qdrant · Davidonium · Apr 10, 2026 · Apr 2, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/internal/cmd/completion/iam.go b/internal/cmd/completion/iam.go
@@ -0,0 +1,37 @@
+package completion
+
+import (
+	"github.com/spf13/cobra"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+// RoleCompletion returns a completion function that completes IAM role names
+// with their ID as description.
+func RoleCompletion(s *state.State) func(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+		ctx := cmd.Context()
+		client, err := s.Client(ctx)
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		accountID, err := s.AccountID()
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		resp, err := client.IAM().ListRoles(ctx, &iamv1.ListRolesRequest{AccountId: accountID})
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		completions := make([]string, 0, len(resp.GetItems()))
+		for _, r := range resp.GetItems() {
+			completions = append(completions, r.GetName()+"\t"+r.GetId())
+		}
+		return completions, cobra.ShellCompDirectiveNoFileComp
+	}
+}
diff --git a/internal/cmd/iam/completion.go b/internal/cmd/iam/completion.go
@@ -0,0 +1,39 @@
+package iam
+
+import (
+	"github.com/spf13/cobra"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+// userCompletion returns a ValidArgsFunction that completes user IDs with
+// their email as description. It only completes the first positional argument.
+func userCompletion(s *state.State) func(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
+	return func(cmd *cobra.Command, args []string, _ string) ([]string, cobra.ShellCompDirective) {
+		if len(args) > 0 {
+			return nil, cobra.ShellCompDirectiveNoFileComp
+		}
+		ctx := cmd.Context()
+		client, err := s.Client(ctx)
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+		accountID, err := s.AccountID()
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		resp, err := client.IAM().ListUsers(ctx, &iamv1.ListUsersRequest{AccountId: accountID})
+		if err != nil {
+			return nil, cobra.ShellCompDirectiveError
+		}
+
+		completions := make([]string, 0, len(resp.GetItems()))
+		for _, u := range resp.GetItems() {
+			completions = append(completions, u.GetId()+"\t"+u.GetEmail())
+		}
+		return completions, cobra.ShellCompDirectiveNoFileComp
+	}
+}
diff --git a/internal/cmd/iam/completion_test.go b/internal/cmd/iam/completion_test.go
@@ -0,0 +1,53 @@
+package iam_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/testutil"
+)
+
+func TestUserCompletion(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.IAMServer.ListUsersCalls.Returns(&iamv1.ListUsersResponse{
+		Items: []*iamv1.User{
+			{Id: "user-uuid-1", Email: "alice@example.com"},
+			{Id: "user-uuid-2", Email: "bob@example.com"},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "user", "describe", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "user-uuid-1")
+	assert.Contains(t, stdout, "alice@example.com")
+	assert.Contains(t, stdout, "user-uuid-2")
+	assert.Contains(t, stdout, "bob@example.com")
+}
+
+func TestUserCompletion_StopsAfterFirstArg(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "user", "describe", "user-uuid-1", "")
+	require.NoError(t, err)
+	assert.NotContains(t, stdout, "user-uuid")
+}
+
+func TestUserThenRoleCompletion_FirstArg(t *testing.T) {
+	env := testutil.NewTestEnv(t)
+
+	env.IAMServer.ListUsersCalls.Returns(&iamv1.ListUsersResponse{
+		Items: []*iamv1.User{
+			{Id: "user-uuid-1", Email: "alice@example.com"},
+		},
+	}, nil)
+
+	stdout, _, err := testutil.Exec(t, env, "__complete", "iam", "user", "assign-role", "")
+	require.NoError(t, err)
+	assert.Contains(t, stdout, "user-uuid-1")
+	assert.Contains(t, stdout, "alice@example.com")
+}
diff --git a/internal/cmd/iam/iam.go b/internal/cmd/iam/iam.go
@@ -14,6 +14,9 @@ func NewCommand(s *state.State) *cobra.Command {
 		Long:  `Manage IAM resources for the Qdrant Cloud account.`,
 		Args:  cobra.NoArgs,
 	}
-	cmd.AddCommand(newKeyCommand(s))
+	cmd.AddCommand(
+		newKeyCommand(s),
+		newUserCommand(s),
+	)
 	return cmd
 }
diff --git a/internal/cmd/iam/iam_test.go b/internal/cmd/iam/iam_test.go
@@ -0,0 +1,7 @@
+package iam_test
+
+// Shared test constants used across iam subcommand test files.
