@flowcore/cli-plugin-iam 1.7.0 → 1.8.0

package/README.md

@@ -18,7 +18,7 @@ $ npm install -g @flowcore/cli-plugin-iam
 $ iam COMMAND
 running command...
 $ iam (--version)
-@flowcore/cli-plugin-iam/1.7.0 linux-x64 node-v20.16.0
+@flowcore/cli-plugin-iam/1.8.0 linux-x64 node-v20.20.0
 $ iam --help [COMMAND]
 USAGE
   $ iam COMMAND
@@ -27,12 +27,152 @@ USAGE
 <!-- usagestop -->
 # Commands
 <!-- commands -->
+* [`iam assign policy POLICY_NAME`](#iam-assign-policy-policy_name)
+* [`iam assign role ROLE_NAME`](#iam-assign-role-role_name)
+* [`iam create policy NAME`](#iam-create-policy-name)
+* [`iam create role NAME`](#iam-create-role-name)
 * [`iam delete policy NAME`](#iam-delete-policy-name)
 * [`iam delete role NAME`](#iam-delete-role-name)
 * [`iam edit policy NAME`](#iam-edit-policy-name)
 * [`iam edit role NAME`](#iam-edit-role-name)
+* [`iam get key-policies KEY_ID`](#iam-get-key-policies-key_id)
+* [`iam get key-roles KEY_ID`](#iam-get-key-roles-key_id)
 * [`iam get policy [NAME]`](#iam-get-policy-name)
 * [`iam get role [NAME]`](#iam-get-role-name)
+* [`iam get user-policies USER_ID`](#iam-get-user-policies-user_id)
+* [`iam get user-roles USER_ID`](#iam-get-user-roles-user_id)
+* [`iam unassign policy POLICY_NAME`](#iam-unassign-policy-policy_name)
+* [`iam unassign role ROLE_NAME`](#iam-unassign-role-role_name)
+* [`iam validate key KEY_ID`](#iam-validate-key-key_id)
+* [`iam validate user USER_ID`](#iam-validate-user-user_id)
+
+## `iam assign policy POLICY_NAME`
+
+Assign an IAM policy to a user, API key, or role. Exactly one of --user, --key, or --role must be specified
+
+```
+USAGE
+  $ iam assign policy POLICY_NAME -t <value> [--profile <value>] [-j] [--key <value> | --user <value> | --role
+    <value>]
+
+ARGUMENTS
+  POLICY_NAME  The name of the policy to assign
+
+FLAGS
+  -j, --json             Output result as JSON
+  -t, --tenant=<value>   (required) The tenant (organization slug) containing the policy
+      --key=<value>      The API key ID to assign the policy to
+      --profile=<value>  Specify the configuration profile to use
+      --role=<value>     The role name to assign the policy to
+      --user=<value>     The user ID to assign the policy to
+
+DESCRIPTION
+  Assign an IAM policy to a user, API key, or role. Exactly one of --user, --key, or --role must be specified
+
+EXAMPLES
+  $ flowcore iam assign policy read-access --user "auth0|abc123" -t my-org
+
+  $ flowcore iam assign policy read-access --key "550e8400-e29b-41d4-a716-446655440000" -t my-org
+
+  $ flowcore iam assign policy read-access --role data-reader -t my-org
+
+  $ flowcore iam assign policy read-access --user "auth0|abc123" -t my-org -j
+```
+
+_See code: [src/commands/assign/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/assign/policy.ts)_
+
+## `iam assign role ROLE_NAME`
+
+Assign an IAM role to a user or API key. Exactly one of --user or --key must be specified
+
+```
+USAGE
+  $ iam assign role ROLE_NAME -t <value> [--profile <value>] [-j] [--key <value> | --user <value>]
+
+ARGUMENTS
+  ROLE_NAME  The name of the role to assign
+
+FLAGS
+  -j, --json             Output result as JSON
