fix: use resolveAuthMethod() in IAM config helpers (#63)

getIAMConfig() had its own auth resolution logic that diverged from
resolveAuthMethod(), missing AWS profiles and env var credentials.
Now delegates to resolveAuthMethod() as the single source of truth.

getOAuthIAMConfig() keeps using the stored login method since IAM
user/policy operations always require OAuth, even when env vars or
AWS profile override S3 auth.

Also moves isFlyOrganization() into auth/fly.ts where isFlyUser()
lives, and deduplicates the inline check in organizations/create.ts.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: designcode

src/auth/fly.ts

@@ -1,12 +1,29 @@
 import axios from 'axios';
 
 import { getAuth0Config, TIGRIS_CLAIMS_NAMESPACE } from './client.js';
-import type { OrganizationInfo } from './storage.js';
+import { getSelectedOrganization, type OrganizationInfo } from './storage.js';
 
 export function isFlyUser(organizationId?: string): boolean {
   return !!organizationId?.startsWith('flyio_');
 }
 
+/**
+ * Check if current org is Fly.io. Prints message and returns true if so.
+ * @param feature - what's unavailable, e.g. "User management" or "Organization creation"
+ */
+export function isFlyOrganization(feature: string): boolean {
+  const selectedOrg = getSelectedOrganization();
+  if (isFlyUser(selectedOrg ?? undefined)) {
+    console.log(
+      `${feature} is not available for Fly.io organizations.\n` +
+        'Your resources are managed through Fly.io.\n\n' +
+        'Visit https://fly.io to manage your organization.'
+    );
+    return true;
+  }
+  return false;
+}
+
 export async function fetchOrganizationsFromUserInfo(
   accessToken: string
 ): Promise<OrganizationInfo[] | null> {

src/auth/iam.ts

@@ -1,39 +1,26 @@
 /**
  * Shared IAM auth helpers
- * Consolidates OAuth check + auth check + config building patterns
+ * Uses resolveAuthMethod() as the single source of truth for auth priority.
  */
 
 import { failWithError } from '@utils/exit.js';
 import type { MessageContext } from '@utils/messages.js';
 
 import { getAuthClient } from './client.js';
-import { isFlyUser } from './fly.js';
-import { getCredentials, getLoginMethod, getTigrisConfig } from './provider.js';
-import { getSelectedOrganization } from './storage.js';
-
-/**
- * Check if current org is Fly.io. Prints message and returns true if so.
- */
-export function isFlyOrganization(): boolean {
-  const selectedOrg = getSelectedOrganization();
-  if (isFlyUser(selectedOrg ?? undefined)) {
-    console.log(
-      'User management is not available for Fly.io organizations.\n' +
-        'Your users are managed through Fly.io.\n\n' +
-        'Visit https://fly.io to manage your organization members.'
-    );
-    return true;
-  }
-  return false;
-}
+export { isFlyOrganization } from './fly.js';
+import { getTigrisConfig, resolveAuthMethod } from './provider.js';
+import { getLoginMethod, getSelectedOrganization } from './storage.js';
 
 /**
  * OAuth-only IAM config. Exits on non-OAuth or unauthenticated.
  * Used by IAM policy and user commands.
+ *
+ * Checks the *stored* login method (not resolveAuthMethod) because these
+ * operations always require OAuth — even when env vars or AWS profile
+ * are set for S3.
  */
 export async function getOAuthIAMConfig(context: MessageContext) {
-  const loginMethod = await getLoginMethod();
-  if (loginMethod !== 'oauth') {
+  if (getLoginMethod() !== 'oauth') {
     failWithError(
       context,
       'This operation requires OAuth login.\nRun "tigris login oauth" first.'
@@ -48,12 +35,11 @@ export async function getOAuthIAMConfig(context: MessageContext) {
     );
   }
 
-  const accessToken = await authClient.getAccessToken();
   const selectedOrg = getSelectedOrganization();
   const { iamEndpoint, mgmtEndpoint } = getTigrisConfig();
 
   return {
-    sessionToken: accessToken,
+    sessionToken: await authClient.getAccessToken(),
     organizationId: selectedOrg ?? undefined,
     iamEndpoint,
     mgmtEndpoint,
@@ -62,41 +48,31 @@ export async function getOAuthIAMConfig(context: MessageContext) {
 
