@tigrisdata/cli 2.4.0 → 2.5.0

package/dist/lib/whoami.js

@@ -1,3 +1,3 @@
-import{listOrganizations as ue}from"@tigrisdata/iam";import w from"axios";import Z from"open";function f(){return{domain:process.env.AUTH0_DOMAIN||"auth.tigris.dev",clientId:process.env.AUTH0_CLIENT_ID||"DMejqeM3CQ4IqTjEcd3oA9eEiT40hn8D",audience:process.env.AUTH0_AUDIENCE||"https://tigris-os-api"}}var E=process.env.TIGRIS_CLAIMS_NAMESPACE||"https://tigris";function z(){return{endpoint:process.env.TIGRIS_STORAGE_ENDPOINT||"https://t3.storage.dev",iamEndpoint:process.env.TIGRIS_IAM_ENDPOINT||"https://iam.storageapi.dev"}}import{homedir as J}from"os";import{join as N}from"path";import{readFileSync as Y,writeFileSync as B,existsSync as b,mkdirSync as W}from"fs";import{chmod as Q}from"fs/promises";var A=N(J(),".tigris"),m=N(A,"config.json");function X(){b(A)||W(A,{recursive:!0,mode:448})}function c(){if(b(m))try{let t=Y(m,"utf8");return JSON.parse(t)}catch{return{}}return{}}async function h(t){X(),B(m,JSON.stringify(t,null,2),{mode:384});try{await Q(m,384)}catch{}}async function S(t){let e=c();e.tokens=t,await h(e)}async function d(){return c().tokens||null}async function x(){let t=c();delete t.tokens,await h(t)}async function D(t){let e=c();e.organizations=t,await h(e)}function $(){return c().organizations||[]}function l(){return c().selectedOrganization||null}function C(){let t=c();return t.temporaryCredentials||t.credentials||null}async function K(t){let e=c();e.loginMethod=t,await h(e)}function y(){return c().loginMethod||null}var _=class{config;baseUrl;constructor(){this.config=f(),this.baseUrl=`https://${this.config.domain}`}async login(e){let o=(await w.post(`${this.baseUrl}/oauth/device/code`,{client_id:this.config.clientId,audience:this.config.audience,scope:"openid profile email offline_access"},{headers:{"Content-Type":"application/x-www-form-urlencoded"}})).data;e?.onDeviceCode?.(o.user_code,o.verification_uri),await this.sleep(2e3);try{await Z(o.verification_uri_complete)}catch{}e?.onWaiting?.();let i=await this.pollForToken(o.device_code,o.interval||5);await S(i),K("oauth"),await this.extractAndStoreOrganizations(i.idToken)}async pollForToken(e,n){let i=0;for(;i<60;){i++;try{let r=(await w.post(`${this.baseUrl}/oauth/token`,{client_id:this.config.clientId,device_code:e,grant_type:"urn:ietf:params:oauth:grant-type:device_code"},{headers:{"Content-Type":"application/x-www-form-urlencoded"}})).data,a=Date.now()+(r.expires_in||3600)*1e3;return{accessToken:r.access_token,refreshToken:r.refresh_token,idToken:r.id_token,expiresAt:a}}catch(s){if(w.isAxiosError(s)&&s.response){let r=s.response.data?.error;if(r==="authorization_pending"){await this.sleep(n*1e3);continue}if(r==="slow_down"){n+=5,await this.sleep(n*1e3);continue}throw new Error(s.response.data?.error_description||"Authentication failed")}throw s}}throw new Error("Authentication timed out. Please try again.")}async getAccessToken(){let e=await d();if(!e)throw new Error('Not authenticated. Please run "tigris login" to authenticate.');let n=300*1e3;return Date.now()+n>=e.expiresAt&&(e=await this.refreshAccessToken(e)),e.accessToken}async refreshAccessToken(e){let n=null;if(e?.refreshToken?n=e:n=await d(),!n)throw new Error('No refresh token available. Please run "tigris login" to re-authenticate.');try{let i=(await w.post(`${this.baseUrl}/oauth/token`,{client_id:this.config.clientId,grant_type:"refresh_token",refresh_token:n.refreshToken,scope:"openid profile email offline_access"},{headers:{"Content-Type":"application/x-www-form-urlencoded"}})).data,s={accessToken:i.access_token,refreshToken:i.refresh_token||n.refreshToken,idToken:i.id_token||n.idToken,expiresAt:Date.now()+(i.expires_in||3600)*1e3};return await S(s),s}catch{throw await x(),new Error('Token refresh failed. Please run "tigris login" to re-authenticate.')