+  -t, --tenant=<value>   (required) The tenant (organization slug) containing the role
+      --key=<value>      The API key ID to assign the role to
+      --profile=<value>  Specify the configuration profile to use
+      --user=<value>     The user ID to assign the role to
+
+DESCRIPTION
+  Assign an IAM role to a user or API key. Exactly one of --user or --key must be specified
+
+EXAMPLES
+  $ flowcore iam assign role data-reader --user "auth0|abc123" -t my-org
+
+  $ flowcore iam assign role data-reader --key "550e8400-e29b-41d4-a716-446655440000" -t my-org
+
+  $ flowcore iam assign role data-reader --user "auth0|abc123" -t my-org -j
+```
+
+_See code: [src/commands/assign/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/assign/role.ts)_
+
+## `iam create policy NAME`
+
+Create a new IAM policy with the specified name, version, and policy documents defining resource access rules
+
+```
+USAGE
+  $ iam create policy NAME --documents <value> -t <value> --version <value> [--profile <value>] [--description
+    <value>] [-j]
+
+ARGUMENTS
+  NAME  The name of the policy to create
+
+FLAGS
+  -j, --json                 Output result as JSON
+  -t, --tenant=<value>       (required) The tenant (organization slug) to create the policy in
+      --description=<value>  A description of the policy
+      --documents=<value>    (required) JSON array of policy documents, each with "resource" and "action" fields. Use
+                             "-" to read from stdin
+      --profile=<value>      Specify the configuration profile to use
+      --version=<value>      (required) The version of the policy (e.g. 2024-01-01)
+
+DESCRIPTION
+  Create a new IAM policy with the specified name, version, and policy documents defining resource access rules
+
+EXAMPLES
+  $ flowcore iam create policy read-access -t my-org --version "2024-01-01" --documents '[{"resource":"frn::my-org:data-core/*","action":["read","fetch"]}]'
+
+  $ cat docs.json | flowcore iam create policy read-access -t my-org --version "2024-01-01" --documents -
+
+  $ flowcore iam create policy admin-access -t my-org --version "2024-01-01" --description "Full admin access" --documents '[{"resource":"frn::my-org:*","action":"*"}]' -j
+```
+
+_See code: [src/commands/create/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/create/policy.ts)_
+
+## `iam create role NAME`
+
+Create a new IAM role with the specified name and optional description
+
+```
+USAGE
+  $ iam create role NAME -t <value> [--profile <value>] [--description <value>] [-j]
+
+ARGUMENTS
+  NAME  The name of the role to create
+
+FLAGS
+  -j, --json                 Output result as JSON
+  -t, --tenant=<value>       (required) The tenant (organization slug) to create the role in
+      --description=<value>  A description of the role
+      --profile=<value>      Specify the configuration profile to use
+
+DESCRIPTION
+  Create a new IAM role with the specified name and optional description
+
+EXAMPLES
+  $ flowcore iam create role data-reader -t my-org --description "Read-only data access"
+
+  $ flowcore iam create role admin -t my-org -j
+```
+
+_See code: [src/commands/create/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/create/role.ts)_
 
