From 52a877fcfacd23a17b46dc2f80c19b145364eb81 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 22 Aug 2025 23:22:55 +0530
Subject: [PATCH 01/80] feat: enhance ServiceAccountToken model with creator
 validation and relationship

- Added `created_by_service_account` field to associate tokens with service accounts.
- Implemented validation in `clean` method to ensure only one creator field is set.
- Introduced `get_creator_account` method to retrieve the creator, whether an organisation member or a service account.
---
 backend/api/models.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/backend/api/models.py b/backend/api/models.py
index e71b18ac8..8c5ec8c8c 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -556,11 +556,35 @@ class ServiceAccountToken(models.Model):
     created_by = models.ForeignKey(
         OrganisationMember, on_delete=models.CASCADE, blank=True, null=True
     )
+    created_by_service_account = models.ForeignKey(
+        ServiceAccount,
+        on_delete=models.SET_NULL,
+        blank=True,
+        null=True,
+        related_name="created_tokens",
+    )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
     updated_at = models.DateTimeField(auto_now=True)
     deleted_at = models.DateTimeField(blank=True, null=True)
     expires_at = models.DateTimeField(null=True)
 
+    def clean(self):
+        # Ensure only one of created_by or created_by_service_account is set
+        # Service accounts can create tokens for themselves and others
+        if not (self.created_by or self.created_by_service_account):
+            from django.core.exceptions import ValidationError
+            raise ValidationError(
+                "Must set either created_by (organisation member) or created_by_service_account"
+            )
+        if self.created_by and self.created_by_service_account:
+            from django.core.exceptions import ValidationError
+            raise ValidationError(
+                "Only one of created_by or created_by_service_account may be set"
+            )
+
+    def get_creator_account(self):
+        return self.created_by or self.created_by_service_account
+
     def delete(self, *args, **kwargs):
         """
         Soft delete the object by setting the 'deleted_at' field.

From e9d91ba6927d49c785c02f2eeb04731a7fe9c32d Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 22 Aug 2025 23:23:15 +0530
Subject: [PATCH 02/80] fix: update ServiceAccountTokenSerializer to use
 ServiceAccountToken model

---
 backend/api/serializers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/api/serializers.py b/backend/api/serializers.py
index 7c8fd5d90..a8cc4b3e5 100644
--- a/backend/api/serializers.py
+++ b/backend/api/serializers.py
@@ -15,6 +15,7 @@
     Organisation,
     Secret,
     ServiceToken,
+    ServiceAccountToken,
     UserToken,
     PersonalSecret,
 )
@@ -248,7 +249,7 @@ class ServiceAccountTokenSerializer(serializers.ModelSerializer):
     )
 
     class Meta:
-        model = UserToken
+        model = ServiceAccountToken
         fields = [
             "wrapped_key_share",
             "account_id",

From d060d092b4b1caa2a2ad7a455e82f5f6081574e0 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 22 Aug 2025 23:23:31 +0530
Subject: [PATCH 03/80] feat: add created_by_service_account field to
 ServiceAccountToken model

- Introduced a new ForeignKey field to associate service account tokens with their creator service accounts.
- This migration enhances the model's relationship capabilities.
---
 ...accounttoken_created_by_service_account.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py

diff --git a/backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py b/backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py
new file mode 100644
index 000000000..d48f24941
--- /dev/null
+++ b/backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.2.22 on 2025-08-22 08:59
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0105_environmentkey_unique_envkey_user_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='serviceaccounttoken',
+            name='created_by_service_account',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='created_tokens', to='api.serviceaccount'),
+        ),
+    ]

From 9c2ae453624f93c13460fb94e1b3d512d33e295b Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 22 Aug 2025 23:23:39 +0530
Subject: [PATCH 04/80] feat: implement ServiceAccountUser class for service
 account handling

- Added a new ServiceAccountUser class to represent service account users in the authentication process.
- Updated PhaseTokenAuthentication to utilize ServiceAccountUser when the creator is not an organization member, enhancing the handling of service account tokens.
---
 backend/api/auth.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/backend/api/auth.py b/backend/api/auth.py
index 7439c356e..40a6f8457 100644
--- a/backend/api/auth.py
+++ b/backend/api/auth.py
@@ -17,6 +17,18 @@
 logger = logging.getLogger(__name__)
 
 
+class ServiceAccountUser:
+    """Mock ServiceAccount user"""
+    
+    def __init__(self, service_account):
+        self.userId = service_account.id
+        self.id = service_account.id
+        self.is_authenticated = True
+        self.is_active = True
+        self.username = service_account.name
+        self.service_account = service_account
+
+
 class PhaseTokenAuthentication(authentication.BaseAuthentication):
     def authenticate(self, request):
 
@@ -97,8 +109,14 @@ def authenticate(self, request):
 
             try:
                 service_token = get_service_token(auth_token)
-                service_account = get_service_account_from_token(auth_token)
-                user = service_token.created_by.user
+                service_account = get_service_account_from_token(auth_token)          
+                
+                creator = getattr(service_token, "created_by", None)
+                if creator:
+                    user = creator.user
+                else:
+                    user = ServiceAccountUser(service_account)
+                    
                 auth["service_account"] = service_account
                 auth["service_account_token"] = service_token
 

From 828cf77fed4a762a36753974fbe97ef29d12bfc7 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 22 Aug 2025 23:56:23 +0530
Subject: [PATCH 05/80] feat: add createdByServiceAccount field to
 ServiceAccountTokenType

- Introduced a new field `createdByServiceAccount` to the ServiceAccountTokenType to enhance the model's relationship with service accounts.
- This addition supports better tracking of token creation by service accounts.
---
 frontend/apollo/schema.graphql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index e726ab1c0..70ce7e45c 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -305,6 +305,7 @@ type ServiceAccountTokenType {
   token: String!
   wrappedKeyShare: String!
   createdBy: OrganisationMemberType
+  createdByServiceAccount: ServiceAccountType
   createdAt: DateTime
   updatedAt: DateTime!
   deletedAt: DateTime

From c42700fc84da5afd48f13fc5548cafe84a2410a9 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Fri, 22 Aug 2025 23:59:17 +0530
Subject: [PATCH 06/80] feat: add EnableServiceAccountSseMutation and related
 types

- Introduced `EnableServiceAccountSseMutation` to facilitate enabling third-party authentication for service accounts.
- Added `createdByServiceAccount` field to `ServiceAccountTokenType` for better tracking of token creation.
- Updated `GetServiceAccountTokensQuery` to include `createdByServiceAccount` information, enhancing the query's detail on token origins.
---
 frontend/apollo/graphql.ts | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 41d614bca..84193664d 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -1975,6 +1975,7 @@ export type ServiceAccountTokenType = {
   __typename?: 'ServiceAccountTokenType';
   createdAt?: Maybe<Scalars['DateTime']['output']>;
   createdBy?: Maybe<OrganisationMemberType>;
+  createdByServiceAccount?: Maybe<ServiceAccountType>;
   deletedAt?: Maybe<Scalars['DateTime']['output']>;
   expiresAt?: Maybe<Scalars['DateTime']['output']>;
   id: Scalars['String']['output'];
@@ -2643,6 +2644,15 @@ export type DeleteServiceAccountTokenOpMutationVariables = Exact<{
 
 export type DeleteServiceAccountTokenOpMutation = { __typename?: 'Mutation', deleteServiceAccountToken?: { __typename?: 'DeleteServiceAccountTokenMutation', ok?: boolean | null } | null };
 
+export type EnableServiceAccountSseMutationVariables = Exact<{
+  serviceAccountId: Scalars['ID']['input'];
+  serverWrappedKeyring: Scalars['String']['input'];
+  serverWrappedRecovery: Scalars['String']['input'];
+}>;
+
+
+export type EnableServiceAccountSseMutation = { __typename?: 'Mutation', enableServiceAccountThirdPartyAuth?: { __typename?: 'EnableServiceAccountThirdPartyAuthMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, thirdPartyAuthEnabled?: boolean | null } | null } | null };
+
 export type UpdateServiceAccountHandlerKeysMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
   handlers?: InputMaybe<Array<InputMaybe<ServiceAccountHandlerInput>> | InputMaybe<ServiceAccountHandlerInput>>;
@@ -3145,7 +3155,7 @@ export type GetServiceAccountTokensQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountTokensQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, tokens?: Array<{ __typename?: 'ServiceAccountTokenType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, lastUsed?: any | null, createdBy?: { __typename?: 'OrganisationMemberType', fullName?: string | null, avatarUrl?: string | null, self?: boolean | null } | null } | null> | null } | null> | null };
+export type GetServiceAccountTokensQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, tokens?: Array<{ __typename?: 'ServiceAccountTokenType', id: string, name: string, createdAt?: any | null, expiresAt?: any | null, lastUsed?: any | null, createdBy?: { __typename?: 'OrganisationMemberType', fullName?: string | null, avatarUrl?: string | null, self?: boolean | null } | null, createdByServiceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null } | null } | null> | null } | null> | null };
 
 export type GetServiceAccountsQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3344,6 +3354,7 @@ export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
 export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountTokenOpMutation, DeleteServiceAccountTokenOpMutationVariables>;
+export const EnableServiceAccountSseDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableServiceAccountSSE"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountThirdPartyAuth"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableServiceAccountSseMutation, EnableServiceAccountSseMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
@@ -3403,7 +3414,7 @@ export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"Ope
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
 export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
-export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
+export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
 export const GetOrganisationSyncsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationSyncs"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"authentication"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"history"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"completedAt"}},{"kind":"Field","name":{"kind":"Name","value":"meta"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"credentials"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"expectedCredentials"}},{"kind":"Field","name":{"kind":"Name","value":"optionalCredentials"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"email"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetOrganisationSyncsQuery, GetOrganisationSyncsQueryVariables>;
 export const GetAwsSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsSecrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"arn"}}]}}]}}]} as unknown as DocumentNode<GetAwsSecretsQuery, GetAwsSecretsQueryVariables>;

From 5a45642e0f492f5832048db8aedb90cf5115d9bc Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 00:02:53 +0530
Subject: [PATCH 07/80] feat: add EnableServiceAccountSSE mutation and update
 GetServiceAccountTokens query

- Introduced `EnableServiceAccountSSE` mutation to enable third-party authentication for service accounts.
- Updated `GetServiceAccountTokens` query to include `createdByServiceAccount` field, enhancing token origin tracking.
---
 frontend/apollo/gql.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 601d00997..7ebdf7d5e 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -66,6 +66,7 @@ const documents = {
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountTokenOpDocument,
+    "mutation EnableServiceAccountSSE($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountThirdPartyAuth(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}": types.EnableServiceAccountSseDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
@@ -125,7 +126,7 @@ const documents = {
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
     "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
-    "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
+    "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
     "query GetOrganisationSyncs($orgId: ID!) {\n  syncs(orgId: $orgId) {\n    id\n    environment {\n      id\n      name\n      envType\n      app {\n        id\n        name\n      }\n    }\n    path\n    serviceInfo {\n      id\n      name\n      provider {\n        id\n      }\n    }\n    options\n    isActive\n    lastSync\n    status\n    authentication {\n      id\n      name\n      credentials\n    }\n    createdAt\n    history {\n      id\n      status\n      createdAt\n      completedAt\n      meta\n    }\n  }\n  savedCredentials(orgId: $orgId) {\n    id\n    name\n    credentials\n    createdAt\n    provider {\n      id\n      name\n      expectedCredentials\n      optionalCredentials\n    }\n    syncCount\n  }\n  apps(organisationId: $orgId, appId: null) {\n    id\n    name\n    identityKey\n    createdAt\n    sseEnabled\n    members {\n      id\n      fullName\n      avatarUrl\n      email\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetOrganisationSyncsDocument,
     "query GetAwsSecrets($credentialId: ID!) {\n  awsSecrets(credentialId: $credentialId) {\n    name\n    arn\n  }\n}": types.GetAwsSecretsDocument,
@@ -375,6 +376,10 @@ export function graphql(source: "mutation DeleteServiceAccountOp($id: ID!) {\n
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation EnableServiceAccountSSE($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountThirdPartyAuth(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableServiceAccountSSE($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountThirdPartyAuth(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -614,7 +619,7 @@ export function graphql(source: "query GetServiceAccountHandlers($orgId: ID!) {\
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      lastUsed\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      lastUsed\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */

From c031aa9d4067be68eb2c090c2d11c3c903e8b7e9 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:24:57 +0530
Subject: [PATCH 08/80] feat: rename EnableServiceAccountThirdPartyAuthMutation
 and add client-side key management mutation

- Renamed `EnableServiceAccountThirdPartyAuthMutation` to `EnableServiceAccountServerSideKeyManagementMutation` for clarity.
- Introduced `EnableServiceAccountClientSideKeyManagementMutation` to manage client-side key management, allowing for the deletion of server-wrapped keys and enhancing service account security management.
---
 .../graphene/mutations/service_accounts.py    | 32 +++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index b8768e955..2b8bb9716 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -82,7 +82,7 @@ def mutate(
         return CreateServiceAccountMutation(service_account=service_account)
 