}}async getIdTokenClaims(){let e=await d();if(!e||!e.idToken)throw new Error('Not authenticated. Please run "tigris login" to authenticate.');try{let n=e.idToken.split(".")[1],o=Buffer.from(n,"base64").toString("utf8");return JSON.parse(o)}catch{throw new Error("Failed to decode ID token")}}async extractAndStoreOrganizations(e){if(e)try{let n=e.split(".")[1],o=Buffer.from(n,"base64").toString("utf8"),s=JSON.parse(o)[E];if(!s)return;let r=s?.ns?.map(a=>typeof a=="object"&&a!==null?{id:a.id,name:a.name,displayName:a.name}:{id:a,name:a,displayName:a})||[];if(r.length===0)return;D(r)}catch{}}async getOrganizations(){return await this.getAccessToken(),$()}async logout(){await x()}async isAuthenticated(){return await d()!==null}sleep(e){return new Promise(n=>setTimeout(n,e))}},v=null;function T(){return v||(v=new _),v}import{S3Client as _e}from"@aws-sdk/client-s3";var L=z(),ee=f();async function te(){return y()}async function R(){if(await te()==="oauth"){let o=await T().getAccessToken();if(!l())throw new Error('No organization selected. Please run "tigris orgs select" first.');let s=L.endpoint,r=L.iamEndpoint,a=ee.domain;return{sessionToken:o,accessKeyId:"",secretAccessKey:"",endpoint:s,organizationId:l()??void 0,iamEndpoint:r,authDomain:a}}let e=C();if(e)return{accessKeyId:e.accessKeyId,secretAccessKey:e.secretAccessKey,endpoint:e.endpoint};throw new Error('Not authenticated. Please run "tigris login" or "tigris configure" first.')}import{readFileSync as ne,existsSync as ie}from"fs";import{join as F,dirname as oe}from"path";import{fileURLToPath as se}from"url";import*as U from"yaml";var re=se(import.meta.url),ae=oe(re),I=null;function ce(){let t=ae;for(let e=0;e<5;e++){let n=F(t,"specs.yaml");if(ie(n))return n;t=F(t,"..")}throw new Error("Could not find specs.yaml")}function ge(){if(!I){let t=ce(),e=ne(t,"utf8");I=U.parse(e)}return I}function j(t,e){let o=ge().commands.find(i=>i.name===t);return o?e&&o.operations?o.operations.find(i=>i.name===e)||null:o:null}var de={success:"\u2714",failure:"\u2716",hint:"\u2192"};function le(){return process.stdout.isTTY===!0}function G(t){let e=j(t.command,t.operation);if(e)return e.messages}function V(t,e){let n=t;return n=n.replace(/\\n/g,`
-`),e&&(n=n.replace(/\{\{(\w+)\}\}/g,(o,i)=>{let s=e[i];return s!==void 0?String(s):`{{${i}}}`})),n}function k(t,e,n){let o=G(t);o?.onFailure&&console.error(`${de.failure} ${V(o.onFailure,n)}`),e&&console.error(`  ${e}`)}function M(t,e){if(!le())return;let n=G(t);n?.onAlreadyDone&&console.log(V(n.onAlreadyDone,e))}function q(t,e){return{command:t,operation:e}}var u=q("whoami");async function pe(){try{let t=y(),e=C(),n,o;if(t==="oauth"){let s=T();if(!await s.isAuthenticated()){M(u);return}let a=await s.getIdTokenClaims();n=a.email,o=a.sub}else if(e)n=void 0,o=e.accessKeyId;else{M(u);return}let i=[];if(i.push(""),i.push("User Information:"),i.push(`   Email: ${n||"N/A"}`),i.push(`   User ID: ${o||"N/A"}`),t==="oauth"){let s=await R(),r=l(),{data:a,error:O}=await ue({config:s});O&&(k(u,O.message),process.exit(1));let p=a?.organizations??