 /**
  * Dual-mode IAM config (OAuth or credentials).
+ * Uses resolveAuthMethod() to follow the same priority as getStorageConfig().
  * Used by access-key commands.
  */
 export async function getIAMConfig(context: MessageContext) {
-  const loginMethod = await getLoginMethod();
-  const tigrisConfig = getTigrisConfig();
-  const selectedOrg = getSelectedOrganization();
+  const method = await resolveAuthMethod();
+
+  switch (method.type) {
+    case 'oauth':
+      return getOAuthIAMConfig(context);
+
+    case 'aws-profile':
+    case 'credentials':
+    case 'environment':
+    case 'configured':
+      return {
+        accessKeyId: method.accessKeyId,
+        secretAccessKey: method.secretAccessKey,
+        organizationId: getSelectedOrganization() ?? undefined,
+        iamEndpoint: getTigrisConfig().iamEndpoint,
+      };
 
-  if (loginMethod === 'oauth') {
-    const authClient = getAuthClient();
-    if (!(await authClient.isAuthenticated())) {
+    case 'none':
       failWithError(
         context,
-        'Not authenticated. Run "tigris login oauth" first.'
+        'Not authenticated. Run "tigris login" or "tigris configure" first.'
       );
-    }
-
-    return {
-      sessionToken: await authClient.getAccessToken(),
-      organizationId: selectedOrg ?? undefined,
-      iamEndpoint: tigrisConfig.iamEndpoint,
-    };
-  }
-
-  const credentials = getCredentials();
-  if (!credentials) {
-    failWithError(
-      context,
-      'Not authenticated. Run "tigris login" or "tigris configure" first.'
-    );
   }
-
-  return {
-    accessKeyId: credentials.accessKeyId,
-    secretAccessKey: credentials.secretAccessKey,
-    organizationId: selectedOrg ?? undefined,
-    iamEndpoint: tigrisConfig.iamEndpoint,
-  };
 }

src/lib/iam/users/invite.ts

@@ -11,7 +11,7 @@ export default async function invite(options: Record<string, unknown>) {
 
   const format = getFormat(options);
 
-  if (isFlyOrganization()) return;
+  if (isFlyOrganization('User management')) return;
 
   const emailOption = getOption<string | string[]>(options, ['email']);
   const roleInput = getOption<string>(options, ['role', 'r']) ?? 'member';

src/lib/iam/users/list.ts

@@ -17,7 +17,7 @@ export default async function list(options: Record<string, unknown>) {
 
   const format = getFormat(options);
 
-  if (isFlyOrganization()) return;
+  if (isFlyOrganization('User management')) return;
 
   const iamConfig = await getOAuthIAMConfig(context);
 

src/lib/iam/users/remove.ts

@@ -17,7 +17,7 @@ export default async function removeUser(options: Record<string, unknown>) {
   const resourceOption = getOption<string | string[]>(options, ['resource']);
   const force = getOption<boolean>(options, ['yes', 'y', 'force']);
 
-  if (isFlyOrganization()) return;
+  if (isFlyOrganization('User management')) return;
 
   const iamConfig = await getOAuthIAMConfig(context);
 

src/lib/iam/users/revoke-invitation.ts

@@ -19,7 +19,7 @@ export default async function revokeInvitation(
   const resourceOption = getOption<string | string[]>(options, ['resource']);
   const force = getOption<boolean>(options, ['yes', 'y', 'force']);
 
-  if (isFlyOrganization()) return;
+  if (isFlyOrganization('User management')) return;
 
   const iamConfig = await getOAuthIAMConfig(context);
 

src/lib/iam/users/update-role.ts

@@ -14,7 +14,7 @@ export default async function updateRole(options: Record<string, unknown>) {
 
   const format = getFormat(options);
 
-  if (isFlyOrganization()) return;
+  if (isFlyOrganization('User management')) return;
 
   const validRoles = ['admin', 'member'] as const;
   type Role = (typeof validRoles)[number];

src/lib/organizations/create.ts

@@ -1,6 +1,5 @@
-import { isFlyUser } from '@auth/fly.js';
+import { isFlyOrganization } from '@auth/fly.js';
 import { getStorageConfig, requireOAuthLogin } from '@auth/provider.js';
-import { getSelectedOrganization } from '@auth/storage.js';
 import { createOrganization } from '@tigrisdata/iam';
 import { failWithError, printNextActions } from '@utils/exit.js';
 import { msg, printHint, printStart, printSuccess } from '@utils/messages.js';
@@ -12,17 +11,7 @@ export default async function create(options: Record<string, unknown>) {
   printStart(context);
 
   if (requireOAuthLogin('Organization creation')) return;
-
-  // Fly users cannot create organizations
-  const selectedOrg = getSelectedOrganization();
-  if (isFlyUser(selectedOrg ?? undefined)) {
-    console.log(
-      'Organization creation is not available for Fly.io users.\n' +
-        'Your organizations are managed through Fly.io.\n\n' +
-        'Visit https://fly.io to manage your organizations.'
-    );
-    return;
-  }
+  if (isFlyOrganization('Organization creation')) return;
 
   const name = getOption<string>(options, ['name', 'N']);