 
-class EnableServiceAccountThirdPartyAuthMutation(graphene.Mutation):
+class EnableServiceAccountServerSideKeyManagementMutation(graphene.Mutation):
     class Arguments:
         service_account_id = graphene.ID()
         server_wrapped_keyring = graphene.String()
@@ -113,7 +113,35 @@ def mutate(
         service_account.server_wrapped_recovery = server_wrapped_recovery
         service_account.save()
 
-        return EnableServiceAccountThirdPartyAuthMutation(
+        return EnableServiceAccountServerSideKeyManagementMutation(
+            service_account=service_account
+        )
+
+
+class EnableServiceAccountClientSideKeyManagementMutation(graphene.Mutation):
+    class Arguments:
+        service_account_id = graphene.ID()
+
+    service_account = graphene.Field(ServiceAccountType)
+
+    @classmethod
+    def mutate(cls, root, info, service_account_id):
+        user = info.context.user
+        service_account = ServiceAccount.objects.get(id=service_account_id)
+
+        if not user_has_permission(
+            user, "update", "ServiceAccounts", service_account.organisation
+        ):
+            raise GraphQLError(
+                "You don't have the permissions required to update Service Accounts in this organisation"
+            )
+
+        # Delete server-wrapped keys to disable server-side key management
+        service_account.server_wrapped_keyring = None
+        service_account.server_wrapped_recovery = None
+        service_account.save()
+
+        return EnableServiceAccountClientSideKeyManagementMutation(
             service_account=service_account
         )
 

From 3d51fa9b3c28aafafd14a72228a3c92647dde6ff Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:25:10 +0530
Subject: [PATCH 09/80] feat: update service account mutations for key
 management

- Renamed `EnableServiceAccountThirdPartyAuthMutation` to `EnableServiceAccountServerSideKeyManagementMutation` for improved clarity.
- Added `EnableServiceAccountClientSideKeyManagementMutation` to support client-side key management, enhancing service account security features.
---
 backend/backend/schema.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 66a34f6f1..9d9a38635 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -10,7 +10,8 @@
     CreateServiceAccountTokenMutation,
     DeleteServiceAccountMutation,
     DeleteServiceAccountTokenMutation,
-    EnableServiceAccountThirdPartyAuthMutation,
+    EnableServiceAccountClientSideKeyManagementMutation,
+    EnableServiceAccountServerSideKeyManagementMutation,
     UpdateServiceAccountHandlersMutation,
     UpdateServiceAccountMutation,
 )
@@ -931,8 +932,11 @@ class Mutation(graphene.ObjectType):
 
     # Service Accounts
     create_service_account = CreateServiceAccountMutation.Field()
-    enable_service_account_third_party_auth = (
-        EnableServiceAccountThirdPartyAuthMutation.Field()
+    enable_service_account_server_side_key_management = (
+        EnableServiceAccountServerSideKeyManagementMutation.Field()
+    )
+    enable_service_account_client_side_key_management = (
+        EnableServiceAccountClientSideKeyManagementMutation.Field()
     )
     update_service_account_handlers = UpdateServiceAccountHandlersMutation.Field()
     update_service_account = UpdateServiceAccountMutation.Field()

From 5ce3ca8ab7cd48a238a2d0dc451cbb502e8ac84f Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:25:18 +0530
Subject: [PATCH 10/80] feat: enhance service account mutations for key
 management

- Renamed `EnableServiceAccountThirdPartyAuthMutation` to `EnableServiceAccountServerSideKeyManagementMutation` for better clarity.
- Added `EnableServiceAccountClientSideKeyManagementMutation` to facilitate client-side key management, improving service account security features.
---
 frontend/apollo/schema.graphql | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 70ce7e45c..a09623e64 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -802,7 +802,8 @@ type Mutation {
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
   updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
   createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
-  enableServiceAccountThirdPartyAuth(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountThirdPartyAuthMutation
+  enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
+  enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
   updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
   updateServiceAccount(name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
@@ -1027,7 +1028,11 @@ input ServiceAccountHandlerInput {
   wrappedRecovery: String!
 }
 
-type EnableServiceAccountThirdPartyAuthMutation {
+type EnableServiceAccountServerSideKeyManagementMutation {
+  serviceAccount: ServiceAccountType
+}
+
+type EnableServiceAccountClientSideKeyManagementMutation {
   serviceAccount: ServiceAccountType
 }
 

From 41001dd1dd1b43e8b1f48f14d39e41396eadb989 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:29:19 +0530
Subject: [PATCH 11/80] feat: update service account mutations and queries for
 key management

- Replaced `EnableServiceAccountSSE` mutation with `EnableSAClientKeyManagement` and `EnableSAServerKeyManagement` mutations to enhance key management capabilities.
- Updated `GetServiceAccountDetail` query to include `thirdPartyAuthEnabled` field, improving service account detail retrieval.
---
 frontend/apollo/gql.ts | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 7ebdf7d5e..211aa3992 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -66,7 +66,8 @@ const documents = {
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountTokenOpDocument,
-    "mutation EnableServiceAccountSSE($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountThirdPartyAuth(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}": types.EnableServiceAccountSseDocument,
+    "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      thirdPartyAuthEnabled\n    }\n  }\n}": types.EnableSaClientKeyManagementDocument,
+    "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
@@ -124,7 +125,7 @@ const documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      name\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    thirdPartyAuthEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
@@ -379,7 +380,11 @@ export function graphql(source: "mutation DeleteServiceAccountTokenOp($id: ID!)
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation EnableServiceAccountSSE($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountThirdPartyAuth(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableServiceAccountSSE($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountThirdPartyAuth(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"];
+export function graphql(source: "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      thirdPartyAuthEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      thirdPartyAuthEnabled\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -611,7 +616,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    thirdPartyAuthEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    thirdPartyAuthEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */

From 9a5772fdd94b3ccdcb0c730271ad2d797d709bdf Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:29:35 +0530
Subject: [PATCH 12/80] feat: enhance service account mutations and queries for
 key management

- Introduced `EnableServiceAccountClientSideKeyManagementMutation` and `EnableServiceAccountServerSideKeyManagementMutation` to improve key management capabilities.
- Updated `GetServiceAccountDetail` query to include `thirdPartyAuthEnabled` field for better service account detail retrieval.
- Renamed existing mutations for clarity and consistency in naming conventions.
---
 frontend/apollo/graphql.ts | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 84193664d..165d606c4 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -473,8 +473,13 @@ export type EditSecretMutation = {
   secret?: Maybe<SecretType>;
 };
 
-export type EnableServiceAccountThirdPartyAuthMutation = {
-  __typename?: 'EnableServiceAccountThirdPartyAuthMutation';
+export type EnableServiceAccountClientSideKeyManagementMutation = {
+  __typename?: 'EnableServiceAccountClientSideKeyManagementMutation';
+  serviceAccount?: Maybe<ServiceAccountType>;
+};
+
+export type EnableServiceAccountServerSideKeyManagementMutation = {
+  __typename?: 'EnableServiceAccountServerSideKeyManagementMutation';
   serviceAccount?: Maybe<ServiceAccountType>;
 };
 
@@ -735,7 +740,8 @@ export type Mutation = {
   deleteUserToken?: Maybe<DeleteUserTokenMutation>;
   editSecret?: Maybe<EditSecretMutation>;
   editSecrets?: Maybe<BulkEditSecretMutation>;
-  enableServiceAccountThirdPartyAuth?: Maybe<EnableServiceAccountThirdPartyAuthMutation>;
+  enableServiceAccountClientSideKeyManagement?: Maybe<EnableServiceAccountClientSideKeyManagementMutation>;
+  enableServiceAccountServerSideKeyManagement?: Maybe<EnableServiceAccountServerSideKeyManagementMutation>;
   initEnvSync?: Maybe<InitEnvSync>;
   modifySubscription?: Maybe<UpdateSubscriptionResponse>;
   readSecret?: Maybe<ReadSecretMutation>;
@@ -1149,7 +1155,12 @@ export type MutationEditSecretsArgs = {
 };
 
 
-export type MutationEnableServiceAccountThirdPartyAuthArgs = {
+export type MutationEnableServiceAccountClientSideKeyManagementArgs = {
+  serviceAccountId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
+export type MutationEnableServiceAccountServerSideKeyManagementArgs = {
   serverWrappedKeyring?: InputMaybe<Scalars['String']['input']>;
   serverWrappedRecovery?: InputMaybe<Scalars['String']['input']>;
   serviceAccountId?: InputMaybe<Scalars['ID']['input']>;
@@ -2644,14 +2655,21 @@ export type DeleteServiceAccountTokenOpMutationVariables = Exact<{
 
 export type DeleteServiceAccountTokenOpMutation = { __typename?: 'Mutation', deleteServiceAccountToken?: { __typename?: 'DeleteServiceAccountTokenMutation', ok?: boolean | null } | null };
 
-export type EnableServiceAccountSseMutationVariables = Exact<{
+export type EnableSaClientKeyManagementMutationVariables = Exact<{
+  serviceAccountId: Scalars['ID']['input'];
+}>;
+
+
+export type EnableSaClientKeyManagementMutation = { __typename?: 'Mutation', enableServiceAccountClientSideKeyManagement?: { __typename?: 'EnableServiceAccountClientSideKeyManagementMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, thirdPartyAuthEnabled?: boolean | null } | null } | null };
+
+export type EnableSaServerKeyManagementMutationVariables = Exact<{
   serviceAccountId: Scalars['ID']['input'];
   serverWrappedKeyring: Scalars['String']['input'];
   serverWrappedRecovery: Scalars['String']['input'];
 }>;
 
 
-export type EnableServiceAccountSseMutation = { __typename?: 'Mutation', enableServiceAccountThirdPartyAuth?: { __typename?: 'EnableServiceAccountThirdPartyAuthMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, thirdPartyAuthEnabled?: boolean | null } | null } | null };
+export type EnableSaServerKeyManagementMutation = { __typename?: 'Mutation', enableServiceAccountServerSideKeyManagement?: { __typename?: 'EnableServiceAccountServerSideKeyManagementMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, thirdPartyAuthEnabled?: boolean | null } | null } | null };
 
 export type UpdateServiceAccountHandlerKeysMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3140,7 +3158,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, thirdPartyAuthEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3354,7 +3372,8 @@ export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
 export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountTokenOpMutation, DeleteServiceAccountTokenOpMutationVariables>;
-export const EnableServiceAccountSseDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableServiceAccountSSE"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountThirdPartyAuth"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableServiceAccountSseMutation, EnableServiceAccountSseMutationVariables>;
+export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAClientKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountClientSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaClientKeyManagementMutation, EnableSaClientKeyManagementMutationVariables>;
+export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
@@ -3412,7 +3431,7 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;

From 234b985702009c46f21f2ab207e1334a23d8bb7a Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:30:03 +0530
Subject: [PATCH 13/80] feat: add service account secret wrapping and
 unwrapping functions

- Introduced `wrapServiceAccountSecretsForServer` to securely wrap service account keyring and recovery for server-side encryption.
- Added `unwrapServiceAccountSecretsForUser` to decrypt and retrieve the original keyring and recovery for the current user.
- Enhanced documentation with detailed JSDoc comments for both functions, improving code clarity and usability.
---
 frontend/utils/crypto/service-accounts.ts | 60 ++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/frontend/utils/crypto/service-accounts.ts b/frontend/utils/crypto/service-accounts.ts
index 797479c53..81ed02bb5 100644
--- a/frontend/utils/crypto/service-accounts.ts
+++ b/frontend/utils/crypto/service-accounts.ts
@@ -124,4 +124,62 @@ export const updateServiceAccountHandlers = async (orgId: string, userKeyring: O
 
   })
   
