@flowcore/cli-plugin-iam 1.6.1 → 1.8.0

package/dist/commands/assign/role.js

@@ -0,0 +1,98 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class AssignRole extends BaseCommand {
+    static args = {
+        ROLE_NAME: Args.string({
+            description: "The name of the role to assign",
+            required: true,
+        }),
+    };
+    static description = "Assign an IAM role to a user or API key. Exactly one of --user or --key must be specified";
+    static examples = [
+        `$ flowcore iam assign role data-reader --user "auth0|abc123" -t my-org`,
+        `$ flowcore iam assign role data-reader --key "550e8400-e29b-41d4-a716-446655440000" -t my-org`,
+        `$ flowcore iam assign role data-reader --user "auth0|abc123" -t my-org -j`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        key: Flags.string({
+            description: "The API key ID to assign the role to",
+            exclusive: ["user"],
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) containing the role",
+            required: true,
+        }),
+        user: Flags.string({
+            description: "The user ID to assign the role to",
+            exclusive: ["key"],
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(AssignRole);
+        if (!flags.user && !flags.key) {
+            this.logger.fatal("Exactly one of --user or --key is required");
+        }
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const authHeaders = {
+            headers: { Authorization: `Bearer ${auth?.accessToken}` },
+        };
+        // Resolve role name to ID
+        const [rolesErr, roles] = await tryit(iamClient.getApiV1RoleAssociationsOrganizationByOrganizationId)(organization.organization.id, authHeaders);
+        if (rolesErr) {
+            this.logger.fatal(`Failed to get roles: ${rolesErr.message}`);
+        }
+        const role = roles.data.find((r) => r.name === args.ROLE_NAME);
+        if (!role) {
+            this.logger.fatal(`Role "${args.ROLE_NAME}" not found in tenant: ${flags.tenant}`);
+        }
+        let result;
+        if (flags.user) {
+            const [err, response] = await tryit(iamClient.postApiV1RoleAssociationsUserByUserId)(flags.user, { roleId: role.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to assign role to user: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        else if (flags.key) {
+            const [err, response] = await tryit(iamClient.postApiV1RoleAssociationsKeyByKeyId)(flags.key, { roleId: role.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to assign role to key: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else {
+            const target = flags.user ? `user ${flags.user}` : `key ${flags.key}`;
+            this.logger.info(`Role "${args.ROLE_NAME}" assigned to ${target}`);
+        }
+    }
+}

package/dist/commands/create/policy.d.ts

@@ -0,0 +1,16 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class CreatePolicy extends BaseCommand<typeof CreatePolicy> {
+    static args: {
+        NAME: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        description: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        documents: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        version: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/create/policy.js

@@ -0,0 +1,110 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { readPipe } from "../../utils/read-pipe.util.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class CreatePolicy extends BaseCommand {
+    static args = {
+        NAME: Args.string({
+            description: "The name of the policy to create",
+            required: true,
+        }),
+    };
+    static description = "Create a new IAM policy with the specified name, version, and policy documents defining resource access rules";
+    static examples = [
+        `$ flowcore iam create policy read-access -t my-org --version "2024-01-01" --documents '[{"resource":"frn::my-org:data-core/*","action":["read","fetch"]}]'`,
+        `$ cat docs.json | flowcore iam create policy read-access -t my-org --version "2024-01-01" --documents -`,
+        `$ flowcore iam create policy admin-access -t my-org --version "2024-01-01" --description "Full admin access" --documents '[{"resource":"frn::my-org:*","action":"*"}]' -j`,
+    ];
+    static flags = {
+        description: Flags.string({
+            description: "A description of the policy",
+            required: false,
+        }),
+        documents: Flags.string({
+            description: 'JSON array of policy documents, each with "resource" and "action" fields. Use "-" to read from stdin',
+            required: true,
+        }),
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) to create the policy in",
+            required: true,
+        }),
+        version: Flags.string({
+            description: "The version of the policy (e.g. 2024-01-01)",
+            required: true,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(CreatePolicy);
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        let policyDocuments;
+        try {
+            if (flags.documents === "-") {
+                const stdinData = await readPipe();
+                if (!stdinData) {
+                    this.logger.fatal("No data received from stdin. Pipe JSON documents to stdin when using --documents -");
+                }
+                policyDocuments = JSON.parse(stdinData);
+            }
+            else {
+                policyDocuments = JSON.parse(flags.documents);
+            }
+        }
+        catch {
+            this.logger.fatal('Failed to parse --documents flag. Expected a valid JSON array, e.g. \'[{"resource":"frn::org:data-core/*","action":["read"]}]\'');
+        }
+        if (!Array.isArray(policyDocuments) || policyDocuments.length === 0) {
+            this.logger.fatal("--documents must be a non-empty JSON array of policy documents");
+        }
+        const [err, response] = await tryit(iamClient.postApiV1Policies)({
+            description: flags.description,
+            name: args.NAME,
+            organizationId: organization.organization.id,
+            policyDocuments,
+            version: flags.version,
+        }, {
+            headers: {
+                Authorization: `Bearer ${auth?.accessToken}`,
+            },
+        });
+        if (err) {
+            this.logger.fatal(`Failed to create policy: ${getErrorMessage(err)}`);
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(response.data, null, 2));
+        }
+        else {
+            this.ui
+                .sticker()
+                .add(`Policy ${this.ui.colors.green(args.NAME)} created`)
+                .add("")
+                .add(`ID: ${this.ui.colors.green(response.data.id ?? "unknown")}`)
+                .add(`Version: ${this.ui.colors.green(flags.version)}`)
+                .add(`Organization: ${this.ui.colors.green(flags.tenant)}`)
+                .render();
+        }
+    }
+}

