
+            this.logger.fatal(`Tenant ${resource.metadata.tenant} not found, or you don't have access to it.`);
+        }
+        switch (resource.kind) {
+            case "Policy": {
+                return this.policyService.createNewPolicy(organization.id, resource, skipConfirmation);
+            }
+            case "Role": {
+                return this.roleService.createNewRole(organization.id, resource, skipConfirmation);
+            }
+            case "RoleBinding": {
+                return this.roleBindingService.createNewRoleBinding(organization.id, resource, skipConfirmation);
+            }
+            case "PolicyBinding": {
+                return this.policyBindingService.createNewPolicyBinding(organization.id, resource, skipConfirmation);
+            }
+            default: {
+                this.logger.fatal(`Unsupported resource kind: ${resource.kind}`);
+            }
+        }
+    }
+    calculateApplyOrder(resources) {
+        return resources.sort((a, b) => {
+            if (applyOrder.indexOf(a.kind) < applyOrder.indexOf(b.kind)) {
+                return -1;
+            }
+            return 1;
+        });
+    }
+    async delete(resource) {
+        const organization = await this.fetchOrganizationId(resource.metadata.tenant);
+        if (!organization) {
+            this.logger.fatal(`Tenant ${resource.metadata.tenant} not found, or you don't have access to it.`);
+        }
+        switch (resource.kind) {
+            case "Policy": {
+                return this.policyService.deletePolicy(organization.id, resource);
+            }
+            case "Role": {
+                return this.roleService.deleteRole(organization.id, resource);
+            }
+            case "RoleBinding": {
+                return this.roleBindingService.deleteRoleBinding(organization.id, resource);
+            }
+            case "PolicyBinding": {
+                return this.policyBindingService.deletePolicyBinding(organization.id, resource);
+            }
+            default: {
+                this.logger.fatal(`Unsupported resource kind: ${resource.kind}`);
+            }
+        }
+    }
+    async fetchOrganizationId(tenant) {
+        if (this.organizations.length === 0) {
+            const organizations = await this.organizationService.getMyOrganizations();
+            this.organizations = organizations.me.organizations.map((org) => ({
+                id: org.organization.id,
+                tenant: org.organization.org,
+            }));
+        }
+        return this.organizations.find((org) => org.tenant === tenant);
+    }
+    async getToken() {
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, false);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        return auth?.accessToken;
+    }
+}

package/dist/resource-types/policy-binding.resource.d.ts

@@ -0,0 +1,82 @@
+import type { Logger } from "@flowcore/cli-plugin-config";
+import { z } from "zod";
+import type { Api as IamApi } from "../utils/clients/iam/Api.js";
+export declare const policyBindingDto: z.ZodObject<z.objectUtil.extendShape<{
+    apiVersion: z.ZodString;
+    kind: z.ZodString;
+    metadata: z.ZodObject<{
+        name: z.ZodString;
+        tenant: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        tenant: string;
+    }, {
+        name: string;
+        tenant: string;
+    }>;
+}, {
+    spec: z.ZodObject<{
+        policy: z.ZodString;
+        subjects: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            type: z.ZodEnum<["user", "key"]>;
+        }, "strip", z.ZodTypeAny, {
+            id: string;
+            type: "key" | "user";
+        }, {
+            id: string;
+            type: "key" | "user";
+        }>, "many">;
+    }, "strip", z.ZodTypeAny, {
+        policy: string;
+        subjects: {
+            id: string;
+            type: "key" | "user";
+        }[];
+    }, {
+        policy: string;
+        subjects: {
+            id: string;
+            type: "key" | "user";
+        }[];
+    }>;
+}>, "strip", z.ZodTypeAny, {
+    kind: string;
+    apiVersion: string;
+    metadata: {
+        name: string;
+        tenant: string;
+    };
+    spec: {
+        policy: string;
+        subjects: {
+            id: string;
+            type: "key" | "user";
+        }[];
+    };
+}, {
+    kind: string;
+    apiVersion: string;
+    metadata: {
+        name: string;
+        tenant: string;
+    };
+    spec: {
+        policy: string;
+        subjects: {
+            id: string;
+            type: "key" | "user";
+        }[];
+    };
+}>;
+export type PolicyBinding = z.infer<typeof policyBindingDto>;
+export type ApiPolicyResource = Awaited<ReturnType<IamApi["getApiV1PolicyAssociationsOrganizationByOrganizationId"]>>["data"][0];
+export type ApiPolicyAssociationResource = Awaited<ReturnType<IamApi["getApiV1PolicyAssociationsByPolicyId"]>>["data"];