-}
\ No newline at end of file
+}
+
+/**
+ * Wraps service account keyring and recovery for server-side encryption.
+ * 
+ * @param {string} keyringString - The service account keyring as JSON string
+ * @param {string} recoveryString - The service account recovery/mnemonic string
+ * @param {string} serverPublicKey - The server's public key for encryption
+ * @returns {Promise<{ serverWrappedKeyring: string; serverWrappedRecovery: string }>}
+ */
+export const wrapServiceAccountSecretsForServer = async (
+  keyringString: string,
+  recoveryString: string,
+  serverPublicKey: string
+) => {
+  const serverWrappedKeyring = await encryptAsymmetric(keyringString, serverPublicKey)
+  const serverWrappedRecovery = await encryptAsymmetric(recoveryString, serverPublicKey)
+
+  return {
+    serverWrappedKeyring,
+    serverWrappedRecovery,
+  }
+}
+
+/**
+ * Unwraps service account keyring and recovery for the current user.
+ * 
+ * @param {string} wrappedKeyring - The user-wrapped keyring
+ * @param {string} wrappedRecovery - The user-wrapped recovery
+ * @param {OrganisationKeyring} userKeyring - The current user's keyring
+ * @returns {Promise<{ keyringString: string; recoveryString: string }>}
+ */
+export const unwrapServiceAccountSecretsForUser = async (
+  wrappedKeyring: string,
+  wrappedRecovery: string,
+  userKeyring: OrganisationKeyring
+) => {
+  const userKxKeys = {
+    publicKey: await getUserKxPublicKey(userKeyring.publicKey),
+    privateKey: await getUserKxPrivateKey(userKeyring.privateKey),
+  }
+
+  const keyringString = await decryptAsymmetric(
+    wrappedKeyring,
+    userKxKeys.privateKey,
+    userKxKeys.publicKey
+  )
+
+  const recoveryString = await decryptAsymmetric(
+    wrappedRecovery,
+    userKxKeys.privateKey,
+    userKxKeys.publicKey
+  )
+
+  return {
+    keyringString,
+    recoveryString,
+  }
+}

From d9528d547c15e8e72e34bdda15501036d285cfd9 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:31:06 +0530
Subject: [PATCH 14/80] feat: implement KeyManagementDialog for service account
 key management

- Introduced `KeyManagementDialog` component to manage service account key settings, allowing users to switch between client-side and server-side key management.
- Integrated Apollo Client for querying and mutating service account data, enhancing user experience with real-time updates.
- Added user permission checks to ensure only authorized users can manage key settings, improving security and usability.
- Included visual alerts and feedback for actions taken within the dialog, enhancing user interaction and clarity.
---
 .../service-accounts/KeyManagementDialog.tsx  | 405 ++++++++++++++++++
 1 file changed, 405 insertions(+)
 create mode 100644 frontend/components/service-accounts/KeyManagementDialog.tsx

diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
new file mode 100644
index 000000000..4bba4271d
--- /dev/null
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -0,0 +1,405 @@
+import { ServiceAccountType } from '@/apollo/graphql'
+import { useMutation, useQuery } from '@apollo/client'
+import { Dialog, Transition } from '@headlessui/react'
+import { useState, Fragment, useContext } from 'react'
+import { FaTimes, FaCog, FaUsers } from 'react-icons/fa'
+import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
+import { MdMenuBook } from 'react-icons/md'
+import clsx from 'clsx'
+import { toast } from 'react-toastify'
+import { Alert } from '../common/Alert'
+import { Button } from '../common/Button'
+import { KeyringContext } from '@/contexts/keyringContext'
+import GetServerKey from '@/graphql/queries/syncing/getServerKey.gql'
+import { GetServiceAccountDetail } from '@/graphql/queries/service-accounts/getServiceAccountDetail.gql'
+import { organisationContext } from '@/contexts/organisationContext'
+import {
+  unwrapServiceAccountSecretsForUser,
+  wrapServiceAccountSecretsForServer,
+} from '@/utils/crypto/service-accounts'
+import { userHasPermission } from '@/utils/access/permissions'
+import Link from 'next/link'
+import EnableServerSide from '@/graphql/mutations/service-accounts/enableServiceAccountServerSideKeyManagement.gql'
+import EnableClientSide from '@/graphql/mutations/service-accounts/enableServiceAccountClientSideKeyManagement.gql'
+
+interface KeyManagementDialogProps {
+  serviceAccount: ServiceAccountType
+  trigger?: React.ReactNode
+  mode?: 'enable' | 'manage'
+}
+
+export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
+  const { serviceAccount, trigger, mode = 'manage' } = props
+
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const { keyring } = useContext(KeyringContext)
+
+  const { data: serverKeyData } = useQuery(GetServerKey)
+  const [enableSSE, { loading: enableLoading }] = useMutation(EnableServerSide)
+  const [disableSSE, { loading: disableLoading }] = useMutation(EnableClientSide)
+
+  const userCanManageKeys = organisation
+    ? userHasPermission(organisation.role?.permissions, 'ServiceAccounts', 'update')
+    : false
+
+  const [isOpen, setIsOpen] = useState<boolean>(false)
+  const [selectedMode, setSelectedMode] = useState<'client' | 'server'>(
+    serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client'
+  )
+
+  const closeModal = () => {
+    setIsOpen(false)
+    // Reset to current state when closing
+    setSelectedMode(serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client')
+  }
+
+  const openModal = () => {
+    // Always sync mode with latest account state on open
+    setSelectedMode(serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client')
+    setIsOpen(true)
+  }
+
+  const handleSave = async (e: { preventDefault: () => void }) => {
+    e.preventDefault()
+
+    if (selectedMode === 'server' && !serviceAccount.thirdPartyAuthEnabled) {
+      // Enable server-side encryption
+      await handleEnableSSE()
+    } else if (selectedMode === 'client' && serviceAccount.thirdPartyAuthEnabled) {
+      // Disable server-side encryption (switch to client-side)
+      await handleDisableSSE()
+    } else {
+      // No change needed
+      closeModal()
+    }
+  }
+
+  const handleEnableSSE = async () => {
+    if (!keyring || !serverKeyData?.serverPublicKey) {
+      toast.error('Missing required keys')
+      return
+    }
+
+    try {
+      // Find the current user's handler for this service account
+      const currentUserHandler = serviceAccount.handlers?.find(
+        (handler) => handler?.user.self === true
+      )
+
+      if (!currentUserHandler) {
+        toast.error('You do not have handler access to this service account')
+        return
+      }
+
+      // Unwrap the service account secrets using the current user's keys
+      const { keyringString, recoveryString } = await unwrapServiceAccountSecretsForUser(
+        currentUserHandler.wrappedKeyring,
+        currentUserHandler.wrappedRecovery,
+        keyring
+      )
+
+      // Wrap the secrets for the server
+      const { serverWrappedKeyring, serverWrappedRecovery } =
+        await wrapServiceAccountSecretsForServer(
+          keyringString,
+          recoveryString,
+          serverKeyData.serverPublicKey
+        )
+
+      await toast.promise(
+        enableSSE({
+          variables: {
+            serviceAccountId: serviceAccount.id,
+            serverWrappedKeyring,
+            serverWrappedRecovery,
+          },
+          refetchQueries: [
+            {
+              query: GetServiceAccountDetail,
+              variables: { orgId: organisation!.id, id: serviceAccount.id },
+            },
+          ],
+        }),
+        {
+          pending: 'Enabling server-side key management...',
+          success: 'Server-side key management enabled.',
+          error: 'Failed to enable server-side key management',
+        }
+      )
+      // Ensure local state reflects new server-side mode
+      setSelectedMode('server')
+      closeModal()
+    } catch (error) {
+      console.error('Error enabling SSE:', error)
+      toast.error('Failed to enable server-side key management')
+    }
+  }
+
+  const handleDisableSSE = async () => {
+    try {
+      await toast.promise(
+        disableSSE({
+          variables: {
+            serviceAccountId: serviceAccount.id,
+          },
+          refetchQueries: [
+            {
+              query: GetServiceAccountDetail,
+              variables: { orgId: organisation!.id, id: serviceAccount.id },
+            },
+          ],
+        }),
+        {
+          pending: 'Switching to client-side key management...',
+          success: 'Client-side key management enabled.',
+          error: 'Failed to switch to client-side key management',
+        }
+      )
+      // Ensure local state reflects new client-side mode
+      setSelectedMode('client')
+      closeModal()
+    } catch (error) {
+      console.error('Error disabling SSE:', error)
+      toast.error('Failed to switch to client-side key management')
+    }
+  }
+
+  const currentMode = serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client'
+  const hasChanges = selectedMode !== currentMode
+
+  return (
+    <>
+      {trigger ? (
+        <div onClick={openModal} className="cursor-pointer">
+          {trigger}
+        </div>
+      ) : (
+        <div className="flex items-center justify-center">
+          <Button variant="primary" onClick={openModal} title="Manage Key Settings">
+            <FaCog /> Manage
+          </Button>
+        </div>
+      )}
+
+      <Transition appear show={isOpen} as={Fragment}>
+        <Dialog as="div" className="relative z-10" onClose={closeModal}>
+          <Transition.Child
+            as={Fragment}
+            enter="ease-out duration-300"
+            enterFrom="opacity-0"
+            enterTo="opacity-100"
+            leave="ease-in duration-200"
+            leaveFrom="opacity-100"
+            leaveTo="opacity-0"
+          >
+            <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
+          </Transition.Child>
+
+          <div className="fixed inset-0 overflow-y-auto">
+            <div className="flex min-h-full items-center justify-center p-4 text-center">
+              <Transition.Child
+                as={Fragment}
+                enter="ease-out duration-300"
+                enterFrom="opacity-0 scale-95"
+                enterTo="opacity-100 scale-100"
+                leave="ease-in duration-200"
+                leaveFrom="opacity-100 scale-100"
+                leaveTo="opacity-0 scale-95"
+              >
+                <Dialog.Panel className="w-full max-w-2xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
+                  <Dialog.Title as="div" className="flex w-full justify-between items-center">
+                    <h3 className="text-lg font-medium leading-6 text-black dark:text-white ">
+                      Key Management Settings
+                    </h3>
+
+                    <div className="flex items-center gap-2">
+                      <Link
+                        href="https://docs.phase.dev/access-control/service-accounts"
+                        target="_blank"
+                        rel="noreferrer"
+                      >
+                        <Button type="button" variant="outline">
+                          <MdMenuBook className="my-1 shrink-0" />
+                          Docs
+                        </Button>
+                      </Link>
+
+                      <Button variant="text" onClick={closeModal}>
+                        <FaTimes className="text-zinc-900 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-300" />
+                      </Button>
+                    </div>
+                  </Dialog.Title>
+
+                  {userCanManageKeys ? (
+                    <form className="space-y-6 py-4" onSubmit={handleSave}>
+                      <p className="text-neutral-500">
+                        Choose where and how keys are managed for this Service Account:
+                      </p>
+
+                      <div className="space-y-4">
+                        {/* Client-side option */}
+                        <label
+                          className={clsx(
+                            'flex items-start gap-3 p-4 rounded-lg cursor-pointer transition-colors ring-1 ring-inset',
+                            selectedMode === 'client'
+                              ? 'bg-emerald-400/10 ring-emerald-400/30'
+                              : 'ring-neutral-500/20 hover:bg-neutral-50 dark:hover:bg-neutral-800'
+                          )}
+                        >
+                          <input
+                            type="radio"
+                            name="keyManagement"
+                            value="client"
+                            checked={selectedMode === 'client'}
+                            onChange={(e) => setSelectedMode('client')}
+                            className="sr-only peer"
+                          />
+                          <span
+                            className={clsx(
+                              'mt-1 h-4 w-4 rounded-full border flex items-center justify-center shrink-0',
+                              selectedMode === 'client'
+                                ? 'border-emerald-500'
+                                : 'border-neutral-400'
+                            )}
+                          >
+                            <span
+                              className={clsx(
+                                'h-2.5 w-2.5 rounded-full transition-colors',
+                                selectedMode === 'client' ? 'bg-emerald-500' : 'bg-transparent'
+                              )}
+                            />
+                          </span>
+                          <div className="flex-1">
+                            <div
+                              className={clsx(
+                                'flex items-center gap-2 font-medium',
+                                selectedMode === 'client'
+                                  ? 'text-emerald-600'
+                                  : 'text-black dark:text-white'
+                              )}
+                            >
+                              <FaArrowDownUpLock
+                                className={clsx(
+                                  selectedMode === 'client' ? 'text-emerald-500' : ''
+                                )}
+                              />
+                              Client-side key management
+                            </div>
+                            <p className="text-sm text-neutral-500 mt-1">
+                              Handle all cryptographic operations such as token generation on the
+                              client with end-to-end encryption. Requires manual intervention.
+                            </p>
+                          </div>
+                        </label>
+
+                        {/* Server-side option */}
+                        <label
+                          className={clsx(
+                            'flex items-start gap-3 p-4 rounded-lg cursor-pointer transition-colors ring-1 ring-inset',
+                            selectedMode === 'server'
+                              ? 'bg-sky-400/10 ring-sky-400/30'
+                              : 'ring-neutral-500/20 hover:bg-neutral-50 dark:hover:bg-neutral-800'
+                          )}
+                        >
+                          <input
+                            type="radio"
+                            name="keyManagement"
+                            value="server"
+                            checked={selectedMode === 'server'}
+                            onChange={(e) => setSelectedMode('server')}
+                            className="sr-only peer"
+                          />
+                          <span
+                            className={clsx(
+                              'mt-1 h-4 w-4 rounded-full border flex items-center justify-center shrink-0',
+                              selectedMode === 'server' ? 'border-sky-500' : 'border-neutral-400'
+                            )}
+                          >
+                            <span
+                              className={clsx(
+                                'h-2.5 w-2.5 rounded-full transition-colors',
+                                selectedMode === 'server' ? 'bg-sky-500' : 'bg-transparent'
+                              )}
+                            />
+                          </span>
+                          <div className="flex-1">
+                            <div
+                              className={clsx(
+                                'flex items-center gap-2 font-medium',
+                                selectedMode === 'server'
+                                  ? 'text-sky-600'
+                                  : 'text-black dark:text-white'
+                              )}
+                            >
+                              <FaServer
+                                className={clsx(selectedMode === 'server' ? 'text-sky-500' : '')}
+                              />
+                              Server-side key management
+                            </div>
+                            <p className="text-sm text-neutral-500 mt-1">
+                              Allow the server to manage keys on behalf of the Service Account.
+                              Enables automated operations, token generation, and API access without
+                              manual intervention.
+                            </p>
+                          </div>
+                        </label>
+                      </div>
+
+                      {hasChanges &&
+                        selectedMode === 'server' &&
+                        !serviceAccount.thirdPartyAuthEnabled && (
+                          <Alert variant="info" icon={true}>
+                            Enabling server-side key management will allow the server to securely
+                            access keys and generate tokens on behalf of the Service Account.
+                          </Alert>
+                        )}
+
+                      {hasChanges &&
+                        selectedMode === 'client' &&
+                        serviceAccount.thirdPartyAuthEnabled && (
+                          <Alert variant="warning" icon={true}>
+                            Switching to client-side key management will remove server access to
+                            this account&apos;s keys. All previously generated access tokens will
+                            continue to work until they expire.
+                          </Alert>
+                        )}
+
+                      <div className="flex items-center gap-4 justify-between">
+                        <Button variant="secondary" type="button" onClick={closeModal}>
+                          Cancel
+                        </Button>
+                        <Button
+                          variant="primary"
+                          type="submit"
+                          isLoading={enableLoading || disableLoading}
+                          disabled={!hasChanges}
+                        >
+                          Save
+                        </Button>
+                      </div>
+                    </form>
+                  ) : (
+                    <div className="py-4 space-y-4">
+                      <Alert variant="info" icon={true}>
+                        Only users with Service Account update permissions can manage key settings
+                        for this Service Account. Please contact an Organization Owner or Admin.
+                      </Alert>
+
+                      <div className="flex items-center justify-end">
+                        <Link href={`/${organisation?.name}/access/service-accounts`}>
+                          <Button variant="secondary">
+                            <FaUsers /> View Service Accounts
+                          </Button>
+                        </Link>
+                      </div>
+                    </div>
+                  )}
+                </Dialog.Panel>
+              </Transition.Child>
+            </div>
+          </div>
+        </Dialog>
+      </Transition>
+    </>
+  )
+}