+const (
+	testUserID = "7b2ea926-724b-4de2-b73a-8675c42a6ebe"
+	testRoleID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+)
diff --git a/internal/cmd/iam/resolve.go b/internal/cmd/iam/resolve.go
@@ -0,0 +1,114 @@
+package iam
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	iamv1 "github.com/qdrant/qdrant-cloud-public-api/gen/go/qdrant/cloud/iam/v1"
+
+	"github.com/qdrant/qcloud-cli/internal/cmd/output"
+	"github.com/qdrant/qcloud-cli/internal/cmd/util"
+	"github.com/qdrant/qcloud-cli/internal/qcloudapi"
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+// resolveUser looks up a user by UUID or email from the account's user list.
+func resolveUser(cmd *cobra.Command, client *qcloudapi.Client, accountID, idOrEmail string) (*iamv1.User, error) {
+	ctx := cmd.Context()
+	resp, err := client.IAM().ListUsers(ctx, &iamv1.ListUsersRequest{AccountId: accountID})
+	if err != nil {
+		return nil, fmt.Errorf("failed to list users: %w", err)
+	}
+	for _, u := range resp.GetItems() {
+		if util.IsUUID(idOrEmail) {
+			if u.GetId() == idOrEmail {
+				return u, nil
+			}
+		} else {
+			if u.GetEmail() == idOrEmail {
+				return u, nil
+			}
+		}
+	}
+	return nil, fmt.Errorf("user %s not found", idOrEmail)
+}
+
+// resolveRoleIDs converts a slice of role names or UUIDs to UUIDs.
+// Values that already look like UUIDs are passed through unchanged.
+// Non-UUID values are resolved by name via ListRoles.
+func resolveRoleIDs(ctx context.Context, client *qcloudapi.Client, accountID string, namesOrIDs []string) ([]string, error) {
+	if len(namesOrIDs) == 0 {
+		return nil, nil
+	}
+
+	// Check whether any name resolution is needed.
+	var needsLookup bool
+	for _, v := range namesOrIDs {
+		if !util.IsUUID(v) {
+			needsLookup = true
+			break
+		}
+	}
+
+	var rolesByName map[string]string
+	if needsLookup {
+		resp, err := client.IAM().ListRoles(ctx, &iamv1.ListRolesRequest{AccountId: accountID})
+		if err != nil {
+			return nil, fmt.Errorf("failed to list roles: %w", err)
+		}
+		rolesByName = make(map[string]string, len(resp.GetItems()))
+		for _, r := range resp.GetItems() {
+			rolesByName[r.GetName()] = r.GetId()
+		}
+	}
+
+	ids := make([]string, 0, len(namesOrIDs))
+	for _, v := range namesOrIDs {
+		if util.IsUUID(v) {
+			ids = append(ids, v)
+		} else {
+			id, ok := rolesByName[v]
+			if !ok {
+				return nil, fmt.Errorf("role %q not found", v)
+			}
+			ids = append(ids, id)
+		}
+	}
+	return ids, nil
+}
+
+// modifyUserRoles calls AssignUserRoles with the given add/delete IDs, then
+// fetches and prints the resulting role list. errVerb is used in the error
+// message ("failed to <errVerb> roles").