 ## `iam delete policy NAME`
 
@@ -55,7 +195,7 @@ DESCRIPTION
   Delete a policy
 ```
 
-_See code: [src/commands/delete/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.7.0/src/commands/delete/policy.ts)_
+_See code: [src/commands/delete/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/delete/policy.ts)_
 
 ## `iam delete role NAME`
 
@@ -78,7 +218,7 @@ DESCRIPTION
   Delete a role
 ```
 
-_See code: [src/commands/delete/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.7.0/src/commands/delete/role.ts)_
+_See code: [src/commands/delete/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/delete/role.ts)_
 
 ## `iam edit policy NAME`
 
@@ -104,7 +244,7 @@ EXAMPLES
   $ FC_EDITOR=code flowcore iam edit policy my-policy -t my-tenant
 ```
 
-_See code: [src/commands/edit/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.7.0/src/commands/edit/policy.ts)_
+_See code: [src/commands/edit/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/edit/policy.ts)_
 
 ## `iam edit role NAME`
 
@@ -130,7 +270,65 @@ EXAMPLES
   $ FC_EDITOR=code flowcore iam edit role my-role -t my-tenant
 ```
 
-_See code: [src/commands/edit/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.7.0/src/commands/edit/role.ts)_
+_See code: [src/commands/edit/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/edit/role.ts)_
+
+## `iam get key-policies KEY_ID`
+
+List all IAM policies assigned to a specific API key
+
+```
+USAGE
+  $ iam get key-policies KEY_ID [--profile <value>] [-j] [-w]
+
+ARGUMENTS
+  KEY_ID  The API key ID to get policies for
+
+FLAGS
+  -j, --json             Output result as JSON
+  -w, --wide             Show additional columns in table output
+      --profile=<value>  Specify the configuration profile to use
+
+DESCRIPTION
+  List all IAM policies assigned to a specific API key
+
+EXAMPLES
+  $ flowcore iam get key-policies "550e8400-e29b-41d4-a716-446655440000"
+
+  $ flowcore iam get key-policies "550e8400-e29b-41d4-a716-446655440000" -j
+
+  $ flowcore iam get key-policies "550e8400-e29b-41d4-a716-446655440000" -w
+```
+
+_See code: [src/commands/get/key-policies.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/get/key-policies.ts)_
+
+## `iam get key-roles KEY_ID`
+
+List all IAM roles assigned to a specific API key
+
+```
+USAGE
+  $ iam get key-roles KEY_ID [--profile <value>] [-j] [-w]
+
+ARGUMENTS
+  KEY_ID  The API key ID to get roles for
+
+FLAGS
+  -j, --json             Output result as JSON
+  -w, --wide             Show additional columns in table output
+      --profile=<value>  Specify the configuration profile to use
+
+DESCRIPTION
+  List all IAM roles assigned to a specific API key
+
+EXAMPLES
+  $ flowcore iam get key-roles "550e8400-e29b-41d4-a716-446655440000"
+
+  $ flowcore iam get key-roles "550e8400-e29b-41d4-a716-446655440000" -j
+
+  $ flowcore iam get key-roles "550e8400-e29b-41d4-a716-446655440000" -w
+```
+
+_See code: [src/commands/get/key-roles.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/get/key-roles.ts)_
 
 ## `iam get policy [NAME]`
 
@@ -153,7 +351,7 @@ DESCRIPTION
   Get a policy
 ```
 
-_See code: [src/commands/get/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.7.0/src/commands/get/policy.ts)_
+_See code: [src/commands/get/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/get/policy.ts)_
 
 ## `iam get role [NAME]`
 
@@ -176,5 +374,196 @@ DESCRIPTION
   Get a role
 ```
 