[];if(p.length>0){if(i.push(""),i.push(`Organizations (${p.length}):`),p.forEach(g=>{let H=g.id===r?">":" ";i.push(`   ${H} ${g.name} (${g.id})`)}),r){let g=p.find(P=>P.id===r);g&&(i.push(""),i.push(`Active: ${g.name}`))}}else i.push(""),i.push("Organizations: None")}else i.push(""),i.push("Login method: Access Key Credentials"),i.push("   (Organization listing requires OAuth login: tigris login)");i.push(""),console.log(i.join(`
-`))}catch(t){t instanceof Error?k(u,t.message):k(u),process.exit(1)}}export{pe as default};
+import{listOrganizations as Ae}from"@tigrisdata/iam";import S from"axios";import re from"open";var d="https://t3.storage.dev",E="https://iam.storageapi.dev";function h(){let n=process.env.TIGRIS_ENV==="development",e=process.env.AUTH0_DOMAIN||n?"auth-dev.tigris.dev":"auth.tigris.dev",t=process.env.AUTH0_CLIENT_ID||n?"JdJVYIyw0O1uHi5L5OJH903qaWBgd3gF":"DMejqeM3CQ4IqTjEcd3oA9eEiT40hn8D",o=process.env.AUTH0_AUDIENCE||n?"https://tigris-api-dev":"https://tigris-os-api";return{domain:e,clientId:t,audience:o}}var b=process.env.TIGRIS_CLAIMS_NAMESPACE||"https://tigris";function L(){return process.env.TIGRIS_STORAGE_ENDPOINT||process.env.TIGRIS_IAM_ENDPOINT?{endpoint:process.env.TIGRIS_STORAGE_ENDPOINT||d,iamEndpoint:process.env.TIGRIS_IAM_ENDPOINT||E}:{endpoint:process.env.AWS_ENDPOINT_URL_S3||d,iamEndpoint:process.env.AWS_ENDPOINT_URL_IAM||E}}import{homedir as G}from"os";import{join as g}from"path";import{readFileSync as ee,writeFileSync as ne,existsSync as C,mkdirSync as te}from"fs";import{loadSharedConfigFiles as ie}from"@smithy/shared-ini-file-loader";import{chmod as oe}from"fs/promises";var v=g(G(),".tigris"),y=g(v,"config.json");function se(){C(v)||te(v,{recursive:!0,mode:448})}function c(){if(C(y))try{let n=ee(y,"utf8");return JSON.parse(n)}catch{return{}}return{}}async function T(n){se(),ne(y,JSON.stringify(n,null,2),{mode:384});try{await oe(y,384)}catch{}}async function x(n){let e=c();e.tokens=n,await T(e)}async function p(){return c().tokens||null}async function k(){let n=c();delete n.tokens,await T(n)}async function F(n){let e=c();e.organizations=n,await T(e)}function U(){return c().organizations||[]}function u(){return c().selectedOrganization||null}function O(){if(process.env.TIGRIS_STORAGE_ACCESS_KEY_ID||process.env.TIGRIS_STORAGE_SECRET_ACCESS_KEY){let o=process.env.TIGRIS_STORAGE_ACCESS_KEY_ID,i=process.env.TIGRIS_STORAGE_SECRET_ACCESS_KEY;if(!o||!i)return null;let s=process.env.TIGRIS_STORAGE_ENDPOINT||d;return{accessKeyId:o,secretAccessKey:i,endpoint:s}}let n=process.env.AWS_ACCESS_KEY_ID,e=process.env.AWS_SECRET_ACCESS_KEY;if(!n||!e)return null;let t=process.env.AWS_ENDPOINT_URL_S3||d;return{accessKeyId:n,secretAccessKey:e,endpoint:t}}function $(){if(!process.env.AWS_PROFILE)return!1;let n=g(G(),".aws");return C(g(n,"credentials"))||C(g(n,"config"))}async function j(n){try{let{configFile:e}=await ie(),t=e[n];return t?{endpoint:t.endpoint_url_s3||t.endpoint_url,iamEndpoint:t.endpoint_url_iam,region:t.region}:{}}catch{return{}}}function W(){let n=c();return O()||n.temporaryCredentials||n.credentials||null}function P(){let n=c();return n.temporaryCredentials||n.credentials||null}async function Y(n){let e=c();e.loginMethod=n,await T(e)}function A(){return c().loginMethod||null}var M=class{config;baseUrl;constructor(){this.config=h(),this.baseUrl=`https://${this.config.domain}`}async login(e){let o=(await S.post(`${this.baseUrl}/oauth/device/code`,{client_id:this.config.clientId,audience:this.config.audience,scope:"openid profile email offline_access"},{headers:{"Content-Type":"application/x-www-form-urlencoded"}})).data;e?.onDeviceCode?.