feat: add access key commands for qdrant cloud auth management

Adds `qcloud access key list`, `create`, and `delete` subcommands
for managing Qdrant Cloud auth access keys.

Author: Davidonium

internal/cli/root.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/spf13/cobra"
 
+	"github.com/qdrant/qcloud-cli/internal/cmd/access"
 	"github.com/qdrant/qcloud-cli/internal/cmd/backup"
 	"github.com/qdrant/qcloud-cli/internal/cmd/cloudprovider"
 	"github.com/qdrant/qcloud-cli/internal/cmd/cloudregion"
@@ -65,6 +66,7 @@ Documentation: https://github.com/qdrant/qcloud-cli`,
 	s.Config.BindPFlag(config.KeyEndpoint, cmd.PersistentFlags().Lookup("endpoint"))
 
 	cmd.AddCommand(version.NewCommand(s))
+	cmd.AddCommand(access.NewCommand(s))
 	cmd.AddCommand(cluster.NewCommand(s))
 	cmd.AddCommand(cloudprovider.NewCommand(s))
 	cmd.AddCommand(cloudregion.NewCommand(s))

internal/cmd/access/access.go

@@ -0,0 +1,19 @@
+package access
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+// NewCommand creates the access command group.
+func NewCommand(s *state.State) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "access",
+		Short: "Manage access to Qdrant Cloud",
+		Long:  `Manage access settings for the Qdrant Cloud account.`,
+		Args:  cobra.NoArgs,
+	}
+	cmd.AddCommand(newKeyCommand(s))
+	return cmd
+}

internal/cmd/access/key.go

@@ -0,0 +1,25 @@
+package access
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newKeyCommand(s *state.State) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "key",
+		Short: "Manage cloud management keys",
+		Long: `Manage cloud management keys for the account.
+
+Management keys authenticate requests to the Qdrant Cloud API. Use them to authorize
+the CLI, automation scripts, or any other tooling that calls the Qdrant Cloud API.`,
+		Args: cobra.NoArgs,
+	}
+	cmd.AddCommand(
+		newKeyListCommand(s),
+		newKeyCreateCommand(s),
+		newKeyDeleteCommand(s),
+	)
+	return cmd
+}

internal/cmd/access/key_create.go

@@ -0,0 +1,66 @@
+package access
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+
+	authv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/auth/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/cmd/base"
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newKeyCreateCommand(s *state.State) *cobra.Command {
+	return base.CreateCmd[*authv1.ManagementKey]{
+		Long: `Create a new cloud management key for the account.
+
+Management keys grant access to the Qdrant Cloud API. The full key value is returned
+only once at creation time — store it securely, as it cannot be retrieved again. If a
+key is lost, delete it and create a new one.`,
+		Example: `# Create a new management key
+qcloud access key create
+
+# Create and capture the key value in a script
+qcloud access key create --json | jq -r '.key'`,
+		BaseCobraCommand: func() *cobra.Command {
+			return &cobra.Command{
+				Use:   "create",
+				Short: "Create a cloud management key",
+				Args:  cobra.NoArgs,
+			}
+		},
+		Run: func(s *state.State, cmd *cobra.Command, args []string) (*authv1.ManagementKey, error) {
+			ctx := cmd.Context()
+			client, err := s.Client(ctx)
+			if err != nil {
+				return nil, err
+			}
+
+			accountID, err := s.AccountID()
+			if err != nil {
+				return nil, err
+			}
+
+			resp, err := client.Auth().CreateManagementKey(ctx, &authv1.CreateManagementKeyRequest{
+				ManagementKey: &authv1.ManagementKey{
+					AccountId: accountID,
+				},
+			})
+			if err != nil {
+				return nil, fmt.Errorf("failed to create management key: %w", err)
+			}
+
+			return resp.GetManagementKey(), nil
+		},
+		PrintResource: func(_ *cobra.Command, out io.Writer, key *authv1.ManagementKey) {
+			fmt.Fprintf(out, "Management key %s created.\n", key.GetId())
+			if k := key.GetKey(); k != "" {
+				fmt.Fprintln(out, "")
+				fmt.Fprintln(out, "Save this key now — it will not be shown again:")
+				fmt.Fprintf(out, "  %s\n", k)
+			}
+		},
+	}.CobraCommand(s)
+}

internal/cmd/access/key_create_test.go

@@ -0,0 +1,66 @@
+package access_test
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	authv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/auth/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/testutil"
+)
+
+func TestKeyCreate_PrintsIDAndKey(t *testing.T) {
+	env := testutil.NewTestEnv(t, testutil.WithAccountID("test-account-id"))
+
+	env.AuthServer.CreateManagementKeyCalls.Returns(&authv1.CreateManagementKeyResponse{
+		ManagementKey: &authv1.ManagementKey{
+			Id:  "new-key-id",
+			Key: "super-secret-value",
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "access", "key", "create")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "new-key-id")
+	assert.Contains(t, stdout, "super-secret-value")
+	assert.Contains(t, stdout, "Save this key now")
+
+	req, ok := env.AuthServer.CreateManagementKeyCalls.Last()
+	require.True(t, ok)
+	assert.Equal(t, "test-account-id", req.GetManagementKey().GetAccountId())
+}
+
+func TestKeyCreate_BackendError(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.AuthServer.CreateManagementKeyCalls.Returns(nil, fmt.Errorf("internal server error"))
+
+	_, _, err := testutil.Exec(t, env, "access", "key", "create")
+	require.Error(t, err)
+}
+
+func TestKeyCreate_JSONOutput(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.AuthServer.CreateManagementKeyCalls.Returns(&authv1.CreateManagementKeyResponse{
+		ManagementKey: &authv1.ManagementKey{
+			Id:  "json-key-id",
+			Key: "secret",
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "access", "key", "create", "--json")
+	require.NoError(t, err)
+
+	var result struct {
+		ID  string `json:"id"`
+		Key string `json:"key"`
+	}
+	require.NoError(t, json.Unmarshal([]byte(stdout), &result))
+	assert.Equal(t, "json-key-id", result.ID)
+	assert.Equal(t, "secret", result.Key)
+}