+func modifyUserRoles(s *state.State, cmd *cobra.Command, client *qcloudapi.Client, accountID string, user *iamv1.User, addIDs, removeIDs []string, errVerb string) error {
+	ctx := cmd.Context()
+
+	_, err := client.IAM().AssignUserRoles(ctx, &iamv1.AssignUserRolesRequest{
+		AccountId:       accountID,
+		UserId:          user.GetId(),
+		RoleIdsToAdd:    addIDs,
+		RoleIdsToDelete: removeIDs,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to %s roles: %w", errVerb, err)
+	}
+
+	rolesResp, err := client.IAM().ListUserRoles(ctx, &iamv1.ListUserRolesRequest{
+		AccountId: accountID,
+		UserId:    user.GetId(),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list user roles: %w", err)
+	}
+
+	if s.Config.JSONOutput() {
+		return output.PrintJSON(cmd.OutOrStdout(), rolesResp)
+	}
+
+	w := cmd.OutOrStdout()
+	fmt.Fprintf(w, "Roles for %s:\n", user.GetEmail())
+	printRoles(w, rolesResp.GetRoles())
+	return nil
+}
diff --git a/internal/cmd/iam/user.go b/internal/cmd/iam/user.go
@@ -0,0 +1,26 @@
+package iam
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newUserCommand(s *state.State) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "user",
+		Short: "Manage users in Qdrant Cloud",
+		Long: `Manage users in the Qdrant Cloud account.
+
+Provides commands to list users, view user details and assigned roles, and
+manage role assignments.`,
+		Args: cobra.NoArgs,
+	}
+	cmd.AddCommand(
+		newUserListCommand(s),
+		newUserDescribeCommand(s),
+		newUserAssignRoleCommand(s),
+		newUserRemoveRoleCommand(s),
+	)
+	return cmd
+}
diff --git a/internal/cmd/iam/user_assign_role.go b/internal/cmd/iam/user_assign_role.go
@@ -0,0 +1,67 @@
+package iam
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/qdrant/qcloud-cli/internal/cmd/base"
+	"github.com/qdrant/qcloud-cli/internal/cmd/completion"
+	"github.com/qdrant/qcloud-cli/internal/cmd/util"
+	"github.com/qdrant/qcloud-cli/internal/state"
+)
+
+func newUserAssignRoleCommand(s *state.State) *cobra.Command {
+	return base.Cmd{
+		BaseCobraCommand: func() *cobra.Command {
+			cmd := &cobra.Command{
+				Use:   "assign-role <user-id-or-email>",
+				Short: "Assign one or more roles to a user",
+				Args:  util.ExactArgs(1, "a user ID or email"),
+			}
+
+			_ = cmd.Flags().StringSliceP("role", "r", nil, "A role ID or name")
+			_ = cmd.RegisterFlagCompletionFunc("role", completion.RoleCompletion(s))
+			return cmd
+		},
+		ValidArgsFunction: userCompletion(s),
+		Long: `Assign one or more roles to a user in the account.
+
+Accepts either a user ID (UUID) or an email address to identify the user.
+Each role accepts either a role UUID or a role name, which is
+resolved to an ID via the IAM service. Prints the user's resulting roles
+after the assignment.`,
+		Example: `# Assign a role by name
+qcloud iam user assign-role user@example.com --role admin
+
+# Assign a role by ID
+qcloud iam user assign-role user@example.com --role 7b2ea926-724b-4de2-b73a-8675c42a6ebe
+
+# Assign multiple roles at once
+qcloud iam user assign-role user@example.com --role admin --role viewer
+
+# Assign multiple roles at once using comma separated values
+qcloud iam user assign-role user@example.com --role admin,viewer`,
+		Run: func(s *state.State, cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			client, err := s.Client(ctx)
+			if err != nil {
+				return err
+			}
+			accountID, err := s.AccountID()
+			if err != nil {
+				return err
+			}
+			user, err := resolveUser(cmd, client, accountID, args[0])
+			if err != nil {
+				return err
+			}
+
+			roles, _ := cmd.Flags().GetStringSlice("role")
+			roleIDs, err := resolveRoleIDs(ctx, client, accountID, roles)
+			if err != nil {
+				return err
+			}
+
+			return modifyUserRoles(s, cmd, client, accountID, user, roleIDs, nil, "assign")
+		},
+	}.CobraCommand(s)
+}