(o.user_code,o.verification_uri),await this.sleep(2e3);try{await re(o.verification_uri_complete)}catch{}e?.onWaiting?.();let i=await this.pollForToken(o.device_code,o.interval||5);await x(i),Y("oauth"),await this.extractAndStoreOrganizations(i.idToken)}async pollForToken(e,t){let i=0;for(;i<60;){i++;try{let r=(await S.post(`${this.baseUrl}/oauth/token`,{client_id:this.config.clientId,device_code:e,grant_type:"urn:ietf:params:oauth:grant-type:device_code"},{headers:{"Content-Type":"application/x-www-form-urlencoded"}})).data,a=Date.now()+(r.expires_in||3600)*1e3;return{accessToken:r.access_token,refreshToken:r.refresh_token,idToken:r.id_token,expiresAt:a}}catch(s){if(S.isAxiosError(s)&&s.response){let r=s.response.data?.error;if(r==="authorization_pending"){await this.sleep(t*1e3);continue}if(r==="slow_down"){t+=5,await this.sleep(t*1e3);continue}throw new Error(s.response.data?.error_description||"Authentication failed")}throw s}}throw new Error("Authentication timed out. Please try again.")}async getAccessToken(){let e=await p();if(!e)throw new Error('Not authenticated. Please run "tigris login" to authenticate.');let t=300*1e3;return Date.now()+t>=e.expiresAt&&(e=await this.refreshAccessToken(e)),e.accessToken}async refreshAccessToken(e){let t=null;if(e?.refreshToken?t=e:t=await p(),!t)throw new Error('No refresh token available. Please run "tigris login" to re-authenticate.');try{let i=(await S.post(`${this.baseUrl}/oauth/token`,{client_id:this.config.clientId,grant_type:"refresh_token",refresh_token:t.refreshToken,scope:"openid profile email offline_access"},{headers:{"Content-Type":"application/x-www-form-urlencoded"}})).data,s={accessToken:i.access_token,refreshToken:i.refresh_token||t.refreshToken,idToken:i.id_token||t.idToken,expiresAt:Date.now()+(i.expires_in||3600)*1e3};return await x(s),s}catch{throw await k(),new Error('Token refresh failed. Please run "tigris login" to re-authenticate.')}}async getIdTokenClaims(){let e=await p();if(!e||!e.idToken)throw new Error('Not authenticated. Please run "tigris login" to authenticate.');try{let t=e.idToken.split(".")[1],o=Buffer.from(t,"base64").toString("utf8");return JSON.parse(o)}catch{throw new Error("Failed to decode ID token")}}async extractAndStoreOrganizations(e){if(e)try{let t=e.split(".")[1],o=Buffer.from(t,"base64").toString("utf8"),s=JSON.parse(o)[b];if(!s)return;let r=s?.ns?.map(a=>typeof a=="object"&&a!==null?{id:a.id,name:a.name,displayName:a.name}:{id:a,name:a,displayName:a})||[];if(r.length===0)return;F(r)}catch{}}async getOrganizations(){return await this.getAccessToken(),U()}async logout(){await k()}async isAuthenticated(){return await p()!