qdrant · Davidonium · Apr 10, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 8, 2026
diff --git a/internal/cmd/completion/iam.go b/internal/cmd/completion/iam.go
@@ -0,0 +1,71 @@
+package completion
+
+import (
+	"github.com/spf13/cobra"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+// RoleIDCompletion returns a ValidArgsFunction that completes role IDs.
+func RoleIDCompletion(s *state.State) func(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, args []string, _ string) ([]string, cobra.ShellCompDirective) {
+		if len(args) > 0 {
+			return nil, cobra.ShellCompDirectiveNoFileComp
+		}
+
+		ctx := cmd.Context()
+		client, err := s.Client(ctx)
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		accountID, err := s.AccountID()
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		resp, err := client.IAM().ListRoles(ctx, &iamv1.ListRolesRequest{
+			AccountId: accountID,
+		})
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		completions := make([]string, 0, len(resp.GetItems()))
+		for _, r := range resp.GetItems() {
+			completions = append(completions, r.GetId()+"\t"+r.GetName())
+		}
+		return completions, cobra.ShellCompDirectiveNoFileComp
+	}
+}
+
+// PermissionCompletion returns a completion function for the --permission flag.
+func PermissionCompletion(s *state.State) func(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+		ctx := cmd.Context()
+		client, err := s.Client(ctx)
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		accountID, err := s.AccountID()
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		resp, err := client.IAM().ListPermissions(ctx, &iamv1.ListPermissionsRequest{
+			AccountId: accountID,
+		})
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		completions := make([]string, 0, len(resp.GetPermissions()))
+		for _, p := range resp.GetPermissions() {
+			completions = append(completions, p.GetValue()+"\t"+p.GetCategory())
+		}
+		return completions, cobra.ShellCompDirectiveNoFileComp
+	}
+}
diff --git a/internal/cmd/iam/completion_test.go b/internal/cmd/iam/completion_test.go
@@ -0,0 +1,102 @@
+package iam_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/testutil"
+)
+
+func TestRoleIDCompletion_Describe(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	env.IAMServer.ListRolesCalls.Returns(&iamv1.ListRolesResponse{
+		Items: []*iamv1.Role{
+			{Id: "role-uuid-1", Name: "Admin"},
+			{Id: "role-uuid-2", Name: "Viewer"},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "role", "describe", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "role-uuid-1")
+	assert.Contains(t, stdout, "Admin")
+	assert.Contains(t, stdout, "role-uuid-2")
+	assert.Contains(t, stdout, "Viewer")
+}
+
+func TestRoleIDCompletion_Delete(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	env.IAMServer.ListRolesCalls.Returns(&iamv1.ListRolesResponse{
+		Items: []*iamv1.Role{
+			{Id: "role-uuid-1", Name: "Admin"},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "role", "delete", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "role-uuid-1")
+	assert.Contains(t, stdout, "Admin")
+}
+
+func TestRoleIDCompletion_AssignPermission(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	env.IAMServer.ListRolesCalls.Returns(&iamv1.ListRolesResponse{
+		Items: []*iamv1.Role{
+			{Id: "role-uuid-1", Name: "Custom Role"},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "role", "assign-permission", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "role-uuid-1")
+	assert.Contains(t, stdout, "Custom Role")
+}
+
+func TestPermissionCompletion_Create(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	env.IAMServer.ListPermissionsCalls.Returns(&iamv1.ListPermissionsResponse{
+		Permissions: []*iamv1.Permission{
+			{Value: "read:clusters", Category: new("Cluster")},
+			{Value: "write:backups", Category: new("Backup")},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "role", "create", "--name", "test", "--permission", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "read:clusters")
+	assert.Contains(t, stdout, "Cluster")
+	assert.Contains(t, stdout, "write:backups")
+	assert.Contains(t, stdout, "Backup")
+}
+
+func TestPermissionCompletion_AssignPermission(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	env.IAMServer.ListPermissionsCalls.Returns(&iamv1.ListPermissionsResponse{
+		Permissions: []*iamv1.Permission{
+			{Value: "read:clusters", Category: new("Cluster")},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "role", "assign-permission", "some-role-id", "--permission", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "read:clusters")
+	assert.Contains(t, stdout, "Cluster")
+}
+
+func TestPermissionCompletion_RemovePermission(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+	env.IAMServer.ListPermissionsCalls.Returns(&iamv1.ListPermissionsResponse{
+		Permissions: []*iamv1.Permission{
+			{Value: "write:backups", Category: new("Backup")},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "role", "remove-permission", "some-role-id", "--permission", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "write:backups")
+	assert.Contains(t, stdout, "Backup")
+}
diff --git a/internal/cmd/iam/iam.go b/internal/cmd/iam/iam.go
@@ -14,6 +14,10 @@ func NewCommand(s *state.State) *cobra.Command {
 		Long:  `Manage IAM resources for the Qdrant Cloud account.`,
 		Args:  cobra.NoArgs,
 	}
-	cmd.AddCommand(newKeyCommand(s))
+	cmd.AddCommand(
+		newKeyCommand(s),
+		newRoleCommand(s),
+		newPermissionCommand(s),
+	)
 	return cmd
 }
diff --git a/internal/cmd/iam/permission.go b/internal/cmd/iam/permission.go
@@ -0,0 +1,21 @@
+package iam
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newPermissionCommand(s *state.State) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "permission",
+		Short: "Manage permissions in Qdrant Cloud",
+		Long: `Manage permissions for the Qdrant Cloud account.