+export declare class PolicyBindingService {
+    private readonly iamClient;
+    private readonly logger;
+    private readonly getToken;
+    constructor(iamClient: IamApi, logger: Logger, getToken: () => Promise<string>);
+    createNewPolicyBinding(organizationId: string, policyBinding: unknown, skipConfirmation: boolean): Promise<boolean>;
+    deletePolicyBinding(organizationId: string, policyBinding: unknown): Promise<boolean>;
+}

package/dist/resource-types/policy-binding.resource.js

@@ -0,0 +1,203 @@
+import { baseResourceDto } from "@flowcore/cli-plugin-core";
+import enquirer from "enquirer";
+import { diffString } from "json-diff";
+import { z } from "zod";
+export const policyBindingDto = baseResourceDto.extend({
+    spec: z.object({
+        policy: z.string(),
+        subjects: z.array(z.object({
+            id: z.string(),
+            type: z.enum(["user", "key"]),
+        })),
+    }),
+});
+export class PolicyBindingService {
+    iamClient;
+    logger;
+    getToken;
+    constructor(iamClient, logger, getToken) {
+        this.iamClient = iamClient;
+        this.logger = logger;
+        this.getToken = getToken;
+    }
+    async createNewPolicyBinding(organizationId, policyBinding, skipConfirmation) {
+        const parsedPolicyBinding = policyBindingDto.parse(policyBinding);
+        try {
+            const policies = await this.iamClient.getApiV1PolicyAssociationsOrganizationByOrganizationId(organizationId, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            const existingPolicy = policies.data.find((p) => p.name === parsedPolicyBinding.spec.policy);
+            if (!existingPolicy) {
+                this.logger.error(`Policy ${parsedPolicyBinding.spec.policy} not found`);
+                return false;
+            }
+            const associations = await this.iamClient.getApiV1PolicyAssociationsByPolicyId(existingPolicy.id, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            const usersToDelete = [];
+            for (const userAssociation of associations.data.users.filter((u) => u.policyId !== existingPolicy.id)) {
+                if (!parsedPolicyBinding.spec.subjects.find((s) => s.type === "user" && s.id === userAssociation.userId)) {
+                    usersToDelete.push(userAssociation.userId);
+                }
+            }
+            const keysToDelete = [];
+            for (const keyAssociation of associations.data.keys.filter((k) => k.policyId !== existingPolicy.id)) {
+                if (!parsedPolicyBinding.spec.subjects.find((s) => s.type === "key" && s.id === keyAssociation.keyId)) {
+                    keysToDelete.push(keyAssociation.keyId);
+                }
+            }
+            if (!skipConfirmation) {
+                const diffObject = {
+                    keys: associations.data.keys.filter((k) => !keysToDelete.includes(k.keyId)),
+                    users: associations.data.users.filter((u) => !usersToDelete.includes(u.userId)),
+                };
+                this.logger.info("Modifying the following:");
+                this.logger.info(`${diffString(associations.data.users.map((u) => u.userId), diffObject.users, { color: true, full: true })}`);
+                this.logger.info(`${diffString(associations.data.keys.map((k) => k.keyId), diffObject.keys, { color: true, full: true })}`);
+                const { confirm } = await enquirer.prompt([
+                    {
+                        message: `Are you sure you want to remove ${usersToDelete.length} users and ${keysToDelete.length} keys from policy ${existingPolicy.name}?`,
+                        name: "confirm",
+                        type: "confirm",
+                    },
+                ]);
+                if (!confirm) {
+                    return false;
+                }
+            }
+            let changed = keysToDelete.length > 0 || usersToDelete.length > 0;
+            for (const userId of usersToDelete) {
+                const result = await this.iamClient.deleteApiV1PolicyAssociationsUserByUserId(userId, { policyId: existingPolicy.id }, {
+                    headers: {
+                        Authorization: `Bearer ${await this.getToken()}`,
+                    },
+                });
+                if (result.status !== 200) {
+                    this.logger.error(`Failed to delete user ${userId} from policy ${existingPolicy.name}: ${result.statusText}`);
+                }
+            }
+            for (const keyId of keysToDelete) {
+                const result = await this.iamClient.deleteApiV1PolicyAssociationsKeyByKeyId(keyId, { policyId: existingPolicy.id }, {
+                    headers: {
+                        Authorization: `Bearer ${await this.getToken()}`,
+                    },
+                });
+                if (result.status !== 200) {
