diff --git a/README.md b/README.md index 8373110..c360e41 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,13 @@ tcld apikey create --name --description --d ``` tcld apikey list ``` + +### List API keys for a specific owner (service account or user): +Note: only Global Admins may list API keys for other users/service accounts. +``` +tcld apikey list --owner-id +``` + ### Delete an API Key: ``` tcld apikey delete --id @@ -75,6 +82,8 @@ tcld apikey enable --id ``` ### Performing an API Key rotation: + +#### Current User Specific Rotation 1. Generate the new API key to rotate to. ``` tcld apikey create --name --description --duration @@ -85,6 +94,17 @@ tcld apikey create --name --description --d tcld apikey delete --id ``` +#### Service Account Specific Rotation +1. Generate the new API key to rotate to. +``` +tcld apikey create --name --description --duration --service-account-id +``` +2. Update temporal clients to use the new API key and monitor deployments to make sure all old API key usage is gone. +3. Delete the old API key. +``` +tcld apikey delete --id +``` + # Namespace Management ### List namespaces user has access to: diff --git a/app/apikey.go b/app/apikey.go index 1511343..1e42956 100644 --- a/app/apikey.go +++ b/app/apikey.go @@ -12,6 +12,10 @@ import ( "github.com/urfave/cli/v2" ) +const ( + ownerIDFlagName = "owner-id" +) + type ( APIKeyClient struct { client authservice.AuthServiceClient @@ -85,12 +89,13 @@ func (s *APIKeyClient) createServiceAccountAPIKey( return PrintProto(resp) } -func (s *APIKeyClient) listAPIKey() error { +func (s *APIKeyClient) listAPIKey(ownerID string) error { totalRes := &authservice.GetAPIKeysResponse{} pageToken := "" for { resp, err := s.client.GetAPIKeys(s.ctx, &authservice.GetAPIKeysRequest{ + OwnerId: ownerID, PageToken: pageToken, }) if err != nil { @@ -258,9 +263,17 @@ func NewAPIKeyCommand(getAPIKeyClientFn GetAPIKeyClientFn) (CommandOut, error) { Name: "list", Usage: "List apikeys", Aliases: []string{"l"}, - Flags: []cli.Flag{}, + Flags: []cli.Flag{ + &cli.StringFlag{ + Name: ownerIDFlagName, + Usage: "The owner id of the API Keys to list", + Aliases: []string{"oid"}, + }, + }, Action: func(ctx *cli.Context) error { - return c.listAPIKey() + return c.listAPIKey( + ctx.String(ownerIDFlagName), + ) }, }, { diff --git a/app/apikey_test.go b/app/apikey_test.go index f24e17e..d1054a3 100644 --- a/app/apikey_test.go +++ b/app/apikey_test.go @@ -87,6 +87,14 @@ func (s *APIKeyTestSuite) TestList() { }, }, nil).Times(1) s.NoError(s.RunCmd("apikey", "list")) + s.mockAuthService.EXPECT().GetAPIKeys(gomock.Any(), gomock.Any()).Return(&authservice.GetAPIKeysResponse{ + ApiKeys: []*auth.APIKey{ + { + Id: "test-apikey-id-1", + }, + }, + }, nil).Times(1) + s.NoError(s.RunCmd("apikey", "list", "--owner-id", "ownerID")) } func (s *APIKeyTestSuite) TestCreate() {