package/dist/commands/create/role.d.ts

@@ -0,0 +1,14 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class CreateRole extends BaseCommand<typeof CreateRole> {
+    static args: {
+        NAME: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        description: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/create/role.js

@@ -0,0 +1,78 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class CreateRole extends BaseCommand {
+    static args = {
+        NAME: Args.string({
+            description: "The name of the role to create",
+            required: true,
+        }),
+    };
+    static description = "Create a new IAM role with the specified name and optional description";
+    static examples = [
+        `$ flowcore iam create role data-reader -t my-org --description "Read-only data access"`,
+        "$ flowcore iam create role admin -t my-org -j",
+    ];
+    static flags = {
+        description: Flags.string({
+            description: "A description of the role",
+            required: false,
+        }),
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) to create the role in",
+            required: true,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(CreateRole);
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const [err, response] = await tryit(iamClient.postApiV1Roles)({
+            description: flags.description,
+            name: args.NAME,
+            organizationId: organization.organization.id,
+        }, {
+            headers: {
+                Authorization: `Bearer ${auth?.accessToken}`,
+            },
+        });
+        if (err) {
+            this.logger.fatal(`Failed to create role: ${getErrorMessage(err)}`);
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(response.data, null, 2));
+        }
+        else {
+            this.ui
+                .sticker()
+                .add(`Role ${this.ui.colors.green(args.NAME)} created`)
+                .add("")
+                .add(`ID: ${this.ui.colors.green(response.data.id ?? "unknown")}`)
+                .add(`Organization: ${this.ui.colors.green(flags.tenant)}`)
+                .render();
+        }
+    }
+}

package/dist/commands/edit/policy.js

@@ -1,10 +1,10 @@
-import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
-import { ClientFactory } from "@flowcore/cli-plugin-core";
-import { Args, Flags } from "@oclif/core";
 import { spawn } from "node:child_process";
 import { unlink, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
 import { tryit } from "radash";
 import { v4 as uuidv4 } from "uuid";
 import { OrganizationService } from "../../services/organization.service.js";

package/dist/commands/edit/role.js

@@ -1,10 +1,10 @@
-import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
-import { ClientFactory } from "@flowcore/cli-plugin-core";
-import { Args, Flags } from "@oclif/core";
 import { spawn } from "node:child_process";
 import { unlink, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
 import { tryit } from "radash";
 import { v4 as uuidv4 } from "uuid";
 import { OrganizationService } from "../../services/organization.service.js";

package/dist/commands/get/key-policies.d.ts

@@ -0,0 +1,13 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class GetKeyPolicies extends BaseCommand<typeof GetKeyPolicies> {
+    static args: {
+        KEY_ID: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        wide: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/get/key-policies.js

@@ -0,0 +1,79 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class GetKeyPolicies extends BaseCommand {
+    static args = {
+        KEY_ID: Args.string({
+            description: "The API key ID to get policies for",
+            required: true,
+        }),
+    };
+    static description = "List all IAM policies assigned to a specific API key";
+    static examples = [
+        `$ flowcore iam get key-policies "550e8400-e29b-41d4-a716-446655440000"`,
+        `$ flowcore iam get key-policies "550e8400-e29b-41d4-a716-446655440000" -j`,
+        `$ flowcore iam get key-policies "550e8400-e29b-41d4-a716-446655440000" -w`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        wide: Flags.boolean({
+            char: "w",
+            description: "Show additional columns in table output",
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(GetKeyPolicies);
+        await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const [err, response] = await tryit(iamClient.getApiV1PolicyAssociationsKeyByKeyId)(args.KEY_ID, {
+            headers: {
+                Authorization: `Bearer ${auth?.accessToken}`,
+            },
+        });
+        if (err) {
+            this.logger.fatal(`Failed to get key policies: ${getErrorMessage(err)}`);
+        }
+        const policies = response.data;
+        if (flags.json) {
+            console.log(JSON.stringify(policies, null, 2));
+        }
+        else {
+            const headers = [
+                "Policy ID",
+                "Name",
+                "Version",
+                "Description",
+                "Documents",
+                ...(flags.wide ? ["Organization ID"] : []),
+            ];
+            let table = this.ui.table().head(headers);
+            for (const policy of policies) {
+                const row = [
+                    policy.id,
+                    policy.name,
+                    policy.version,
+                    policy.description ?? "",
+                    String(policy.policyDocuments.length),
+                    ...(flags.wide ? [policy.organizationId] : []),
+                ];
+                table = table.row(row);
+            }
+            table.render();
+        }
+    }
+}

package/dist/commands/get/key-roles.d.ts

@@ -0,0 +1,13 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class GetKeyRoles extends BaseCommand<typeof GetKeyRoles> {
+    static args: {
+        KEY_ID: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        wide: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/get/key-roles.js