From 7018c3be2dfdd9c6d24ebcb463bf6f1e52406de0 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:31:16 +0530
Subject: [PATCH 15/80] feat: enhance ServiceAccountTokens component to display
 creator information

- Updated the `ServiceAccountTokens` component to conditionally render the creator's information, supporting both user and service account creators.
- Added fallback text for unknown creators, improving user experience and clarity in token origin tracking.
---
 .../_components/ServiceAccountTokens.tsx      | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx
index 9ef68e79a..a187190a3 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountTokens.tsx
@@ -94,10 +94,23 @@ export const ServiceAccountTokens = ({ account }: { account: ServiceAccountType
                     </div>
                     <div className="flex items-center gap-2">
                       <span className="text-neutral-500">by</span>
-                      <Avatar member={token!.createdBy!} size="sm" />
-                      <span className="font-medium text-zinc-900 dark:text-zinc-100">
-                        {token?.createdBy?.fullName}
-                      </span>
+                      {token?.createdBy ? (
+                        <>
+                          <Avatar member={token.createdBy} size="sm" />
+                          <span className="font-medium text-zinc-900 dark:text-zinc-100">
+                            {token.createdBy.fullName}
+                          </span>
+                        </>
+                      ) : token?.createdByServiceAccount ? (
+                        <>
+                          <Avatar serviceAccount={token.createdByServiceAccount} size="sm" />
+                          <span className="font-medium text-zinc-900 dark:text-zinc-100">
+                            {token.createdByServiceAccount.name}
+                          </span>
+                        </>
+                      ) : (
+                        <span className="text-neutral-400 italic">Unknown</span>
+                      )}
                     </div>
                   </div>
 

From 498f4c2d4f2c7ac1f912febf7ff2974b70731e89 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:31:23 +0530
Subject: [PATCH 16/80] feat: add createdByServiceAccount field to
 GetServiceAccountTokens query

- Enhanced the `GetServiceAccountTokens` query by including the `createdByServiceAccount` field, which provides details about the creator of the service account tokens, improving tracking and transparency of token origins.
---
 .../queries/service-accounts/getServiceAccountTokens.gql     | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/frontend/graphql/queries/service-accounts/getServiceAccountTokens.gql b/frontend/graphql/queries/service-accounts/getServiceAccountTokens.gql
index d8cba2ac2..86dfefe13 100644
--- a/frontend/graphql/queries/service-accounts/getServiceAccountTokens.gql
+++ b/frontend/graphql/queries/service-accounts/getServiceAccountTokens.gql
@@ -11,6 +11,11 @@ query GetServiceAccountTokens($orgId: ID!, $id: ID) {
         avatarUrl
         self
       }
+      createdByServiceAccount {
+        id
+        name
+        identityKey
+      }
       lastUsed
     }
   }

From a0a57ab96882f204348b2f2006941a04942c8570 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:46:19 +0530
Subject: [PATCH 17/80] feat: rename third_party_auth_enabled to
 server_side_key_management_enabled in ServiceAccountType

- Updated the `ServiceAccountType` to replace the `third_party_auth_enabled` field with `server_side_key_management_enabled`, reflecting a clearer purpose for server-side key management.
- Adjusted the corresponding resolver method to match the new field name, ensuring consistency in the API.
---
 backend/backend/graphene/types.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index ebf3d3c82..6e32f3202 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -676,7 +676,7 @@ def resolve_environments(self, info):
 
 class ServiceAccountType(DjangoObjectType):
 
-    third_party_auth_enabled = graphene.Boolean()
+    server_side_key_management_enabled = graphene.Boolean()
     handlers = graphene.List(ServiceAccountHandlerType)
     tokens = graphene.List(ServiceAccountTokenType)
     app_memberships = graphene.List(graphene.NonNull(AppMembershipType))
@@ -694,7 +694,7 @@ class Meta:
             "deleted_at",
         )
 
-    def resolve_third_party_auth_enabled(self, info):
+    def resolve_server_side_key_management_enabled(self, info):
         return (
             self.server_wrapped_keyring is not None
             and self.server_wrapped_recovery is not None

From 5e80b3f8e48263f951819f88e59a10469a373563 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:46:40 +0530
Subject: [PATCH 18/80] feat: update ServiceAccountType and related queries for
 key management

- Replaced the `thirdPartyAuthEnabled` field with `serverSideKeyManagementEnabled` in the `ServiceAccountType` to better reflect the functionality of server-side key management.
- Updated the `GetServiceAccountDetail` query and related mutations to utilize the new field, ensuring consistency across the API.
- Adjusted the GraphQL documents and types to align with the new schema changes, enhancing clarity and usability in service account management.
---
 frontend/apollo/gql.ts         | 12 ++++++------
 frontend/apollo/graphql.ts     | 14 +++++++-------
 frontend/apollo/schema.graphql |  2 +-
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 211aa3992..11620e7a3 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -66,8 +66,8 @@ const documents = {
     "mutation CreateSAToken($serviceAccountId: ID!, $name: String!, $identityKey: String!, $token: String!, $wrappedKeyShare: String!, $expiry: BigInt) {\n  createServiceAccountToken(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    identityKey: $identityKey\n    token: $token\n    wrappedKeyShare: $wrappedKeyShare\n    expiry: $expiry\n  ) {\n    token {\n      id\n    }\n  }\n}": types.CreateSaTokenDocument,
     "mutation DeleteServiceAccountOp($id: ID!) {\n  deleteServiceAccount(serviceAccountId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountOpDocument,
     "mutation DeleteServiceAccountTokenOp($id: ID!) {\n  deleteServiceAccountToken(tokenId: $id) {\n    ok\n  }\n}": types.DeleteServiceAccountTokenOpDocument,
-    "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      thirdPartyAuthEnabled\n    }\n  }\n}": types.EnableSaClientKeyManagementDocument,
-    "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
+    "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaClientKeyManagementDocument,
+    "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
     "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
@@ -125,7 +125,7 @@ const documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      name\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    thirdPartyAuthEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
@@ -380,11 +380,11 @@ export function graphql(source: "mutation DeleteServiceAccountTokenOp($id: ID!)
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      thirdPartyAuthEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      thirdPartyAuthEnabled\n    }\n  }\n}"];
+export function graphql(source: "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      serverSideKeyManagementEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      serverSideKeyManagementEnabled\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      thirdPartyAuthEnabled\n    }\n  }\n}"];
+export function graphql(source: "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}"): (typeof documents)["mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -616,7 +616,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    thirdPartyAuthEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    thirdPartyAuthEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 165d606c4..b43cbb13a 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -2011,7 +2011,7 @@ export type ServiceAccountType = {
   name: Scalars['String']['output'];
   networkPolicies?: Maybe<Array<NetworkAccessPolicyType>>;
   role?: Maybe<RoleType>;
-  thirdPartyAuthEnabled?: Maybe<Scalars['Boolean']['output']>;
+  serverSideKeyManagementEnabled?: Maybe<Scalars['Boolean']['output']>;
   tokens?: Maybe<Array<Maybe<ServiceAccountTokenType>>>;
   updatedAt: Scalars['DateTime']['output'];
 };
@@ -2660,7 +2660,7 @@ export type EnableSaClientKeyManagementMutationVariables = Exact<{
 }>;
 
 
-export type EnableSaClientKeyManagementMutation = { __typename?: 'Mutation', enableServiceAccountClientSideKeyManagement?: { __typename?: 'EnableServiceAccountClientSideKeyManagementMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, thirdPartyAuthEnabled?: boolean | null } | null } | null };
+export type EnableSaClientKeyManagementMutation = { __typename?: 'Mutation', enableServiceAccountClientSideKeyManagement?: { __typename?: 'EnableServiceAccountClientSideKeyManagementMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null } | null } | null };
 
 export type EnableSaServerKeyManagementMutationVariables = Exact<{
   serviceAccountId: Scalars['ID']['input'];
@@ -2669,7 +2669,7 @@ export type EnableSaServerKeyManagementMutationVariables = Exact<{
 }>;
 
 
-export type EnableSaServerKeyManagementMutation = { __typename?: 'Mutation', enableServiceAccountServerSideKeyManagement?: { __typename?: 'EnableServiceAccountServerSideKeyManagementMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, thirdPartyAuthEnabled?: boolean | null } | null } | null };
+export type EnableSaServerKeyManagementMutation = { __typename?: 'Mutation', enableServiceAccountServerSideKeyManagement?: { __typename?: 'EnableServiceAccountServerSideKeyManagementMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, serverSideKeyManagementEnabled?: boolean | null } | null } | null };
 
 export type UpdateServiceAccountHandlerKeysMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3158,7 +3158,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, thirdPartyAuthEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3372,8 +3372,8 @@ export const CreateServiceAccountOpDocument = {"kind":"Document","definitions":[
 export const CreateSaTokenDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSAToken"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"token"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"BigInt"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"token"},"value":{"kind":"Variable","name":{"kind":"Name","value":"token"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyShare"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyShare"}}},{"kind":"Argument","name":{"kind":"Name","value":"expiry"},"value":{"kind":"Variable","name":{"kind":"Name","value":"expiry"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"token"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSaTokenMutation, CreateSaTokenMutationVariables>;
 export const DeleteServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountOpMutation, DeleteServiceAccountOpMutationVariables>;
 export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteServiceAccountTokenOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteServiceAccountToken"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"tokenId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteServiceAccountTokenOpMutation, DeleteServiceAccountTokenOpMutationVariables>;
-export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAClientKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountClientSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaClientKeyManagementMutation, EnableSaClientKeyManagementMutationVariables>;
-export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
+export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAClientKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountClientSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaClientKeyManagementMutation, EnableSaClientKeyManagementMutationVariables>;
+export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
 export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
@@ -3431,7 +3431,7 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"thirdPartyAuthEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index a09623e64..40a41f322 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -280,7 +280,7 @@ type ServiceAccountType {
   createdAt: DateTime
   updatedAt: DateTime!
   deletedAt: DateTime
-  thirdPartyAuthEnabled: Boolean
+  serverSideKeyManagementEnabled: Boolean
   handlers: [ServiceAccountHandlerType]
   tokens: [ServiceAccountTokenType]
   appMemberships: [AppMembershipType!]