+                    this.logger.error(`Failed to delete key ${keyId} from policy ${existingPolicy.name}: ${result.statusText}`);
+                }
+            }
+            for (const subject of parsedPolicyBinding.spec.subjects) {
+                switch (subject.type) {
+                    case "user": {
+                        const existingAssociation = associations.data.users.find((a) => a.userId === subject.id);
+                        if (existingAssociation) {
+                            this.logger.debug(`User ${subject.id} already bound to policy ${existingPolicy.name}`);
+                            continue;
+                        }
+                        const result = await this.iamClient.postApiV1PolicyAssociationsUserByUserId(subject.id, { policyId: existingPolicy.id }, {
+                            headers: {
+                                Authorization: `Bearer ${await this.getToken()}`,
+                            },
+                        });
+                        if (result.status !== 200) {
+                            this.logger.error(`Failed to bind user ${subject.id} to policy ${existingPolicy.name}: ${result.statusText}`);
+                        }
+                        changed = true;
+                        break;
+                    }
+                    case "key": {
+                        const existingAssociation = associations.data.keys.find((a) => a.keyId === subject.id);
+                        if (existingAssociation) {
+                            this.logger.debug(`Key ${subject.id} already bound to policy ${existingPolicy.name}`);
+                            continue;
+                        }
+                        const result = await this.iamClient.postApiV1PolicyAssociationsKeyByKeyId(subject.id, { policyId: existingPolicy.id }, {
+                            headers: {
+                                Authorization: `Bearer ${await this.getToken()}`,
+                            },
+                        });
+                        if (result.status !== 200) {
+                            this.logger.error(`Failed to bind key ${subject.id} to policy ${existingPolicy.name}: ${result.statusText}`);
+                        }
+                        changed = true;
+                        break;
+                    }
+                }
+            }
+            return changed;
+        }
+        catch (error) {
+            if (typeof error === "object" && error !== null && "error" in error) {
+                const err = error;
+                this.logger.fatal(`Failed to create policy binding with error(${err.error.status} - ${err.error.code}): ${err.error.message}`);
+            }
+            else {
+                this.logger.fatal(`Failed to create policy binding with unknown error: ${error}`);
+            }
+        }
+    }
+    async deletePolicyBinding(organizationId, policyBinding) {
+        const parsedPolicyBinding = policyBindingDto.parse(policyBinding);
+        try {
+            const policies = await this.iamClient.getApiV1PolicyAssociationsOrganizationByOrganizationId(organizationId, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            const targetPolicy = policies.data.find((p) => p.name === parsedPolicyBinding.spec.policy);
+            if (!targetPolicy) {
+                this.logger.fatal(`Policy ${parsedPolicyBinding.spec.policy} not found`);
+            }
+            const associations = await this.iamClient.getApiV1PolicyAssociationsByPolicyId(targetPolicy.id, {
+                headers: {
+                    Authorization: `Bearer ${await this.getToken()}`,
+                },
+            });
+            for (const subject of parsedPolicyBinding.spec.subjects) {
+                switch (subject.type) {
+                    case "user": {
+                        const existingAssociation = associations.data.users.find((a) => a.userId === subject.id);
+                        if (!existingAssociation) {
+                            this.logger.error(`User ${subject.id} not bound to policy ${targetPolicy.id}`);
+                            continue;
+                        }
+                        const result = await this.iamClient.deleteApiV1PolicyAssociationsUserByUserId(subject.id, { policyId: targetPolicy.id }, {
+                            headers: {
+                                Authorization: `Bearer ${await this.getToken()}`,
+                            },
+                        });
+                        if (result.status !== 200) {
+                            this.logger.error(`Failed to delete policy binding for user ${subject.id}: ${result.statusText}`);
+                        }
+                        break;
+                    }
+                    case "key": {
+                        const result = await this.iamClient.deleteApiV1PolicyAssociationsKeyByKeyId(subject.id, { policyId: targetPolicy.id }, {
