chore: add possible roles for SAs and expand fixtures covering all roles

Author: mbevc1

cmd/kosli/root.go

@@ -94,6 +94,11 @@ The ^.kosli_ignore^ will be treated as part of the artifact like any other file,
 	// the server is the authority on which types are actually accepted
 	validEnvTypesList = "K8S, ECS, S3, lambda, server, docker, azure-apps, cloud-run, logical"
 
+	// single source of truth for the service account privilege list shown in
+	// flag help texts; the server is the authority on which privileges are
+	// actually accepted
+	validServiceAccountPrivilegesList = "admin, member, snapshotter, reader"
+
 	// flags
 	apiTokenFlag                    = "The Kosli API token."
 	artifactName                    = "[optional] Artifact display name, if different from file, image or directory name."
@@ -121,7 +126,7 @@ The ^.kosli_ignore^ will be treated as part of the artifact like any other file,
 	ignoreCaseFlag                  = "[optional] Perform case-insensitive matching for --name. By default matching is case sensitive."
 	serviceAccountNameFlag          = "The name of the service account whose API keys are managed."
 	serviceAccountDescriptionFlag   = "[optional] A description for the service account."
-	serviceAccountPrivilegeFlag     = "The privilege granted to the service account."
+	serviceAccountPrivilegeFlag     = "The privilege granted to the service account. One of: [" + validServiceAccountPrivilegesList + "]."
 	serviceAccountAssumeYesFlag     = "[optional] Skip the confirmation prompt and delete the service account without asking. (alias: --yes)"
 	apiKeyDescriptionFlag           = "A description for the API key."
 	apiKeyExpiresAtFlag             = "[optional] When the API key expires. Accepts an epoch timestamp or a date like '2026-06-04', '2026-06-04 15:04:05', or an RFC3339 timestamp. Defaults to no expiry."

cmd/kosli/serviceAccount_test.go

@@ -47,14 +47,23 @@ func TestPrintServiceAccountAsTableEmptyDescription(t *testing.T) {
 
 func TestPrintServiceAccountsListAsTable(t *testing.T) {
 	raw := `[{"name":"ci-bot","description":"first","privilege":"member","created_at":1780584129.5},` +
-		`{"name":"deployer","description":"","privilege":"admin","created_at":1780584130.5}]`
+		`{"name":"deployer","description":"","privilege":"admin","created_at":1780584130.5},` +
+		`{"name":"snapshot-bot","description":"snaps","privilege":"snapshotter","created_at":1780584131.5},` +
+		`{"name":"auditor","description":"ro","privilege":"reader","created_at":1780584132.5}]`
 
 	var buf bytes.Buffer
 	err := printServiceAccountsListAsTable(raw, &buf, 0)
 	require.NoError(t, err)
 
 	out := buf.String()
-	for _, want := range []string{"NAME", "DESCRIPTION", "PRIVILEGE", "CREATED", "ci-bot", "first", "deployer", "admin"} {
+	// every privilege must render in the PRIVILEGE column
+	for _, want := range []string{
+		"NAME", "DESCRIPTION", "PRIVILEGE", "CREATED",
+		"ci-bot", "first", "member",
+		"deployer", "admin",
+		"snapshot-bot", "snapshotter",
+		"auditor", "reader",
+	} {
 		require.Contains(t, out, want)
 	}
 	// the deployer's empty description must render as N/A, not blank
@@ -90,6 +99,18 @@ func (suite *ServiceAccountCommandTestSuite) TestCreateServiceAccountCmd() {
 			cmd:         "create sa ci-bot --privilege member --dry-run" + suite.defaultKosliArguments,
 			goldenRegex: `service-accounts/docs-cmd-test-user`,
 		},
+		{
+			wantError:   false,
+			name:        "the snapshotter privilege passes through to the payload (dry-run)",
+			cmd:         "create service-account snapshot-bot --privilege snapshotter --dry-run" + suite.defaultKosliArguments,
+			goldenRegex: `(?s)service-accounts/docs-cmd-test-user.*"privilege": "snapshotter"`,
+		},
+		{
+			wantError:   false,
+			name:        "the reader privilege passes through to the payload (dry-run)",
+			cmd:         "create service-account auditor --privilege reader --dry-run" + suite.defaultKosliArguments,
+			goldenRegex: `(?s)service-accounts/docs-cmd-test-user.*"privilege": "reader"`,
+		},
 		{
 			wantError: true,
 			name:      "create fails when NAME argument is missing",
@@ -220,9 +241,9 @@ func (suite *ServiceAccountCommandTestSuite) TestServiceAccountSuccessOutput() {
 		},
 		{
 			wantError:   false,
-			name:        "list prints the returned service accounts",
-			cmd:         "list service-accounts --output json" + args,
-			goldenRegex: `(?s)ci-bot.*deployer`,
+			name:        "list prints the returned service accounts across all privileges",
+			cmd:         "list service-accounts" + args,
+			goldenRegex: `(?s)ci-bot.*member.*deployer.*admin.*snapshot-bot.*snapshotter.*auditor.*reader`,
 		},
 		{
 			wantError:   false,

cmd/kosli/testdata/service-account/README.md

@@ -20,7 +20,7 @@ response contract lives in one place.
 | Fixture | Endpoint / response |
 |---------|---------------------|
 | `created_service_account.json` | `POST /service-accounts/{org}` → `201` (create) |
-| `listed_service_accounts.json` | `GET /service-accounts/{org}` → `200` (list) |
+| `listed_service_accounts.json` | `GET /service-accounts/{org}` → `200` (list; one account per privilege: member, admin, snapshotter, reader) |
 | `service_account.json` | `GET /service-accounts/{org}/{name}` → `200` (get) |
 | `updated_service_account.json` | `PATCH /service-accounts/{org}/{name}` → `200` (update) |
 | `delete_success.json` | `DELETE /service-accounts/{org}/{name}` → `200` (bare `"OK"`) |

cmd/kosli/testdata/service-account/listed_service_accounts.json

@@ -1 +1 @@
-[{"name":"ci-bot","description":"CI service account","privilege":"member","created_at":1780584129.5},{"name":"deployer","description":"","privilege":"admin","created_at":1780584130.5}]
+[{"name":"ci-bot","description":"CI service account","privilege":"member","created_at":1780584129.5},{"name":"deployer","description":"","privilege":"admin","created_at":1780584130.5},{"name":"snapshot-bot","description":"reports env snapshots","privilege":"snapshotter","created_at":1780584131.5},{"name":"auditor","description":"read-only access","privilege":"reader","created_at":1780584132.5}]