-_See code: [src/commands/get/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.7.0/src/commands/get/role.ts)_
+_See code: [src/commands/get/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/get/role.ts)_
+
+## `iam get user-policies USER_ID`
+
+List all IAM policies assigned to a specific user, optionally scoped to a tenant
+
+```
+USAGE
+  $ iam get user-policies USER_ID [--profile <value>] [-j] [-t <value>] [-w]
+
+ARGUMENTS
+  USER_ID  The user ID to get policies for (e.g. auth0|abc123)
+
+FLAGS
+  -j, --json             Output result as JSON
+  -t, --tenant=<value>   Scope results to a specific tenant (organization slug)
+  -w, --wide             Show additional columns in table output
+      --profile=<value>  Specify the configuration profile to use
+
+DESCRIPTION
+  List all IAM policies assigned to a specific user, optionally scoped to a tenant
+
+EXAMPLES
+  $ flowcore iam get user-policies "auth0|abc123" -t my-org
+
+  $ flowcore iam get user-policies "auth0|abc123" -j
+
+  $ flowcore iam get user-policies "auth0|abc123" -t my-org -w
+```
+
+_See code: [src/commands/get/user-policies.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/get/user-policies.ts)_
+
+## `iam get user-roles USER_ID`
+
+List all IAM roles assigned to a specific user, optionally scoped to a tenant
+
+```
+USAGE
+  $ iam get user-roles USER_ID [--profile <value>] [-j] [-t <value>] [-w]
+
+ARGUMENTS
+  USER_ID  The user ID to get roles for (e.g. auth0|abc123)
+
+FLAGS
+  -j, --json             Output result as JSON
+  -t, --tenant=<value>   Scope results to a specific tenant (organization slug)
+  -w, --wide             Show additional columns in table output
+      --profile=<value>  Specify the configuration profile to use
+
+DESCRIPTION
+  List all IAM roles assigned to a specific user, optionally scoped to a tenant
+
+EXAMPLES
+  $ flowcore iam get user-roles "auth0|abc123" -t my-org
+
+  $ flowcore iam get user-roles "auth0|abc123" -j
+
+  $ flowcore iam get user-roles "auth0|abc123" -t my-org -w
+```
+
+_See code: [src/commands/get/user-roles.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/get/user-roles.ts)_
+
+## `iam unassign policy POLICY_NAME`
+
+Remove an IAM policy assignment from a user, API key, or role. Exactly one of --user, --key, or --role must be specified
+
+```
+USAGE
+  $ iam unassign policy POLICY_NAME -t <value> [--profile <value>] [-j] [--key <value> | --user <value> | --role
+    <value>] [-y]
+
+ARGUMENTS
+  POLICY_NAME  The name of the policy to unassign
+
+FLAGS
+  -j, --json             Output result as JSON
+  -t, --tenant=<value>   (required) The tenant (organization slug) containing the policy
+  -y, --yes              Skip confirmation prompt
+      --key=<value>      The API key ID to unassign the policy from
+      --profile=<value>  Specify the configuration profile to use
+      --role=<value>     The role name to unassign the policy from
+      --user=<value>     The user ID to unassign the policy from
+
+DESCRIPTION
+  Remove an IAM policy assignment from a user, API key, or role. Exactly one of --user, --key, or --role must be
+  specified
+
+EXAMPLES
+  $ flowcore iam unassign policy read-access --user "auth0|abc123" -t my-org -y
+
+  $ flowcore iam unassign policy read-access --key "550e8400-e29b-41d4-a716-446655440000" -t my-org -y
+
+  $ flowcore iam unassign policy read-access --role data-reader -t my-org -y
+
+  $ flowcore iam unassign policy read-access --user "auth0|abc123" -t my-org -j -y
+```
+
+_See code: [src/commands/unassign/policy.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/unassign/policy.ts)_
+
+## `iam unassign role ROLE_NAME`
+
+Remove an IAM role assignment from a user or API key. Exactly one of --user or --key must be specified
+
+```
+USAGE
+  $ iam unassign role ROLE_NAME -t <value> [--profile <value>] [-j] [--key <value> | --user <value>] [-y]