==null}sleep(e){return new Promise(t=>setTimeout(t,e))}},N=null;function _(){return N||(N=new M),N}import{S3Client as Le}from"@aws-sdk/client-s3";import{fromIni as ae}from"@aws-sdk/credential-providers";var w=L(),ce=h();async function de(){return A()}async function V(){if($()){let o=process.env.AWS_PROFILE||"default",i=await j(o),s=await ae({profile:o})();return{accessKeyId:s.accessKeyId,secretAccessKey:s.secretAccessKey,endpoint:i.endpoint||w.endpoint||d,iamEndpoint:i.iamEndpoint||w.iamEndpoint}}let n=await de();if(n==="oauth"){let i=await _().getAccessToken();if(!u())throw new Error('No organization selected. Please run "tigris orgs select" first.');return{sessionToken:i,accessKeyId:"",secretAccessKey:"",endpoint:w.endpoint,organizationId:u()??void 0,iamEndpoint:w.iamEndpoint,authDomain:ce.domain}}if(n==="credentials"){let o=P();if(o)return{accessKeyId:o.accessKeyId,secretAccessKey:o.secretAccessKey,endpoint:o.endpoint}}let e=O();if(e)return{accessKeyId:e.accessKeyId,secretAccessKey:e.secretAccessKey,endpoint:e.endpoint};let t=P();if(t)return{accessKeyId:t.accessKeyId,secretAccessKey:t.secretAccessKey,endpoint:t.endpoint};throw new Error('Not authenticated. Please run "tigris login" or "tigris configure" first.')}import{readFileSync as le,existsSync as ge}from"fs";import{join as q,dirname as pe}from"path";import{fileURLToPath as ue}from"url";import*as H from"yaml";var fe=ue(import.meta.url),me=pe(fe),D=null;function he(){let n=me;for(let e=0;e<5;e++){let t=q(n,"specs.yaml");if(ge(t))return t;n=q(n,"..")}throw new Error("Could not find specs.yaml")}function Ce(){if(!D){let n=he(),e=le(n,"utf8");D=H.parse(e)}return D}function J(n,e){let o=Ce().commands.find(i=>i.name===n);return o?e&&o.operations?o.operations.find(i=>i.name===e)||null:o:null}var ye={success:"\u2714",failure:"\u2716",hint:"\u2192"};function Te(){return process.stdout.isTTY===!0}function B(n){let e=J(n.command,n.operation);if(e)return e.messages}function Q(n,e){let t=n;return t=t.replace(/\\n/g,`
+`),e&&(t=t.replace(/\{\{(\w+)\}\}/g,(o,i)=>{let s=e[i];return s!==void 0?String(s):`{{${i}}}`})),t}function I(n,e,t){let o=B(n);o?.onFailure&&console.error(`${ye.failure} ${Q(o.onFailure,t)}`),e&&console.error(`  ${e}`)}function K(n,e){if(!Te())return;let t=B(n);t?.onAlreadyDone&&console.log(Q(t.onAlreadyDone,e))}function X(n,e){return{command:n,operation:e}}var f=X("whoami");async function Se(){try{let n=A(),e=W(),t,o;if(n==="oauth"){let s=_();if(!await s.isAuthenticated()){K(f);return}let a=await s.getIdTokenClaims();t=a.email,o=a.sub}else if(e)t=void 0,o=e.accessKeyId;else{K(f);return}let i=[];if(i.push(""),i.push("User Information:"),i.push(`   Email: ${t||"N/A"}`),i.push(`   User ID: ${o||"N/A"}`),n==="oauth"){let s=await V(),r=u(),{data:a,error:R}=await Ae({config:s});R&&(I(f,R.message),process.exit(1));let m=a?.organizations??[];if(m.length>0){if(i.push(""),i.push(`Organizations (${m.length}):`),m.forEach(l=>{let Z=l.id===r?">":" ";i.push(`   ${Z} ${l.name} (${l.id})`)}),r){let l=m.find(z=>z.id===r);l&&(i.push(""),i.push(`Active: ${l.name}`))}}else i.push(""),i.push("Organizations: None")}else i.push(""),i.push("Login method: Access Key Credentials"),i.push("   (Organization listing requires OAuth login: tigris login)");i.push(""),console.log(i.join(`
+`))}catch(n){n instanceof Error?I(f,n.message):I(f),process.exit(1)}}export{Se as default};

package/dist/specs.yaml

@@ -79,7 +79,7 @@ commands:
   #########################
   # configure
   - name: configure
-    description: Save credentials permanently. After running this, all commands work automatically
+    description: Save credentials permanently. After running this, all commands uses these credentials.
     alias: c
     messages:
       onStart: 'Saving credentials...'