From b299c7718c382b77bf68f289857ca5b8c504127a Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:47:00 +0530
Subject: [PATCH 19/80] feat: add serverSideKeyManagementEnabled field to
 GetServiceAccountDetail query

- Updated the `GetServiceAccountDetail` query to include the `serverSideKeyManagementEnabled` field, enhancing the detail provided for service accounts and aligning with recent schema changes for key management.
---
 .../graphql/queries/service-accounts/getServiceAccountDetail.gql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
index 1ed76111c..791c432c9 100644
--- a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
+++ b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
@@ -3,6 +3,7 @@ query GetServiceAccountDetail($orgId: ID!, $id: ID) {
     id
     name
     identityKey
+    serverSideKeyManagementEnabled
     role {
       id
       name

From 86f6fbac4e527063edff48809e79f88bdc1b286a Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:47:08 +0530
Subject: [PATCH 20/80] feat: add mutations for enabling client-side and
 server-side key management for service accounts

- Introduced `EnableSAClientKeyManagement` mutation to enable client-side key management for service accounts.
- Added `EnableSAServerKeyManagement` mutation to enable server-side key management, requiring additional parameters for secure key handling.
- Enhanced service account management capabilities by providing distinct mutations for both client-side and server-side key management.
---
 ...eServiceAccountClientSideKeyManagement.gql | 12 ++++++++++++
 ...eServiceAccountServerSideKeyManagement.gql | 19 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 frontend/graphql/mutations/service-accounts/enableServiceAccountClientSideKeyManagement.gql
 create mode 100644 frontend/graphql/mutations/service-accounts/enableServiceAccountServerSideKeyManagement.gql

diff --git a/frontend/graphql/mutations/service-accounts/enableServiceAccountClientSideKeyManagement.gql b/frontend/graphql/mutations/service-accounts/enableServiceAccountClientSideKeyManagement.gql
new file mode 100644
index 000000000..91bfd41e8
--- /dev/null
+++ b/frontend/graphql/mutations/service-accounts/enableServiceAccountClientSideKeyManagement.gql
@@ -0,0 +1,12 @@
+mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {
+  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {
+    serviceAccount {
+      id
+      name
+      identityKey
+      serverSideKeyManagementEnabled
+    }
+  }
+}
+
+
diff --git a/frontend/graphql/mutations/service-accounts/enableServiceAccountServerSideKeyManagement.gql b/frontend/graphql/mutations/service-accounts/enableServiceAccountServerSideKeyManagement.gql
new file mode 100644
index 000000000..65a7d4950
--- /dev/null
+++ b/frontend/graphql/mutations/service-accounts/enableServiceAccountServerSideKeyManagement.gql
@@ -0,0 +1,19 @@
+mutation EnableSAServerKeyManagement(
+  $serviceAccountId: ID!
+  $serverWrappedKeyring: String!
+  $serverWrappedRecovery: String!
+) {
+  enableServiceAccountServerSideKeyManagement(
+    serviceAccountId: $serviceAccountId
+    serverWrappedKeyring: $serverWrappedKeyring
+    serverWrappedRecovery: $serverWrappedRecovery
+  ) {
+    serviceAccount {
+      id
+      name
+      serverSideKeyManagementEnabled
+    }
+  }
+}
+
+

From 64bdc5514cfff51834c88deb11c59a03bf9b97e0 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:47:32 +0530
Subject: [PATCH 21/80] fix: update KeyManagementDialog to use
 serverSideKeyManagementEnabled

- Replaced instances of thirdPartyAuthEnabled with serverSideKeyManagementEnabled in KeyManagementDialog component to ensure accurate state management for key management modes.
- Adjusted modal open/close behavior and save logic to reflect the new field, enhancing the functionality and clarity of service account key management.
---
 .../service-accounts/KeyManagementDialog.tsx     | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index 4bba4271d..05e00c1fe 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -44,28 +44,28 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
 
   const [isOpen, setIsOpen] = useState<boolean>(false)
   const [selectedMode, setSelectedMode] = useState<'client' | 'server'>(
-    serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client'
+    serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client'
   )
 
   const closeModal = () => {
     setIsOpen(false)
     // Reset to current state when closing
-    setSelectedMode(serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client')
+    setSelectedMode(serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client')
   }
 
   const openModal = () => {
     // Always sync mode with latest account state on open
-    setSelectedMode(serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client')
+    setSelectedMode(serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client')
     setIsOpen(true)
   }
 
   const handleSave = async (e: { preventDefault: () => void }) => {
     e.preventDefault()
 
-    if (selectedMode === 'server' && !serviceAccount.thirdPartyAuthEnabled) {
+    if (selectedMode === 'server' && !serviceAccount.serverSideKeyManagementEnabled) {
       // Enable server-side encryption
       await handleEnableSSE()
-    } else if (selectedMode === 'client' && serviceAccount.thirdPartyAuthEnabled) {
+    } else if (selectedMode === 'client' && serviceAccount.serverSideKeyManagementEnabled) {
       // Disable server-side encryption (switch to client-side)
       await handleDisableSSE()
     } else {
@@ -164,7 +164,7 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
     }
   }
 
-  const currentMode = serviceAccount.thirdPartyAuthEnabled ? 'server' : 'client'
+  const currentMode = serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client'
   const hasChanges = selectedMode !== currentMode
 
   return (
@@ -347,7 +347,7 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
 
                       {hasChanges &&
                         selectedMode === 'server' &&
-                        !serviceAccount.thirdPartyAuthEnabled && (
+                        !serviceAccount.serverSideKeyManagementEnabled && (
                           <Alert variant="info" icon={true}>
                             Enabling server-side key management will allow the server to securely
                             access keys and generate tokens on behalf of the Service Account.
@@ -356,7 +356,7 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
 
                       {hasChanges &&
                         selectedMode === 'client' &&
-                        serviceAccount.thirdPartyAuthEnabled && (
+                        serviceAccount.serverSideKeyManagementEnabled && (
                           <Alert variant="warning" icon={true}>
                             Switching to client-side key management will remove server access to
                             this account&apos;s keys. All previously generated access tokens will

From c9dae07986554ba6ab3e60513b4b546e57a07178 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 17:47:50 +0530
Subject: [PATCH 22/80] feat: enhance ServiceAccount page with key management
 display

- Added visual indicators for server-side and client-side key management modes in the ServiceAccount component.
- Integrated KeyManagementDialog for managing key settings, allowing users to switch between management modes.
- Improved user experience by providing clear labels and management options based on the service account's key management configuration.
---
 .../service-accounts/[account]/page.tsx       | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index f54f2c4c6..19c2e44ff 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -9,6 +9,7 @@ import { useMutation, useQuery } from '@apollo/client'
 import Link from 'next/link'
 import { useContext, useEffect, useState } from 'react'
 import { FaBan, FaBoxOpen, FaChevronLeft, FaCog, FaEdit, FaNetworkWired } from 'react-icons/fa'
+import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
 import { DeleteServiceAccountDialog } from '../_components/DeleteServiceAccountDialog'
 import { AddAppButton } from './_components/AddAppsToServiceAccountsButton'
 import { ServiceAccountType } from '@/apollo/graphql'
@@ -22,6 +23,7 @@ import { SseLabel } from '@/components/apps/EncryptionModeIndicator'
 import { IPChip } from '../../network/_components/IPChip'
 import { UpdateAccountNetworkPolicies } from '@/components/access/UpdateAccountNetworkPolicies'
 import { ServiceAccountTokens } from './_components/ServiceAccountTokens'
+import { KeyManagementDialog } from '@/components/service-accounts/KeyManagementDialog'
 
 export default function ServiceAccount({ params }: { params: { team: string; account: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -166,6 +168,29 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
               )}
             </h3>
             <span className="text-neutral-500 text-sm font-mono pl-2">{account.id}</span>
+            <div className="flex items-center gap-2 text-sm text-neutral-500 mt-1">
+              {account.serverSideKeyManagementEnabled ? (
+                <FaServer className="text-neutral-500" />
+              ) : (
+                <FaArrowDownUpLock className="text-neutral-500" />
+              )}
+              <span className="whitespace-nowrap">KMS Mode:</span>
+              <span className="font-medium text-zinc-900 dark:text-zinc-100">
+                {account.serverSideKeyManagementEnabled ? 'Server-side' : 'Client-side'} key
+                management
+              </span>
+              {userCanUpdateSA && (
+                <KeyManagementDialog
+                  serviceAccount={account}
+                  trigger={
+                    <Button variant="secondary" className="flex items-center gap-2">
+                      <FaCog className="h-4 w-4" />
+                      <span>Manage</span>
+                    </Button>
+                  }
+                />
+              )}
+            </div>
           </div>
         </div>
 

From b5302520e124464f4560262a2e1886d207417ef3 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 18:09:07 +0530
Subject: [PATCH 23/80] refactor: streamline KeyManagementDialog save logic and
 remove unnecessary state updates

- Updated the save handler in KeyManagementDialog to close the modal immediately after saving, improving user experience.
- Removed redundant state updates and comments related to mode changes, simplifying the code and enhancing clarity.
- Adjusted the rendering logic to eliminate unnecessary alerts, focusing on relevant user feedback for key management actions.
---
 .../components/service-accounts/KeyManagementDialog.tsx  | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index 05e00c1fe..6f021274c 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -61,6 +61,7 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
 
   const handleSave = async (e: { preventDefault: () => void }) => {
     e.preventDefault()
+    setIsOpen(false)
 
     if (selectedMode === 'server' && !serviceAccount.serverSideKeyManagementEnabled) {
       // Enable server-side encryption
@@ -69,8 +70,6 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
       // Disable server-side encryption (switch to client-side)
       await handleDisableSSE()
     } else {
-      // No change needed
-      closeModal()
     }
   }
 
@@ -126,9 +125,6 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
           error: 'Failed to enable server-side key management',
         }
       )
-      // Ensure local state reflects new server-side mode
-      setSelectedMode('server')
-      closeModal()
     } catch (error) {
       console.error('Error enabling SSE:', error)
       toast.error('Failed to enable server-side key management')
@@ -155,9 +151,6 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
           error: 'Failed to switch to client-side key management',
         }
       )
-      // Ensure local state reflects new client-side mode
-      setSelectedMode('client')
-      closeModal()
     } catch (error) {
       console.error('Error disabling SSE:', error)
       toast.error('Failed to switch to client-side key management')

From aeb4bac83746859ed46f9af89288d59d96a0bded Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sat, 23 Aug 2025 18:09:15 +0530
Subject: [PATCH 24/80] refactor: remove unnecessary alert from
 KeyManagementDialog

- Eliminated the alert related to server-side key management in the KeyManagementDialog component, streamlining the user interface and focusing on relevant feedback for client-side management.
- This change enhances clarity and reduces visual clutter for users managing service account keys.
---
 .../components/service-accounts/KeyManagementDialog.tsx  | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index 6f021274c..d6ac9b7d3 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -338,15 +338,6 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
                         </label>
                       </div>
 
-                      {hasChanges &&
-                        selectedMode === 'server' &&
-                        !serviceAccount.serverSideKeyManagementEnabled && (
-                          <Alert variant="info" icon={true}>
-                            Enabling server-side key management will allow the server to securely
-                            access keys and generate tokens on behalf of the Service Account.
-                          </Alert>
-                        )}
-
                       {hasChanges &&
                         selectedMode === 'client' &&
                         serviceAccount.serverSideKeyManagementEnabled && (

From b40b3779be7a7dd23941182c0199c968fc0af3eb Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sun, 24 Aug 2025 22:33:07 +0530
Subject: [PATCH 25/80] feat: add TTL utility functions for human-readable time
 formats