+
+ARGUMENTS
+  ROLE_NAME  The name of the role to unassign
+
+FLAGS
+  -j, --json             Output result as JSON
+  -t, --tenant=<value>   (required) The tenant (organization slug) containing the role
+  -y, --yes              Skip confirmation prompt
+      --key=<value>      The API key ID to unassign the role from
+      --profile=<value>  Specify the configuration profile to use
+      --user=<value>     The user ID to unassign the role from
+
+DESCRIPTION
+  Remove an IAM role assignment from a user or API key. Exactly one of --user or --key must be specified
+
+EXAMPLES
+  $ flowcore iam unassign role data-reader --user "auth0|abc123" -t my-org -y
+
+  $ flowcore iam unassign role data-reader --key "550e8400-e29b-41d4-a716-446655440000" -t my-org -y
+
+  $ flowcore iam unassign role data-reader --user "auth0|abc123" -t my-org -j -y
+```
+
+_See code: [src/commands/unassign/role.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/unassign/role.ts)_
+
+## `iam validate key KEY_ID`
+
+Validate whether an API key has permission to perform an action on one or more resources
+
+```
+USAGE
+  $ iam validate key KEY_ID --action <value> --resource <value>... -t <value> [--profile <value>] [-j]
+
+ARGUMENTS
+  KEY_ID  The API key ID to validate access for
+
+FLAGS
+  -j, --json                 Output result as JSON
+  -t, --tenant=<value>       (required) The tenant (organization slug) to validate within
+      --action=<value>       (required) The action to validate (e.g. read, write, ingest, fetch)
+      --profile=<value>      Specify the configuration profile to use
+      --resource=<value>...  (required) The resource FRN to validate against (can be specified multiple times)
+
+DESCRIPTION
+  Validate whether an API key has permission to perform an action on one or more resources
+
+EXAMPLES
+  $ flowcore iam validate key "550e8400-e29b-41d4-a716-446655440000" -t my-org --action ingest --resource "frn::my-org:event-type/*"
+
+  $ flowcore iam validate key "550e8400-e29b-41d4-a716-446655440000" -t my-org --action read --resource "frn::my-org:data-core/my-core" -j
+
+  $ flowcore iam validate key "550e8400-e29b-41d4-a716-446655440000" -t my-org --action read --resource "frn::my-org:data-core/core1" --resource "frn::my-org:data-core/core2"
+```
+
+_See code: [src/commands/validate/key.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/validate/key.ts)_
+
+## `iam validate user USER_ID`
+
+Validate whether a user has permission to perform an action on one or more resources
+
+```
+USAGE
+  $ iam validate user USER_ID --action <value> --resource <value>... -t <value> [--profile <value>] [-j]
+
+ARGUMENTS
+  USER_ID  The user ID to validate access for (e.g. auth0|abc123)
+
+FLAGS
+  -j, --json                 Output result as JSON
+  -t, --tenant=<value>       (required) The tenant (organization slug) to validate within
+      --action=<value>       (required) The action to validate (e.g. read, write, ingest, fetch)
+      --profile=<value>      Specify the configuration profile to use
+      --resource=<value>...  (required) The resource FRN to validate against (can be specified multiple times)
+
+DESCRIPTION
+  Validate whether a user has permission to perform an action on one or more resources
+
+EXAMPLES
+  $ flowcore iam validate user "auth0|abc123" -t my-org --action read --resource "frn::my-org:data-core/my-core"
+
+  $ flowcore iam validate user "auth0|abc123" -t my-org --action write --resource "frn::my-org:data-core/*" -j
+
+  $ flowcore iam validate user "auth0|abc123" -t my-org --action read --resource "frn::my-org:data-core/core1" --resource "frn::my-org:data-core/core2"
+```
+
+_See code: [src/commands/validate/user.ts](https://github.com/flowcore-io/cli-plugin-iam/blob/v1.8.0/src/commands/validate/user.ts)_
 <!-- commandsstop -->