+
+Permissions represent individual access rights that can be assigned to roles.
+Use these commands to discover which permissions are available in the system.`,
+		Args: cobra.NoArgs,
+	}
+	cmd.AddCommand(newPermissionListCommand(s))
+	return cmd
+}
diff --git a/internal/cmd/iam/permission_list.go b/internal/cmd/iam/permission_list.go
@@ -0,0 +1,57 @@
+package iam
+
+import (
+	"io"
+
+	"github.com/spf13/cobra"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/cmd/base"
+	"github.com/qdrant/qcloud-cli/internal/cmd/output"
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newPermissionListCommand(s *state.State) *cobra.Command {
+	return base.ListCmd[*iamv1.ListPermissionsResponse]{
+		Use:   "list",
+		Short: "List all available permissions",
+		Long: `List all permissions known in the system for the account.
+
+Permissions are the individual access rights that can be assigned to roles.
+Each permission has a value (e.g. "read:clusters") and a category
+(e.g. "Cluster").`,
+		Example: `# List all available permissions
+qcloud iam permission list
+
+# Output as JSON
+qcloud iam permission list --json`,
+		Fetch: func(s *state.State, cmd *cobra.Command) (*iamv1.ListPermissionsResponse, error) {
+			ctx := cmd.Context()
+			client, err := s.Client(ctx)
+			if err != nil {
+				return nil, err
+			}
+
+			accountID, err := s.AccountID()
+			if err != nil {
+				return nil, err
+			}
+
+			return client.IAM().ListPermissions(ctx, &iamv1.ListPermissionsRequest{
+				AccountId: accountID,
+			})
+		},
+		PrintText: func(_ *cobra.Command, w io.Writer, resp *iamv1.ListPermissionsResponse) error {
+			t := output.NewTable[*iamv1.Permission](w)
+			t.AddField("PERMISSION", func(v *iamv1.Permission) string {
+				return v.GetValue()
+			})
+			t.AddField("CATEGORY", func(v *iamv1.Permission) string {
+				return v.GetCategory()
+			})
+			t.Write(resp.GetPermissions())
+			return nil
+		},
+	}.CobraCommand(s)
+}
diff --git a/internal/cmd/iam/permission_list_test.go b/internal/cmd/iam/permission_list_test.go
@@ -0,0 +1,71 @@
+package iam_test
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/testutil"
+)
+
+func TestPermissionList_TableOutput(t *testing.T) {
+	env := testutil.NewTestEnv(t, testutil.WithAccountID("test-account-id"))
+
+	env.IAMServer.ListPermissionsCalls.Returns(&iamv1.ListPermissionsResponse{
+		Permissions: []*iamv1.Permission{
+			{Value: "read:clusters", Category: new("Cluster")},
+			{Value: "write:roles", Category: new("IAM")},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "iam", "permission", "list")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "PERMISSION")
+	assert.Contains(t, stdout, "CATEGORY")
+	assert.Contains(t, stdout, "read:clusters")
+	assert.Contains(t, stdout, "Cluster")
+	assert.Contains(t, stdout, "write:roles")
+	assert.Contains(t, stdout, "IAM")
+
+	req, ok := env.IAMServer.ListPermissionsCalls.Last()
+	require.True(t, ok)
+	assert.Equal(t, "test-account-id", req.GetAccountId())
+}
+
+func TestPermissionList_JSONOutput(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.IAMServer.ListPermissionsCalls.Returns(&iamv1.ListPermissionsResponse{
+		Permissions: []*iamv1.Permission{
+			{Value: "read:clusters", Category: new("Cluster")},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "iam", "permission", "list", "--json")
+	require.NoError(t, err)
+
+	var result struct {
+		Permissions []struct {
+			Value    string `json:"value"`
+			Category string `json:"category"`
+		} `json:"permissions"`
+	}
+	require.NoError(t, json.Unmarshal([]byte(stdout), &result))
+	require.Len(t, result.Permissions, 1)
+	assert.Equal(t, "read:clusters", result.Permissions[0].Value)
+	assert.Equal(t, "Cluster", result.Permissions[0].Category)
+}
+
+func TestPermissionList_BackendError(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.IAMServer.ListPermissionsCalls.Returns(nil, fmt.Errorf("internal server error"))
+
+	_, _, err := testutil.Exec(t, env, "iam", "permission", "list")
+	require.Error(t, err)
+}
diff --git a/internal/cmd/iam/role.go b/internal/cmd/iam/role.go
@@ -0,0 +1,29 @@
+package iam
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newRoleCommand(s *state.State) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "role",
+		Short: "Manage roles in Qdrant Cloud",
+		Long: `Manage roles for the Qdrant Cloud account.
+
+Roles define sets of permissions that control access to resources. There are two
+types of roles: system roles (immutable, managed by Qdrant) and custom roles
+(created and managed by the account). Use these commands to list, inspect, create,
+update, and delete custom roles, as well as manage their permissions.`,
+		Args: cobra.NoArgs,
+	}
+	cmd.AddCommand(newRoleListCommand(s))
+	cmd.AddCommand(newRoleDescribeCommand(s))
+	cmd.AddCommand(newRoleCreateCommand(s))
+	cmd.AddCommand(newRoleUpdateCommand(s))
+	cmd.AddCommand(newRoleDeleteCommand(s))
+	cmd.AddCommand(newRoleAssignPermissionCommand(s))
+	cmd.AddCommand(newRoleRemovePermissionCommand(s))
+	return cmd
+}