- Introduced a new module with functions to parse, format, and validate TTL strings, enhancing the handling of time-related data.
- Added examples for common TTL formats, improving usability and clarity for developers working with time-to-live values.
---
 frontend/utils/ttl.ts | 85 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 frontend/utils/ttl.ts

diff --git a/frontend/utils/ttl.ts b/frontend/utils/ttl.ts
new file mode 100644
index 000000000..379fead7d
--- /dev/null
+++ b/frontend/utils/ttl.ts
@@ -0,0 +1,85 @@
+// TTL conversion utilities for human-readable time formats
+
+export interface ParsedTTL {
+  value: number
+  unit: 's' | 'm' | 'h' | 'd'
+  seconds: number
+}
+
+/**
+ * Parse a human-readable TTL string into seconds
+ * Supports: 60s (seconds), 10m (minutes), 100h (hours), 365d (days)
+ */
+export function parseTTL(ttlString: string): number {
+  const trimmed = ttlString.trim()
+  if (!trimmed) return 0
+
+  // If it's just a number, assume seconds
+  if (/^\d+$/.test(trimmed)) {
+    return parseInt(trimmed, 10)
+  }
+
+  const match = trimmed.match(/^(\d+)([smhd])$/i)
+  if (!match) {
+    // If invalid format, try to parse as number
+    const num = parseInt(trimmed, 10)
+    return isNaN(num) ? 0 : num
+  }
+
+  const value = parseInt(match[1], 10)
+  const unit = match[2].toLowerCase() as 's' | 'm' | 'h' | 'd'
+
+  switch (unit) {
+    case 's':
+      return value
+    case 'm':
+      return value * 60
+    case 'h':
+      return value * 60 * 60
+    case 'd':
+      return value * 24 * 60 * 60
+    default:
+      return value
+  }
+}
+
+/**
+ * Format seconds into a human-readable TTL string
+ * Automatically chooses the most appropriate unit
+ */
+export function formatTTL(seconds: number): string {
+  if (seconds === 0) return '0s'
+
+  // Find the largest unit that divides evenly
+  if (seconds % (24 * 60 * 60) === 0) {
+    return `${seconds / (24 * 60 * 60)}d`
+  }
+  if (seconds % (60 * 60) === 0) {
+    return `${seconds / (60 * 60)}h`
+  }
+  if (seconds % 60 === 0) {
+    return `${seconds / 60}m`
+  }
+  return `${seconds}s`
+}
+
+/**
+ * Validate a TTL string format
+ */
+export function isValidTTL(ttlString: string): boolean {
+  const trimmed = ttlString.trim()
+  if (!trimmed) return false
+
+  // Just a number is valid (assumes seconds)
+  if (/^\d+$/.test(trimmed)) return true
+
+  // Format: number + unit
+  return /^\d+[smhd]$/i.test(trimmed)
+}
+
+/**
+ * Get TTL examples for placeholders
+ */
+export function getTTLExamples(): string[] {
+  return ['60s', '10m', '2h', '7d']
+}

From 7023dca2926dd75f48351bd241fac97ea44d53f4 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:47:46 +0530
Subject: [PATCH 26/80] feat: add IdentityProviders class for managing
 authentication configurations

- Introduced a new IdentityProviders class to encapsulate configurations for supported identity providers, enhancing the structure for identity authentication.
- Implemented methods to retrieve all providers, supported providers, and specific provider configurations, improving the usability and maintainability of identity management.
---
 backend/api/identity_providers.py | 57 +++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 backend/api/identity_providers.py

diff --git a/backend/api/identity_providers.py b/backend/api/identity_providers.py
new file mode 100644
index 000000000..5a62bdca3
--- /dev/null
+++ b/backend/api/identity_providers.py
@@ -0,0 +1,57 @@
+class IdentityProviders:
+    """
+    Configuration for supported identity providers.
+    Similar to Providers in services.py but specifically for identity authentication.
+    """
+    
+    AWS_IAM = {
+        "id": "aws_iam",
+        "name": "AWS IAM",
+        "description": "Use AWS STS GetCallerIdentity to authenticate.",
+        "icon_id": "aws",  # Maps to ProviderIcon component
+        "supported": True,
+    }
+    
+    # Future identity providers can be added here:
+    # GitHub OIDC
+    #     "id": "github_oidc", 
+    #     "name": "GitHub OIDC",
+    #     "description": "Use GitHub OIDC for authentication.",
+    #     "icon_id": "github",
+    #     "supported": False,
+    # }
+    #
+    # Kubernetes OIDC
+    #     "id": "kubernetes_oidc",
+    #     "name": "Kubernetes OIDC", 
+    #     "description": "Use Kubernetes OIDC for authentication.",
+    #     "icon_id": "kubernetes",
+    #     "supported": False,
+    # }
+
+    @classmethod
+    def get_all_providers(cls):
+        """Get all identity providers, including unsupported ones for future roadmap display."""
+        return [
+            provider
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict)
+        ]
+    
+    @classmethod
+    def get_supported_providers(cls):
+        """Get only currently supported identity providers."""
+        return [
+            provider
+            for provider in cls.__dict__.values()
+            if isinstance(provider, dict) and provider.get("supported", False)
+        ]
+    
+    @classmethod
+    def get_provider_config(cls, provider_id):
+        """Get configuration for a specific provider by ID."""
+        for provider in cls.__dict__.values():
+            if isinstance(provider, dict) and provider["id"] == provider_id:
+                return provider
+        raise ValueError(f"Identity provider '{provider_id}' not found")
+

From 75149441d62f7c2aa3621e96ac80ac95fad6b5bf Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:48:37 +0530
Subject: [PATCH 27/80] feat: add Identity model for third-party identity
 configurations

- Introduced a new Identity model to manage third-party identity configurations at the organization level, allowing multiple service accounts to be associated with a single identity.
- Added fields for provider-specific configurations, token settings, and methods to retrieve trusted principals, enhancing the flexibility and usability of identity management.
---
 backend/api/models.py | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/backend/api/models.py b/backend/api/models.py
index 8c5ec8c8c..fde4f810e 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -279,6 +279,9 @@ class ServiceAccount(models.Model):
     network_policies = models.ManyToManyField(
         NetworkAccessPolicy, blank=True, related_name="service_accounts"
     )
+    identities = models.ManyToManyField(
+        "Identity", blank=True, related_name="service_accounts"
+    )
     created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
     updated_at = models.DateTimeField(auto_now=True)
     deleted_at = models.DateTimeField(null=True, blank=True)
@@ -732,6 +735,46 @@ class SecretEvent(models.Model):
     user_agent = models.TextField(null=True, blank=True)
 
 
+class Identity(models.Model):
+    """
+    Third-party identity configuration.
+
+    Scope: Organisation level; can be attached to multiple ServiceAccounts.
+    """
+    id = models.TextField(default=uuid4, primary_key=True, editable=False)
+    organisation = models.ForeignKey(Organisation, on_delete=models.CASCADE)
+    provider = models.CharField(max_length=64)
+    name = models.CharField(max_length=100)
+    description = models.TextField(blank=True, null=True)
+
+    # Provider-specific configuration
+    # Example for aws_iam:
+    # {
+    #   "trustedPrincipals": "arn:..., arn:...",
+    #   "signatureTtlSeconds": 60,
+    #   "stsEndpoint": "https://sts.amazonaws.com"
+    # }
+    config = models.JSONField(default=dict)
+
+    # Token configuration
+    token_name_pattern = models.CharField(max_length=128, blank=True, null=True)
+    default_ttl_seconds = models.IntegerField(default=3600)
+    max_ttl_seconds = models.IntegerField(default=86400)
+
+    created_at = models.DateTimeField(auto_now_add=True, blank=True, null=True)
+    updated_at = models.DateTimeField(auto_now=True)
+    deleted_at = models.DateTimeField(blank=True, null=True)
+
+    def get_trusted_list(self):
+        try:
+            principals = self.config.get("trustedPrincipals", [])
+            if isinstance(principals, list):
+                return [p.strip() for p in principals if isinstance(p, str) and p.strip()]
+            # Fallback for legacy comma-separated string format
+            return [p.strip() for p in str(principals).split(",") if p.strip()]
+        except Exception:
+            return []
+
 class PersonalSecret(models.Model):
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
     secret = models.ForeignKey(Secret, on_delete=models.CASCADE)

From 6b2de442cdc305b3a085cd1ddf6a5377038d67b4 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:48:52 +0530
Subject: [PATCH 28/80] feat: add cryptographic utility functions for secret
 sharing and key conversion

- Introduced new functions for XORing byte strings, splitting secrets into shares, generating random hex strings, and converting Ed25519 keys to Curve25519 format.
- Enhanced cryptographic capabilities by implementing a wrapping function for encrypting hex-encoded shares, improving the overall utility of the crypto module.
---
 backend/api/utils/crypto.py | 94 +++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/backend/api/utils/crypto.py b/backend/api/utils/crypto.py
index f59757375..3ecfd86d5 100644
--- a/backend/api/utils/crypto.py
+++ b/backend/api/utils/crypto.py
@@ -1,6 +1,7 @@
 import re
 from nacl.hash import blake2b
 from nacl.utils import random
+from nacl.utils import random as random_bytes
 from base64 import b64encode, b64decode
 from django.conf import settings
 from nacl.bindings import (
@@ -12,6 +13,8 @@
     crypto_kx_server_session_keys,
     crypto_secretbox_NONCEBYTES,
     crypto_generichash,
+    crypto_sign_ed25519_pk_to_curve25519,
+    crypto_sign_ed25519_sk_to_curve25519,
 )
 from nacl.encoding import RawEncoder
 from typing import Tuple
@@ -230,3 +233,94 @@ def validate_encrypted_string(encrypted_string):
         return bool(match)
 
     return True
+
+
+def xor_bytes(first: bytes, second: bytes) -> bytes:
+    """
+    XOR two byte strings of equal length.
+
+    Args:
+        first: First byte string.
+        second: Second byte string. Must be the same length as `first`.
+
+    Returns:
+        A new byte string containing the XOR of the inputs.
+
+    Raises:
+        ValueError: If the inputs are not the same length.
+    """
+    if len(first) != len(second):
+        raise ValueError("xor_bytes inputs must be the same length")
+    return bytes(x ^ y for x, y in zip(first, second))
+
+
+def split_secret_hex(secret_hex: str) -> Tuple[str, str]:
+    """
+    Split a secret (hex string) into two additive/XOR shares.
+
+    This uses a one-time pad approach where a uniformly random share is
+    generated and the second share is computed as share2 = random ^ secret.
+
+    Args:
+        secret_hex: Secret as a hex string.
+
+    Returns:
+        Tuple of two hex strings (share_a, share_b).
+    """
+    secret_bytes = bytes.fromhex(secret_hex)
+    random_share = random_bytes(len(secret_bytes))
+    last_share = xor_bytes(random_share, secret_bytes)
+    return random_share.hex(), last_share.hex()
+
+
+def random_hex(nbytes: int = 32) -> str:
+    """
+    Generate a random hex string.
+
+    Args:
+        nbytes: Number of random bytes to generate. Defaults to 32.
+
+    Returns:
+        Hex string of length 2 * nbytes.
+    """
+
+    return random_bytes(nbytes).hex()
+
+
+def ed25519_to_kx(pub_hex: str, priv_hex: str) -> Tuple[str, str]:
+    """
+    Convert an Ed25519 keypair to Curve25519 (key exchange) form.
+
+    This is useful when the stored signing keys are in Ed25519 form but we
+    require Curve25519 keys for symmetric key agreement operations.
+
+    Args:
+        pub_hex: Ed25519 public key in hex.
+        priv_hex: Ed25519 private key in hex.
+
+    Returns:
+        Tuple of hex strings (kx_public_hex, kx_private_hex).
+    """
+
+    pub_kx = crypto_sign_ed25519_pk_to_curve25519(bytes.fromhex(pub_hex)).hex()
+    priv_kx = crypto_sign_ed25519_sk_to_curve25519(bytes.fromhex(priv_hex)).hex()
+    return pub_kx, priv_kx
+
+
+def wrap_share_hex(share_hex: str, wrap_key_hex: str) -> str:
+    """
+    Wrap (encrypt) a hex-encoded share using a symmetric key, returning hex.
+
+    This reuses the module's low-level XChaCha20-Poly1305 helper `encrypt_raw`
+    to avoid duplicate cryptographic code paths.
+
+    Args:
+        share_hex: The plaintext share to encrypt, as a hex string.
+        wrap_key_hex: Symmetric key as a hex string (32-byte key recommended).
+
+    Returns:
+        A hex string representing ciphertext||nonce.
+    """
+    key_bytes = bytes.fromhex(wrap_key_hex)
+    ct_plus_nonce = encrypt_raw(share_hex, key_bytes)
+    return bytes(ct_plus_nonce).hex()

From 8f18ed50d333b230a6ba4b9c6654dfdb4b2c31a3 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:49:20 +0530
Subject: [PATCH 29/80] feat: add function to list STS endpoints from botocore
 metadata

- Introduced a new function `list_sts_endpoints` that retrieves and formats a list of STS endpoints based on botocore's endpoint metadata.
- The function enhances AWS identity management by providing a structured output of available STS endpoints, including region codes and names.
---
 backend/api/utils/identity/aws.py | 43 +++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 backend/api/utils/identity/aws.py

diff --git a/backend/api/utils/identity/aws.py b/backend/api/utils/identity/aws.py
new file mode 100644
index 000000000..80cabef45
--- /dev/null
+++ b/backend/api/utils/identity/aws.py
@@ -0,0 +1,43 @@
+import botocore.loaders
+
+
+def list_sts_endpoints():
+    """
+    Return a list of STS endpoints from botocore's endpoint metadata.
+
+    Output: List[dict(regionCode, regionName, endpoint)]
+    """
+    loader = botocore.loaders.create_loader()
+    endpoints_data = loader.load_data("endpoints")
+    partitions = endpoints_data.get("partitions", [])
+    results = []
+    for part in partitions:
+        services = part.get("services", {})
+        if "sts" not in services:
+            continue
+        service = services["sts"]
+        endpoints = service.get("endpoints", {})
+        for region_code, meta in endpoints.items():
+            hostname = meta.get("hostname")
+            if not hostname:
+                hostname = f"sts.{region_code}.{part.get('dnsSuffix', 'amazonaws.com')}"
+            region_name = region_code
+            results.append(
+                {
+                    "regionCode": region_code,
+                    "regionName": region_name,
+                    "endpoint": f"https://{hostname}",
+                }
+            )
+
+    # Add global legacy first
+    # results.insert(
+    #     0,
+    #     {
+    #         "regionCode": None,
+    #         "regionName": "Global (Legacy)",
+    #         "endpoint": "https://sts.amazonaws.com",
+    #     },
+    # )
+
+    return results

