feat: add 'kosli get api-key' command#992
Merged
Merged
Conversation
Add a 'get api-key' subcommand that fetches a single API key's metadata
via `GET /api/v2/service-accounts/{org}/{name}/api-keys/{key_id}`,
completing CRUD support for service-account API keys alongside the
existing create/list/rotate/delete commands.
The command takes a positional KEY-ID and a required `--service-account`
flag (consistent with delete/rotate), supports table and json output,
and only ever returns key metadata - the secret value is shown once at
creation/rotation time.
Closes #991
Contributor
|
Claude finished @mbevc1's task in 1m 56s —— View job Review:
|
| Check | Result |
|---|---|
go build ./... |
✅ pass |
go vet ./cmd/kosli/... |
✅ pass |
go mod tidy |
not run (no go.mod/go.sum changes in this PR) |
| Unit/suite tests | go test was not in my allowed tools. Build+vet pass and the test code reads correctly; the suite tests need the local server per CLAUDE.md. Please confirm make test_integration_single TARGET=TestApiKeyCommandTestSuite is green locally/CI. |
What's good
- Consistent with existing patterns —
getApiKeyOptions,PreRunEglobal-flag check,RequireFlags,url.JoinPath, and theFormattedPrinttable/json map all mirrorlistApiKeys.go/delete/rotate exactly. - DRY refactor landed —
apiKeyMetadataTimestamps(apiKey.go:34) is now shared by both the get renderer (apiKey.go:117) and the list renderer (listApiKeys.go:103), so the two can't drift. This addresses the prior review comment. - Security-conscious — the metadata struct (
apiKeyMetadata) has noKeyfield, and the long/short help explicitly state the secret is only shown at creation/rotation. Good. - Solid test coverage — arg-count validation (0/1/2 args), missing
--service-account,akalias +-sshorthand, table vs json output,N/Arendering for zero timestamps, and a 404-surfaced-as-error case (apiKey_test.go:507). Fixture-driven contract intestdata/service-account/keeps response bodies in one place. - No alias collision —
akis unique amonggetsubcommands (get.go:21-34).
Minor / non-blocking observations
- Shadowing
url(getApiKey.go:65):url, err := url.JoinPath(...)shadows the importedurlpackage. It's correct (RHS evaluates before assignment) and matcheslistApiKeys.go:67, so it's consistent — just noting it as a readability micro-nit shared with the existing code; no change needed. printApiKeyMetadataAsTableassumes a single object. The get endpoint returns one object, so this is correct. If the API ever returned an array on this path the unmarshal would error out cleanly rather than misbehave — fine as-is.
Nothing here blocks merge. Nice, tidy addition. 👍
· 20260706_get_key
mbevc1
enabled auto-merge (squash)
July 6, 2026 12:03
FayeSGW
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a 'get api-key' subcommand that fetches a single API key's metadata via
GET /api/v2/service-accounts/{org}/{name}/api-keys/{key_id}, completing CRUD support for service-account API keys alongside the existing create/list/rotate/delete commands.The command takes a positional KEY-ID and a required
--service-accountflag (consistent with delete/rotate), supports table and json output, and only ever returns key metadata - the secret value is shown once at creation/rotation time.Also creates a reusable function to calculate timestamps.
Closes #991