@@ -0,0 +1,75 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class GetKeyRoles extends BaseCommand {
+    static args = {
+        KEY_ID: Args.string({
+            description: "The API key ID to get roles for",
+            required: true,
+        }),
+    };
+    static description = "List all IAM roles assigned to a specific API key";
+    static examples = [
+        `$ flowcore iam get key-roles "550e8400-e29b-41d4-a716-446655440000"`,
+        `$ flowcore iam get key-roles "550e8400-e29b-41d4-a716-446655440000" -j`,
+        `$ flowcore iam get key-roles "550e8400-e29b-41d4-a716-446655440000" -w`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        wide: Flags.boolean({
+            char: "w",
+            description: "Show additional columns in table output",
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(GetKeyRoles);
+        await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const [err, response] = await tryit(iamClient.getApiV1RoleAssociationsKeyByKeyId)(args.KEY_ID, {
+            headers: {
+                Authorization: `Bearer ${auth?.accessToken}`,
+            },
+        });
+        if (err) {
+            this.logger.fatal(`Failed to get key roles: ${getErrorMessage(err)}`);
+        }
+        const roles = response.data;
+        if (flags.json) {
+            console.log(JSON.stringify(roles, null, 2));
+        }
+        else {
+            const headers = [
+                "Role ID",
+                "Name",
+                "Description",
+                ...(flags.wide ? ["Organization ID"] : []),
+            ];
+            let table = this.ui.table().head(headers);
+            for (const role of roles) {
+                const row = [
+                    role.id,
+                    role.name,
+                    role.description ?? "",
+                    ...(flags.wide ? [role.organizationId] : []),
+                ];
+                table = table.row(row);
+            }
+            table.render();
+        }
+    }
+}

package/dist/commands/get/user-policies.d.ts

@@ -0,0 +1,14 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class GetUserPolicies extends BaseCommand<typeof GetUserPolicies> {
+    static args: {
+        USER_ID: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        wide: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/get/user-policies.js

@@ -0,0 +1,94 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class GetUserPolicies extends BaseCommand {
+    static args = {
+        USER_ID: Args.string({
+            description: "The user ID to get policies for (e.g. auth0|abc123)",
+            required: true,
+        }),
+    };
+    static description = "List all IAM policies assigned to a specific user, optionally scoped to a tenant";
+    static examples = [
+        `$ flowcore iam get user-policies "auth0|abc123" -t my-org`,
+        `$ flowcore iam get user-policies "auth0|abc123" -j`,
+        `$ flowcore iam get user-policies "auth0|abc123" -t my-org -w`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "Scope results to a specific tenant (organization slug)",
+            required: false,
+        }),
+        wide: Flags.boolean({
+            char: "w",
+            description: "Show additional columns in table output",
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(GetUserPolicies);
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const authHeaders = {
+            headers: { Authorization: `Bearer ${auth?.accessToken}` },
+        };
+        let organizationId;
+        if (flags.tenant) {
+            const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+            if (!organization) {
+                this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+            }
+            organizationId = organization.organization.id;
+        }
+        const [err, response] = await tryit(iamClient.getApiV1PolicyAssociationsUserByUserId)(args.USER_ID, organizationId ? { organizationId } : undefined, authHeaders);
+        if (err) {
+            this.logger.fatal(`Failed to get user policies: ${getErrorMessage(err)}`);
+        }
+        const policies = response.data;
+        if (flags.json) {
+            console.log(JSON.stringify(policies, null, 2));
+        }
+        else {
+            const headers = [
+                "Policy ID",
+                "Name",
+                "Version",
+                "Description",
+                "Documents",
+                ...(flags.wide ? ["Organization ID"] : []),
+            ];
+            let table = this.ui.table().head(headers);
+            for (const policy of policies) {
+                const row = [
+                    policy.id,
+                    policy.name,
+                    policy.version,
+                    policy.description ?? "",
+                    String(policy.policyDocuments.length),
+                    ...(flags.wide ? [policy.organizationId] : []),
+                ];
+                table = table.row(row);
+            }
+            table.render();
+        }
+    }
+}

package/dist/commands/get/user-roles.d.ts

@@ -0,0 +1,14 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class GetUserRoles extends BaseCommand<typeof GetUserRoles> {
+    static args: {
+        USER_ID: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        wide: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}