@@ -189,84 +189,6 @@ commands:
             alias: b
             required: false
 
-  # access-keys
-  - name: access-keys
-    description: Manage access keys
-    alias: keys
-    operations:
-      - name: list
-        description: List all access keys
-        alias: l
-        messages:
-          onStart: ''
-          onSuccess: ''
-          onFailure: 'Failed to list access keys'
-          onEmpty: 'No access keys found'
-      - name: create
-        description: Create a new access key
-        alias: c
-        messages:
-          onStart: 'Creating access key...'
-          onSuccess: 'Access key created'
-          onFailure: 'Failed to create access key'
-        arguments:
-          - name: name
-            description: Name for the access key
-            type: positional
-            required: true
-      - name: delete
-        description: Delete an access key
-        alias: d
-        messages:
-          onStart: 'Deleting access key...'
-          onSuccess: 'Access key deleted'
-          onFailure: 'Failed to delete access key'
-        arguments:
-          - name: id
-            description: Access key ID
-            type: positional
-            required: true
-      - name: get
-        description: Get details of an access key
-        alias: g
-        messages:
-          onStart: ''
-          onSuccess: ''
-          onFailure: 'Failed to get access key'
-        arguments:
-          - name: id
-            description: Access key ID
-            type: positional
-            required: true
-      - name: assign
-        description: Assign bucket roles to an access key
-        alias: a
-        messages:
-          onStart: 'Assigning bucket roles...'
-          onSuccess: 'Bucket roles assigned'
-          onFailure: 'Failed to assign bucket roles'
-        arguments:
-          - name: id
-            description: Access key ID
-            type: positional
-            required: true
-          - name: bucket
-            alias: b
-            description: Bucket name (can specify multiple)
-            multiple: true
-          - name: role
-            alias: r
-            description: Role to assign (can specify multiple to pair with buckets)
-            multiple: true
-            options:
-              - Editor
-              - ReadOnly
-          - name: admin
-            description: Grant admin access to all buckets in the organization
-            type: flag
-          - name: revoke-roles
-            description: Revoke all bucket roles from the access key
-            type: flag
 
   #########################
   # Unix style commands
@@ -426,6 +348,8 @@ commands:
             type: positional
             required: true
             description: Name of the organization
+            examples:
+              - my-organization
       - name: select
         description: Select the organization to use
         alias: s
@@ -438,6 +362,8 @@ commands:
             type: positional
             required: true
             description: Name of the organization
+            examples:
+              - my-organization
 
   #########################
   # Manage buckets
@@ -464,7 +390,7 @@ commands:
       # create
       - name: create
         description: Create bucket
-        alias: [c]
+        alias: c
         messages:
           onStart: 'Creating bucket...'