internal/cmd/access/key_delete.go

@@ -0,0 +1,71 @@
+package access
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	authv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/auth/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/cmd/base"
+	"github.com/qdrant/qcloud-cli/internal/cmd/completion"
+	"github.com/qdrant/qcloud-cli/internal/cmd/util"
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newKeyDeleteCommand(s *state.State) *cobra.Command {
+	return base.Cmd{
+		Long: `Delete a cloud management key from the account.
+
+Deleting a key immediately revokes its access to the Qdrant Cloud API. Any client
+using the deleted key will receive authentication errors. This action cannot be undone.
+
+A confirmation prompt is shown unless --force is passed.`,
+		Example: `# Delete a management key (with confirmation prompt)
+qcloud access key delete a1b2c3d4-e5f6-7890-abcd-ef1234567890
+
+# Delete without confirmation
+qcloud access key delete a1b2c3d4-e5f6-7890-abcd-ef1234567890 --force`,
+		BaseCobraCommand: func() *cobra.Command {
+			cmd := &cobra.Command{
+				Use:   "delete <key-id>",
+				Short: "Delete a cloud management key",
+				Args:  util.ExactArgs(1, "a management key ID"),
+			}
+			cmd.Flags().BoolP("force", "f", false, "Skip confirmation prompt")
+			return cmd
+		},
+		ValidArgsFunction: completion.ManagementKeyIDCompletion(s),
+		Run: func(s *state.State, cmd *cobra.Command, args []string) error {
+			keyID := args[0]
+
+			force, _ := cmd.Flags().GetBool("force")
+			if !util.ConfirmAction(force, cmd.ErrOrStderr(), fmt.Sprintf("Are you sure you want to delete management key %s?", keyID)) {
+				fmt.Fprintln(cmd.OutOrStdout(), "Aborted.")
+				return nil
+			}
+
+			ctx := cmd.Context()
+			client, err := s.Client(ctx)
+			if err != nil {
+				return err
+			}
+
+			accountID, err := s.AccountID()
+			if err != nil {
+				return err
+			}
+
+			_, err = client.Auth().DeleteManagementKey(ctx, &authv1.DeleteManagementKeyRequest{
+				AccountId:       accountID,
+				ManagementKeyId: keyID,
+			})
+			if err != nil {
+				return fmt.Errorf("failed to delete management key: %w", err)
+			}
+
+			fmt.Fprintf(cmd.OutOrStdout(), "Management key %s deleted.\n", keyID)
+			return nil
+		},
+	}.CobraCommand(s)
+}

internal/cmd/access/key_delete_test.go

@@ -0,0 +1,72 @@
+package access_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	authv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/auth/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/testutil"
+)
+
+func TestKeyDelete_WithForce(t *testing.T) {
+	env := testutil.NewTestEnv(t, testutil.WithAccountID("test-account-id"))
+
+	env.AuthServer.DeleteManagementKeyCalls.Returns(&authv1.DeleteManagementKeyResponse{}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "access", "key", "delete", "key-abc", "--force")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "key-abc")
+	assert.Contains(t, stdout, "deleted")
+
+	req, ok := env.AuthServer.DeleteManagementKeyCalls.Last()
+	require.True(t, ok)
+	assert.Equal(t, "test-account-id", req.GetAccountId())
+	assert.Equal(t, "key-abc", req.GetManagementKeyId())
+}
+
+func TestKeyDelete_Aborted(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	stdout, _, err := testutil.Exec(t, env, "access", "key", "delete", "key-abc")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "Aborted.")
+	assert.Equal(t, 0, env.AuthServer.DeleteManagementKeyCalls.Count())
+}
+
+func TestKeyDelete_BackendError(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.AuthServer.DeleteManagementKeyCalls.Returns(nil, fmt.Errorf("internal server error"))
+
+	_, _, err := testutil.Exec(t, env, "access", "key", "delete", "key-abc", "--force")
+	require.Error(t, err)
+}
+
+func TestKeyDelete_MissingArg(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	_, _, err := testutil.Exec(t, env, "access", "key", "delete")
+	require.Error(t, err)
+}
+
+func TestKeyDeleteCompletion(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.AuthServer.ListManagementKeysCalls.Returns(&authv1.ListManagementKeysResponse{
+		Items: []*authv1.ManagementKey{
+			{Id: "key-uuid-1", Prefix: "abc123"},
+			{Id: "key-uuid-2", Prefix: "def456"},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "access", "key", "delete", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "key-uuid-1")
+	assert.Contains(t, stdout, "abc123")
+	assert.Contains(t, stdout, "key-uuid-2")
+	assert.Contains(t, stdout, "def456")
+}