package/bin/dev.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env -S node --loader ts-node/esm --no-warnings=ExperimentalWarning
 
-import {execute} from '@oclif/core'
+import { execute } from "@oclif/core"
 
-await execute({development: true, dir: import.meta.url})
+await execute({ development: true, dir: import.meta.url })

package/bin/run.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
 
-import {execute} from '@oclif/core'
+import { execute } from "@oclif/core"
 
-await execute({dir: import.meta.url})
+await execute({ dir: import.meta.url })

package/dist/commands/assign/policy.d.ts

@@ -0,0 +1,16 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class AssignPolicy extends BaseCommand<typeof AssignPolicy> {
+    static args: {
+        POLICY_NAME: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        key: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        role: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        user: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/assign/policy.js

@@ -0,0 +1,124 @@
+import { BaseCommand, ValidateLogin } from "@flowcore/cli-plugin-config";
+import { ClientFactory } from "@flowcore/cli-plugin-core";
+import { Args, Flags } from "@oclif/core";
+import { tryit } from "radash";
+import { OrganizationService } from "../../services/organization.service.js";
+import { Api as IamApi } from "../../utils/clients/iam/Api.js";
+import { getErrorMessage } from "../../utils/error-message.util.js";
+export default class AssignPolicy extends BaseCommand {
+    static args = {
+        POLICY_NAME: Args.string({
+            description: "The name of the policy to assign",
+            required: true,
+        }),
+    };
+    static description = "Assign an IAM policy to a user, API key, or role. Exactly one of --user, --key, or --role must be specified";
+    static examples = [
+        `$ flowcore iam assign policy read-access --user "auth0|abc123" -t my-org`,
+        `$ flowcore iam assign policy read-access --key "550e8400-e29b-41d4-a716-446655440000" -t my-org`,
+        "$ flowcore iam assign policy read-access --role data-reader -t my-org",
+        `$ flowcore iam assign policy read-access --user "auth0|abc123" -t my-org -j`,
+    ];
+    static flags = {
+        json: Flags.boolean({
+            char: "j",
+            description: "Output result as JSON",
+            required: false,
+        }),
+        key: Flags.string({
+            description: "The API key ID to assign the policy to",
+            exclusive: ["user", "role"],
+            required: false,
+        }),
+        role: Flags.string({
+            description: "The role name to assign the policy to",
+            exclusive: ["user", "key"],
+            required: false,
+        }),
+        tenant: Flags.string({
+            char: "t",
+            description: "The tenant (organization slug) containing the policy",
+            required: true,
+        }),
+        user: Flags.string({
+            description: "The user ID to assign the policy to",
+            exclusive: ["key", "role"],
+            required: false,
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(AssignPolicy);
+        if (!flags.user && !flags.key && !flags.role) {
+            this.logger.fatal("Exactly one of --user, --key, or --role is required");
+        }
+        const graphqlClient = await ClientFactory.create(this.cliConfiguration, this.logger, flags.json);
+        const organizationService = new OrganizationService(graphqlClient);
+        const organizations = await organizationService.getMyOrganizations();
+        const iamClient = new IamApi();
+        const config = this.cliConfiguration.getConfig();
+        const login = new ValidateLogin(config.login.url);
+        await login.validate(config, this.cliConfiguration, !flags.json);
+        const { auth } = config;
+        if (!auth?.accessToken) {
+            this.logger.fatal("Not logged in, run 'flowcore login'");
+        }
+        const organization = organizations.me.organizations.find((org) => org.organization.org === flags.tenant);
+        if (!organization) {
+            this.logger.fatal(`Organization ${flags.tenant} not found, or you are not a member`);
+        }
+        const authHeaders = {
+            headers: { Authorization: `Bearer ${auth?.accessToken}` },
+        };
+        // Resolve policy name to ID
+        const [policiesErr, policies] = await tryit(iamClient.getApiV1PolicyAssociationsOrganizationByOrganizationId)(organization.organization.id, authHeaders);
+        if (policiesErr) {
+            this.logger.fatal(`Failed to get policies: ${policiesErr.message}`);
+        }
+        const policy = policies.data.find((p) => p.name === args.POLICY_NAME);
+        if (!policy) {
+            this.logger.fatal(`Policy "${args.POLICY_NAME}" not found in tenant: ${flags.tenant}`);
+        }
+        let result;
+        if (flags.user) {
+            const [err, response] = await tryit(iamClient.postApiV1PolicyAssociationsUserByUserId)(flags.user, { policyId: policy.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to assign policy to user: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        else if (flags.key) {
+            const [err, response] = await tryit(iamClient.postApiV1PolicyAssociationsKeyByKeyId)(flags.key, { policyId: policy.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to assign policy to key: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        else if (flags.role) {
+            // Resolve role name to ID
+            const [rolesErr, roles] = await tryit(iamClient.getApiV1RoleAssociationsOrganizationByOrganizationId)(organization.organization.id, authHeaders);
+            if (rolesErr) {
+                this.logger.fatal(`Failed to get roles: ${rolesErr.message}`);
+            }
+            const role = roles.data.find((r) => r.name === flags.role);
+            if (!role) {
+                this.logger.fatal(`Role "${flags.role}" not found in tenant: ${flags.tenant}`);
+            }
+            const [err, response] = await tryit(iamClient.postApiV1PolicyAssociationsRoleByRoleId)(role.id, { policyId: policy.id }, authHeaders);
+            if (err) {
+                this.logger.fatal(`Failed to assign policy to role: ${getErrorMessage(err)}`);
+            }
+            result = response.data;
+        }
+        if (flags.json) {
+            console.log(JSON.stringify(result, null, 2));
+        }
+        else {
+            const target = flags.user
+                ? `user ${flags.user}`
+                : flags.key
+                    ? `key ${flags.key}`
+                    : `role ${flags.role}`;
+            this.logger.info(`Policy "${args.POLICY_NAME}" assigned to ${target}`);
+        }
+    }
+}

package/dist/commands/assign/role.d.ts

@@ -0,0 +1,15 @@
+import { BaseCommand } from "@flowcore/cli-plugin-config";
+export default class AssignRole extends BaseCommand<typeof AssignRole> {
+    static args: {
+        ROLE_NAME: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        key: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        tenant: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        user: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}