+                            headers: {
+                                Authorization: `Bearer ${await this.getToken()}`,
+                            },
+                        });
+                        if (result.status !== 200) {
+                            this.logger.error(`Failed to delete policy binding for key ${subject.id}: ${result.statusText}`);
+                        }
+                        break;
+                    }
+                }
+            }
+            return true;
+        }
+        catch (error) {
+            if (typeof error === "object" && error !== null && "error" in error) {
+                const err = error;
+                this.logger.fatal(`Failed to delete policy with error(${err.error.status} - ${err.error.code}): ${err.error.message}`);
+            }
+            else {
+                this.logger.fatal(`Failed to delete policy with unknown error: ${error}`);
+            }
+        }
+    }
+}

package/dist/resource-types/policy.resource.d.ts

@@ -0,0 +1,110 @@
+import type { Logger } from "@flowcore/cli-plugin-config";
+import { z } from "zod";
+import type { Api as IamApi } from "../utils/clients/iam/Api.js";
+export declare enum PolicyDocumentAction {
+    ALL = "*",
+    FETCH = "FETCH",
+    INGEST = "INGEST",
+    READ = "READ",
+    WRITE = "WRITE"
+}
+export declare const policyDto: z.ZodObject<z.objectUtil.extendShape<{
+    apiVersion: z.ZodString;
+    kind: z.ZodString;
+    metadata: z.ZodObject<{
+        name: z.ZodString;
+        tenant: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        tenant: string;
+    }, {
+        name: string;
+        tenant: string;
+    }>;
+}, {
+    spec: z.ZodObject<{
+        description: z.ZodOptional<z.ZodString>;
+        flowcoreManaged: z.ZodOptional<z.ZodBoolean>;
+        policyDocuments: z.ZodArray<z.ZodObject<{
+            action: z.ZodUnion<[z.ZodArray<z.ZodNativeEnum<typeof PolicyDocumentAction>, "many">, z.ZodNativeEnum<typeof PolicyDocumentAction>]>;
+            resource: z.ZodString;
+            statementId: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            action: PolicyDocumentAction | PolicyDocumentAction[];
+            resource: string;
+            statementId?: string | undefined;
+        }, {
+            action: PolicyDocumentAction | PolicyDocumentAction[];
+            resource: string;
+            statementId?: string | undefined;
+        }>, "many">;
+        principal: z.ZodOptional<z.ZodString>;
+        version: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        version: string;
+        policyDocuments: {
+            action: PolicyDocumentAction | PolicyDocumentAction[];
+            resource: string;
+            statementId?: string | undefined;
+        }[];
+        description?: string | undefined;
+        flowcoreManaged?: boolean | undefined;
+        principal?: string | undefined;
+    }, {
+        version: string;
+        policyDocuments: {
+            action: PolicyDocumentAction | PolicyDocumentAction[];
+            resource: string;
+            statementId?: string | undefined;
+        }[];
+        description?: string | undefined;
+        flowcoreManaged?: boolean | undefined;
+        principal?: string | undefined;
+    }>;
+}>, "strip", z.ZodTypeAny, {
+    kind: string;
+    apiVersion: string;
+    metadata: {
+        name: string;
+        tenant: string;
+    };
+    spec: {
+        version: string;
+        policyDocuments: {
+            action: PolicyDocumentAction | PolicyDocumentAction[];
+            resource: string;
+            statementId?: string | undefined;
+        }[];
+        description?: string | undefined;
+        flowcoreManaged?: boolean | undefined;
+        principal?: string | undefined;
+    };
+}, {
+    kind: string;
+    apiVersion: string;
+    metadata: {
+        name: string;
+        tenant: string;
+    };
+    spec: {
+        version: string;
+        policyDocuments: {
+            action: PolicyDocumentAction | PolicyDocumentAction[];
+            resource: string;
+            statementId?: string | undefined;
+        }[];
+        description?: string | undefined;
+        flowcoreManaged?: boolean | undefined;
+        principal?: string | undefined;
+    };
+}>;
+export type Policy = z.infer<typeof policyDto>;
+export type ApiPolicyResource = Awaited<ReturnType<IamApi["getApiV1PolicyAssociationsOrganizationByOrganizationId"]>>["data"][0];
+export declare class PolicyService {
+    private readonly iamClient;
+    private readonly logger;
+    private readonly getToken;
+    constructor(iamClient: IamApi, logger: Logger, getToken: () => Promise<string>);
+    createNewPolicy(organizationId: string, policy: unknown, skipConfirmation: boolean): Promise<boolean>;
+    deletePolicy(organizationId: string, policy: unknown): Promise<boolean>;
+}