From 3d810efc98d8b8f9522b6ed3aa568acb23719089 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:50:07 +0530
Subject: [PATCH 30/80] feat: implement service account token management
 utilities

- Added functions for resolving service accounts and identities, minting service account tokens, and handling token expiration.
- Enhanced the identity management system by providing a structured approach to create and manage service account tokens, including cryptographic operations for secure token generation.
---
 backend/api/utils/identity/common.py | 77 ++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 backend/api/utils/identity/common.py

diff --git a/backend/api/utils/identity/common.py b/backend/api/utils/identity/common.py
new file mode 100644
index 000000000..ab2cca1e8
--- /dev/null
+++ b/backend/api/utils/identity/common.py
@@ -0,0 +1,77 @@
+import json
+
+from django.utils import timezone
+
+
+def resolve_service_account(account_id):
+    from api.models import ServiceAccount
+
+    try:
+        service_account = ServiceAccount.objects.get(id=account_id)
+    except ServiceAccount.DoesNotExist:
+        return None
+    return service_account
+
+
+def resolve_attached_identity(service_account, provider: str):
+    """Return the first non-deleted identity for the service account and provider."""
+    return service_account.identities.filter(provider=provider, deleted_at=None).first()
+
+
+def mint_service_account_token(service_account, identity, requested_ttl: int, token_name_fallback: str):
+    """
+    Create a ServiceAccountToken for the given service account using the server
+    keyring, honoring the identity's TTL rules. Returns a dict suitable for
+    JSON response containing token strings and TTLs.
+    """
+    from api.utils.crypto import (
+        get_server_keypair,
+        decrypt_asymmetric,
+        split_secret_hex,
+        wrap_share_hex,
+        random_hex,
+        ed25519_to_kx,
+    )
+    from api.models import ServiceAccountToken
+
+    now = timezone.now()
+
+    # Load and unwrap server-managed keyring
+    pk, sk = get_server_keypair()
+    keyring_json = decrypt_asymmetric(
+        service_account.server_wrapped_keyring, sk.hex(), pk.hex()
+    )
+    keyring = json.loads(keyring_json)
+    kx_pub, kx_priv = ed25519_to_kx(keyring["publicKey"], keyring["privateKey"])
+
+    # Compute TTL consistent with limits
+    req_ttl = int(requested_ttl or identity.default_ttl_seconds)
+    ttl = min(req_ttl, identity.max_ttl_seconds)
+    expires_at = now + timezone.timedelta(seconds=ttl)
+
+    # Create token material
+    wrap_key = random_hex(32)
+    token_value = random_hex(32)
+    share_a, share_b = split_secret_hex(kx_priv)
+    wrapped_share_b = wrap_share_hex(share_b, wrap_key)
+
+    ServiceAccountToken.objects.create(
+        service_account=service_account,
+        name=(identity.token_name_pattern or token_name_fallback),
+        identity_key=kx_pub,
+        token=token_value,
+        wrapped_key_share=wrapped_share_b,
+        created_by_service_account=service_account,
+        expires_at=expires_at,
+    )
+
+    full_token = f"pss_service:v2:{token_value}:{kx_pub}:{share_a}:{wrap_key}"
+    bearer = f"ServiceAccount {token_value}"
+
+    return {
+        "tokenType": "ServiceAccount",
+        "token": full_token,
+        "bearerToken": bearer,
+        "TTL": ttl,
+        "maxTTL": identity.max_ttl_seconds,
+    }

From 120ec7fcfd05b6f01256e91855080763db8a0099 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:52:40 +0530
Subject: [PATCH 31/80] feat: implement AWS IAM authentication endpoint for
 service accounts

- Added a new endpoint `aws_iam_auth` to handle SigV4-signed requests for service account authentication.
- Implemented request validation, signature verification, and integration with AWS STS for identity validation.
- Enhanced error handling for various failure scenarios, ensuring robust responses for invalid requests and configurations.
---
 backend/api/views/identities/aws/iam.py | 164 ++++++++++++++++++++++++
 1 file changed, 164 insertions(+)
 create mode 100644 backend/api/views/identities/aws/iam.py

diff --git a/backend/api/views/identities/aws/iam.py b/backend/api/views/identities/aws/iam.py
new file mode 100644
index 000000000..16b2b5d71
--- /dev/null
+++ b/backend/api/views/identities/aws/iam.py
@@ -0,0 +1,164 @@
+import base64
+import json
+import re
+from urllib.parse import urlparse
+
+import requests
+from django.http import JsonResponse
+from django.utils import timezone
+from rest_framework.decorators import api_view, permission_classes
+from rest_framework.permissions import AllowAny
+
+from api.utils.identity.common import (
+    resolve_service_account,
+    resolve_attached_identity,
+    mint_service_account_token,
+)
+
+
+@api_view(["POST"])
+@permission_classes([AllowAny])
+def aws_iam_auth(request):
+    """Accepts SigV4-signed STS GetCallerIdentity request and issues a ServiceAccount token if trusted."""
+    try:
+        payload = json.loads(request.body)
+    except Exception:
+        return JsonResponse({"error": "Invalid JSON"}, status=400)
+
+    account = (payload or {}).get("account", {})
+    aws_iam = (payload or {}).get("awsIam", {})
+    token_req = (payload or {}).get("tokenRequest", {})
+
+    account_type = (account.get("type") or "service").lower()
+    account_id = account.get("id")
+    if account_type != "service" or not account_id:
+        return JsonResponse({"error": "Only service account authentication supported"}, status=400)
+
+    # Decode signed request
+    try:
+        method = aws_iam.get("httpRequestMethod") or "POST"
+        url = base64.b64decode(aws_iam["httpRequestUrl"]).decode("utf-8")
+        headers_json = base64.b64decode(aws_iam["httpRequestHeaders"]).decode("utf-8")
+        body = base64.b64decode(aws_iam.get("httpRequestBody") or b"").decode("utf-8")
+        headers = json.loads(headers_json)
+    except Exception:
+        return JsonResponse({"error": "Invalid awsIam request encoding"}, status=400)
+
+    # Verify signature freshness using X-Amz-Date
+    amz_date = headers.get("X-Amz-Date") or headers.get("x-amz-date")
+    if not amz_date:
+        return JsonResponse({"error": "Missing X-Amz-Date header"}, status=400)
+    try:
+        from datetime import datetime, timezone as dt_timezone
+
+        dt = (
+            datetime.strptime(amz_date.replace("Z", ""), "%Y%m%dT%H%M%S")
+            .replace(tzinfo=dt_timezone.utc)
+        )
+    except Exception:
+        return JsonResponse({"error": "Invalid X-Amz-Date"}, status=400)
+
+    # Resolve account and identity
+    service_account = resolve_service_account(account_id)
+    if service_account is None:
+        return JsonResponse({"error": "Service account not found"}, status=404)
+    if not service_account.server_wrapped_keyring:
+        return JsonResponse({"error": "Server-side key management must be enabled"}, status=403)
+
+    identity = resolve_attached_identity(service_account, "aws_iam")
+    if not identity:
+        return JsonResponse({"error": "No AWS IAM identity attached to this account"}, status=404)
+
+    try:
+        max_skew = int(identity.config.get("signatureTtlSeconds", 60))
+    except Exception:
+        max_skew = 60
+    now = timezone.now()
+    if abs((now - dt).total_seconds()) > max_skew:
+        return JsonResponse({"error": "Signature expired"}, status=401)
+
+    # Enforce that the signed request targets the identity's configured STS endpoint
+    try:
+        configured = identity.config.get("stsEndpoint")
+        if not configured.startswith("http"):
+            configured = f"https://{configured}"
+        request_url = url
+        if not request_url.startswith("http"):
+            request_url = f"https://{request_url}"
+
+        cfg_host = urlparse(configured).netloc.lower()
+        req_host = urlparse(request_url).netloc.lower()
+        header_host = (headers.get("Host") or headers.get("host") or "").lower()
+
+        if req_host != cfg_host or (header_host and header_host != cfg_host):
+            return JsonResponse(
+                {
+                    "error": "STS endpoint mismatch. Please sign the request for the configured STS endpoint.",
+                    "expectedEndpoint": configured,
+                    "receivedEndpoint": request_url,
+                },
+                status=400,
+            )
+    except Exception:
+        return JsonResponse({"error": "Invalid STS endpoint configuration"}, status=400)
+
+    # Forward the signed request to AWS STS
+    try:
+        resp = requests.request(method, url, headers=headers, data=body)
+    except Exception:
+        return JsonResponse({"error": "Failed to contact AWS STS"}, status=502)
+
+    if resp.status_code != 200:
+        return JsonResponse({"error": "AWS STS validation failed", "status": resp.status_code}, status=401)
+
+    # Parse minimal identity info from XML
+    arn = None
+    try:
+        m = re.search(r"<Arn>([^<]+)</Arn>", resp.text)
+        if m:
+            arn = m.group(1)
+    except Exception:
+        pass
+    if arn is None:
+        return JsonResponse({"error": "Unable to parse AWS identity"}, status=500)
+
+    # Trust check
+    import fnmatch
+
+    trusted = identity.get_trusted_list()
+    if any(p == "*" for p in trusted):
+        return JsonResponse({"error": "Invalid trusted principal pattern '*' is not allowed"}, status=400)
+
+    def arn_matches_patterns(value: str, patterns: list[str]) -> bool:
+        for pattern in patterns:
+            if not pattern or pattern == "*":
+                continue
+            if fnmatch.fnmatch(value, pattern):
+                return True
+        return False
+
+    if not arn_matches_patterns(arn, trusted):
+        return JsonResponse({"error": "Untrusted principal"}, status=403)
+
+    # Validate requested TTL
+    requested_ttl = int(token_req.get("ttl") or identity.default_ttl_seconds)
+    max_ttl = identity.max_ttl_seconds
+    
+    if requested_ttl > max_ttl:
+        return JsonResponse({
+            "error": f"Requested TTL ({requested_ttl}s) exceeds maximum allowed TTL ({max_ttl}s)"
+        }, status=400)
+
+    try:
+        auth = mint_service_account_token(
+            service_account,
+            identity,
+            requested_ttl,
+            token_name_fallback="aws-iam",
+        )
+    except Exception:
+        return JsonResponse({"error": "Failed to mint token"}, status=500)
+
+    return JsonResponse({"authentication": auth})
+
+

From f06add9bce773953ae04b19d7eca95af229742d2 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:53:00 +0530
Subject: [PATCH 32/80] feat: add identity management mutations and queries

- Introduced new mutations for creating, updating, and deleting identities, enhancing the identity management capabilities.
- Added queries to retrieve identities, AWS STS endpoints, and identity providers, improving the overall functionality of the identity system.
- Updated the GraphQL schema to include new types and resolvers for better integration with identity-related operations.
---
 backend/backend/schema.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/backend/backend/schema.py b/backend/backend/schema.py
index 9d9a38635..e9efcb9da 100644
--- a/backend/backend/schema.py
+++ b/backend/backend/schema.py
@@ -25,6 +25,9 @@
     CreateNetworkAccessPolicyMutation,
     DeleteCustomRoleMutation,
     DeleteNetworkAccessPolicyMutation,
+    CreateIdentityMutation,
+    UpdateIdentityMutation,
+    DeleteIdentityMutation,
     UpdateAccountNetworkAccessPolicies,
     UpdateCustomRoleMutation,
     UpdateNetworkAccessPolicyMutation,
@@ -68,11 +71,13 @@
     resolve_validate_aws_assume_role_auth,
     resolve_validate_aws_assume_role_credentials,
 )
+from .graphene.queries.identity import resolve_aws_sts_endpoints, resolve_identity_providers
 from .graphene.queries.access import (
     resolve_roles,
     resolve_organisation_global_access_users,
     resolve_network_access_policies,
     resolve_client_ip,
+    resolve_identities,
 )
 from .graphene.queries.service_accounts import (
     resolve_service_accounts,
@@ -166,6 +171,7 @@
     PhaseLicenseType,
     ProviderCredentialsType,
     ProviderType,
+    IdentityProviderType,
     RoleType,
     SecretEventType,
     SecretFolderType,
@@ -179,6 +185,7 @@
     TimeRange,
     UserTokenType,
     AWSValidationResultType,
+    IdentityType,
 )
 import graphene
 from graphql import GraphQLError
@@ -218,6 +225,7 @@ class Query(graphene.ObjectType):
     network_access_policies = graphene.List(
         NetworkAccessPolicyType, organisation_id=graphene.ID()
     )
+    identities = graphene.List(IdentityType, organisation_id=graphene.ID())
 
     organisation_name_available = graphene.Boolean(name=graphene.String())
 