           onSuccess: "Bucket '{{name}}' created successfully"
@@ -474,6 +400,8 @@ commands:
             description: Name of the bucket
             type: positional
             required: false
+            examples:
+              - my-bucket
           - name: access
             description: Access level
             alias: a
@@ -512,6 +440,8 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
       # delete
       - name: delete
         description: Delete bucket
@@ -526,6 +456,8 @@ commands:
             type: positional
             required: true
             multiple: true
+            examples:
+              - my-bucket
       # set
       - name: set
         description: Update bucket settings
@@ -539,6 +471,8 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: access
             description: Bucket access level
             options: *access_options
@@ -581,6 +515,8 @@ commands:
             description: Name of the source bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: format
             description: Output format
             alias: f
@@ -599,10 +535,14 @@ commands:
             description: Name of the source bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: fork-name
             description: Name for the new fork
             type: positional
             required: true
+            examples:
+              - my-fork
           - name: snapshot
             description: Create fork from a specific snapshot
             alias: s
@@ -628,6 +568,8 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: format
             description: Output format
             alias: f
@@ -646,10 +588,14 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: snapshot-name
             description: Name of the snapshot (optional)
             type: positional
             required: false
+            examples:
+              - my-snapshot
 
   #########################
   # Manage objects
@@ -672,6 +618,8 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: prefix
             description: Filter objects by prefix
             alias: p
@@ -693,10 +641,14 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: key
             description: Key of the object
             type: positional
             required: true
+            examples:
+              - my-file.txt
           - name: output
             description: Output file path (if not specified, prints to stdout)
             alias: o
@@ -717,14 +669,20 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: key
             description: Key for the object
             type: positional
             required: true
+            examples:
+              - my-file.txt
           - name: file
             description: Path to the file to upload
             type: positional
             required: true
+            examples:
+              - ./my-file.txt
           - name: access
             description: Access level
             alias: a
@@ -751,8 +709,101 @@ commands:
             description: Name of the bucket
             type: positional
             required: true
+            examples:
+              - my-bucket
           - name: key
             description: Key of the object (comma separated for multiple)
             type: positional
             required: true
             multiple: true
+            examples:
+              - my-file.txt
+
+  #########################
+  # Manage access keys
+  #########################
+  - name: access-keys
+    description: Manage access keys
+    alias: keys
+    operations:
+      - name: list
+        description: List all access keys
+        alias: l
+        messages:
+          onStart: ''
+          onSuccess: ''
+          onFailure: 'Failed to list access keys'
+          onEmpty: 'No access keys found'
+      - name: create
+        description: Create a new access key
+        alias: c
+        messages:
+          onStart: 'Creating access key...'
+          onSuccess: 'Access key created'
+          onFailure: 'Failed to create access key'
+        arguments:
+          - name: name
+            description: Name for the access key
+            type: positional
+            required: true
+            examples:
+              - my-key
+      - name: delete
+        description: Delete an access key
+        alias: d
+        messages:
+          onStart: 'Deleting access key...'
+          onSuccess: 'Access key deleted'
+          onFailure: 'Failed to delete access key'
+        arguments:
+          - name: id
+            description: Access key ID
+            type: positional
+            required: true
+            examples:
+              - tid_AaBbCcDdEeFf
+      - name: get
+        description: Get details of an access key
+        alias: g
+        messages:
+          onStart: ''
+          onSuccess: ''
+          onFailure: 'Failed to get access key'
+        arguments:
+          - name: id
+            description: Access key ID
+            type: positional
+            required: true
+            examples:
+              - tid_AaBbCcDdEeFf
+      - name: assign
+        description: Assign bucket roles to an access key
+        alias: a
+        messages:
+          onStart: 'Assigning bucket roles...'
+          onSuccess: 'Bucket roles assigned'
+          onFailure: 'Failed to assign bucket roles'
+        arguments:
+          - name: id
+            description: Access key ID
+            type: positional
+            required: true
+            examples:
+              - tid_AaBbCcDdEeFf
+          - name: bucket
+            alias: b
+            description: Bucket name (can specify multiple)
+            multiple: true
+          - name: role
+            alias: r
+            description: Role to assign (can specify multiple to pair with buckets)
+            multiple: true
+            options:
+              - Editor
+              - ReadOnly
+          - name: admin
+            description: Grant admin access to all buckets in the organization
+            type: flag
+          - name: revoke-roles
+            description: Revoke all bucket roles from the access key
+            type: flag

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tigrisdata/cli",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "description": "Command line interface for Tigris object storage",
   "type": "module",
   "exports": {
@@ -78,6 +78,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.908.0",
+    "@aws-sdk/credential-providers": "^3.981.0",
+    "@smithy/shared-ini-file-loader": "^4.4.3",
     "@tigrisdata/iam": "^1.1.0",
     "@tigrisdata/storage": "^2.12.0",
     "axios": "^1.12.2",