@@ -325,6 +333,8 @@ class Query(graphene.ObjectType):
     providers = graphene.List(ProviderType)
 
     services = graphene.List(ServiceType)
+    aws_sts_endpoints = graphene.List(graphene.JSONString)
+    identity_providers = graphene.List(IdentityProviderType)
 
     saved_credentials = graphene.List(ProviderCredentialsType, org_id=graphene.ID())
 
@@ -448,6 +458,12 @@ def resolve_organisations(root, info):
     resolve_roles = resolve_roles
     resolve_network_access_policies = resolve_network_access_policies
 
+    # Identities
+    resolve_identities = resolve_identities
+    resolve_aws_sts_endpoints = resolve_aws_sts_endpoints
+    resolve_identity_providers = resolve_identity_providers
+
+    
     resolve_organisation_plan = resolve_organisation_plan
 
     def resolve_organisation_name_available(root, info, name):
@@ -930,6 +946,11 @@ class Mutation(graphene.ObjectType):
     delete_network_access_policy = DeleteNetworkAccessPolicyMutation.Field()
     update_account_network_access_policies = UpdateAccountNetworkAccessPolicies.Field()
 
+    # Identities
+    create_identity = CreateIdentityMutation.Field()
+    update_identity = UpdateIdentityMutation.Field()
+    delete_identity = DeleteIdentityMutation.Field()
+
     # Service Accounts
     create_service_account = CreateServiceAccountMutation.Field()
     enable_service_account_server_side_key_management = (

From b9c9a20dff3942eb0dd1e97075c7a267fd2f8505 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:53:25 +0530
Subject: [PATCH 33/80] feat: add AWS IAM authentication route to URL
 configuration

- Added a new URL path for the `aws_iam_auth` endpoint, enabling access to AWS IAM authentication for identity management.
- This integration enhances the existing identity system by providing a dedicated route for service account authentication.
---
 backend/backend/urls.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index eaac0f175..7143946ea 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -12,6 +12,7 @@
     secrets_tokens,
     root_endpoint,
 )
+from api.views.identities.aws.iam import aws_iam_auth
 from api.views.kms import kms
 
 
@@ -30,6 +31,7 @@
     path("secrets/", E2EESecretsView.as_view()),
     path("public/v1/secrets/", PublicSecretsView.as_view()),
     path("secrets/tokens/", secrets_tokens),
+    path("identity/v1/aws/iam/auth", aws_iam_auth),
     path("oauth/github/callback", github_integration_callback),
     path("lockbox/<box_id>", LockboxView.as_view()),
 ]

From 5152e90902e2414d58d188e38d43d9b421135060 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:53:51 +0530
Subject: [PATCH 34/80] feat: add identity management mutations for create,
 update, and delete operations

- Introduced new mutations for creating, updating, and deleting identities, enhancing the identity management capabilities.
- Implemented permission checks to ensure users have the necessary rights for identity operations.
- Updated the GraphQL schema to include the new IdentityType and associated mutations, improving integration with identity-related functionalities.
---
 backend/backend/graphene/mutations/access.py | 169 ++++++++++++++++++-
 1 file changed, 168 insertions(+), 1 deletion(-)

diff --git a/backend/backend/graphene/mutations/access.py b/backend/backend/graphene/mutations/access.py
index ada6f4ee5..57433b20f 100644
--- a/backend/backend/graphene/mutations/access.py
+++ b/backend/backend/graphene/mutations/access.py
@@ -6,7 +6,9 @@
     ServiceAccount,
 )
 from api.utils.access.permissions import user_has_permission
-from backend.graphene.types import NetworkAccessPolicyType, RoleType
+from backend.graphene.types import NetworkAccessPolicyType, RoleType, IdentityType
+from api.models import Identity
+from django.utils import timezone
 import graphene
 from graphql import GraphQLError
 
@@ -221,6 +223,171 @@ def mutate(cls, root, info, id):
         return DeleteNetworkAccessPolicyMutation(ok=True)
 
 
+class CreateIdentityMutation(graphene.Mutation):
+    class Arguments:
+        organisation_id = graphene.ID(required=True)
+        provider = graphene.String(required=True)
+        name = graphene.String(required=True)
+        description = graphene.String(required=False)
+        trusted_principals = graphene.String(required=True)
+        signature_ttl_seconds = graphene.Int(required=False)
+        sts_endpoint = graphene.String(required=False)
+        token_name_pattern = graphene.String(required=False)
+        default_ttl_seconds = graphene.Int(required=True)
+        max_ttl_seconds = graphene.Int(required=True)
+
+    identity = graphene.Field(IdentityType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        organisation_id,
+        provider,
+        name,
+        trusted_principals,
+        default_ttl_seconds,
+        max_ttl_seconds,
+        description=None,
+        signature_ttl_seconds=60,
+        sts_endpoint="https://sts.amazonaws.com",
+        token_name_pattern=None,
+    ):
+        user = info.context.user
+        org = Organisation.objects.get(id=organisation_id)
+
+        if not user_has_permission(user, "create", "Identities", org):
+            raise GraphQLError(
+                "You don't have the permissions required to create identities in this organisation"
+            )
+
+        if default_ttl_seconds is not None and max_ttl_seconds is not None:
+            if int(default_ttl_seconds) > int(max_ttl_seconds):
+                raise GraphQLError(
+                    "Default token expiry must be less than or equal to Maximum token expiry"
+                )
+
+        # Store provider-specific configuration in a generic config field
+        # Convert comma-separated trusted_principals to list for consistency
+        trusted_list = [p.strip() for p in trusted_principals.split(",") if p.strip()]
+        config = {
+            "trustedPrincipals": trusted_list,
+            "signatureTtlSeconds": signature_ttl_seconds,
+            "stsEndpoint": sts_endpoint,
+        }
+
+        identity = Identity.objects.create(
+            organisation=org,
+            provider=provider,
+            name=name,
+            description=description,
+            config=config,
+            token_name_pattern=token_name_pattern,
+            default_ttl_seconds=default_ttl_seconds,
+            max_ttl_seconds=max_ttl_seconds,
+        )
+
+        return CreateIdentityMutation(identity=identity)
+
+
+class UpdateIdentityMutation(graphene.Mutation):
+    class Arguments:
+        id = graphene.ID(required=True)
+        name = graphene.String(required=False)
+        description = graphene.String(required=False)
+        trusted_principals = graphene.String(required=False)
+        signature_ttl_seconds = graphene.Int(required=False)
+        sts_endpoint = graphene.String(required=False)
+        token_name_pattern = graphene.String(required=False)
+        default_ttl_seconds = graphene.Int(required=False)
+        max_ttl_seconds = graphene.Int(required=False)
+
+    identity = graphene.Field(IdentityType)
+
+    @classmethod
+    def mutate(
+        cls,
+        root,
+        info,
+        id,
+        name=None,
+        description=None,
+        trusted_principals=None,
+        signature_ttl_seconds=None,
+        sts_endpoint=None,
+        token_name_pattern=None,
+        default_ttl_seconds=None,
+        max_ttl_seconds=None,
+    ):
+        user = info.context.user
+        identity = Identity.objects.get(id=id, deleted_at=None)
+
+        org = identity.organisation
+        if not user_has_permission(user, "update", "Identities", org):
+            raise GraphQLError(
+                "You don't have the permissions required to update identities in this organisation"
+            )
+
+        # Update basic fields using dictionary unpacking
+        basic_updates = {
+            k: v for k, v in {
+                'name': name,
+                'description': description,
+                'token_name_pattern': token_name_pattern,
+                'default_ttl_seconds': default_ttl_seconds,
+                'max_ttl_seconds': max_ttl_seconds,
+            }.items() if v is not None
+        }
+        for field, value in basic_updates.items():
+            setattr(identity, field, value)
+
+        # Update provider-specific config atomically
+        config_updates = {}
+        if trusted_principals is not None:
+            config_updates["trustedPrincipals"] = [p.strip() for p in trusted_principals.split(",") if p.strip()]
+        if signature_ttl_seconds is not None:
+            config_updates["signatureTtlSeconds"] = signature_ttl_seconds
+        if sts_endpoint is not None:
+            config_updates["stsEndpoint"] = sts_endpoint
+        
+        if config_updates:
+            identity.config = {**(identity.config or {}), **config_updates}
+
+        if identity.default_ttl_seconds is not None and identity.max_ttl_seconds is not None:
+            if int(identity.default_ttl_seconds) > int(identity.max_ttl_seconds):
+                raise GraphQLError(
+                    "Default token expiry must be less than or equal to Maximum token expiry"
+                )
+
+        identity.save()
+
+        return UpdateIdentityMutation(identity=identity)
+
+
+class DeleteIdentityMutation(graphene.Mutation):
+    class Arguments:
+        id = graphene.ID(required=True)
+
+    ok = graphene.Boolean()
+
+    @classmethod
+    def mutate(cls, root, info, id):
+        user = info.context.user
+        identity = Identity.objects.get(id=id, deleted_at=None)
+
+        org = identity.organisation
+        if not user_has_permission(user, "delete", "Identities", org):
+            raise GraphQLError(
+                "You don't have the permissions required to delete identities in this organisation"
+            )
+
+        identity.deleted_at = timezone.now()
+        identity.save()
+
+        return DeleteIdentityMutation(ok=True)
+
+
 class AccountTypeEnum(graphene.Enum):
     USER = "user"
     SERVICE = "service"

From 6027a11d4b969e05fc6db9b601c47f5aff300289 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:55:14 +0530
Subject: [PATCH 35/80] feat: enhance GraphQL schema with Identity and
 IdentityProvider types

- Added IdentityProviderType to represent identity providers with relevant fields.
- Introduced IdentityType to manage identity configurations, including a resolver for provider-specific settings.
- Updated ServiceAccountType to include a list of identities, improving the integration of identity management within service accounts.
---
 backend/backend/graphene/types.py | 52 +++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)

diff --git a/backend/backend/graphene/types.py b/backend/backend/graphene/types.py
index 6e32f3202..ec531fd20 100644
--- a/backend/backend/graphene/types.py
+++ b/backend/backend/graphene/types.py
@@ -11,7 +11,6 @@
 from graphene_django import DjangoObjectType
 from api.models import (
     ActivatedPhaseLicense,
-    CustomUser,
     Environment,
     EnvironmentKey,
     EnvironmentSync,
@@ -30,12 +29,12 @@
     SecretEvent,
     SecretFolder,
     SecretTag,
-    ServerEnvironmentKey,
     ServiceAccount,
     ServiceAccountHandler,
     ServiceAccountToken,
     ServiceToken,
     UserToken,
+    Identity,
 )
 from logs.dynamodb_models import KMSLog
 from django.utils import timezone
@@ -327,6 +326,14 @@ class ProviderType(graphene.ObjectType):
     auth_scheme = graphene.String()
 
 
+class IdentityProviderType(graphene.ObjectType):
+    id = graphene.String(required=True)
+    name = graphene.String(required=True)
+    description = graphene.String(required=True)
+    icon_id = graphene.String(required=True)
+    supported = graphene.Boolean(required=True)
+
+
 class ServiceType(ObjectType):
     id = graphene.String()
     name = graphene.String()
@@ -681,6 +688,7 @@ class ServiceAccountType(DjangoObjectType):
     tokens = graphene.List(ServiceAccountTokenType)
     app_memberships = graphene.List(graphene.NonNull(AppMembershipType))
     network_policies = graphene.List(graphene.NonNull(lambda: NetworkAccessPolicyType))
+    identities = graphene.List(graphene.NonNull(lambda: IdentityType))
 
     class Meta:
         model = ServiceAccount
@@ -740,6 +748,9 @@ def resolve_network_policies(self, info):
 
         return list(chain(account_policies, global_policies))
 
+    def resolve_identities(self, info):
+        return self.identities.filter(deleted_at=None)
+
 
 class EnvironmentKeyType(DjangoObjectType):
     class Meta:
@@ -994,3 +1005,40 @@ class AWSValidationResultType(graphene.ObjectType):
     method = graphene.String()
     error = graphene.String()
     assumed_role_arn = graphene.String()
+
+
+class AwsIamConfigType(graphene.ObjectType):
+    trusted_principals = graphene.List(graphene.String)
+    signature_ttl_seconds = graphene.Int()
+    sts_endpoint = graphene.String()
+
+
+class IdentityConfigUnion(graphene.Union):
+    class Meta:
+        types = (AwsIamConfigType,)
+
+
+class IdentityType(DjangoObjectType):
+    config = graphene.Field(IdentityConfigUnion)
+
+    class Meta:
+        model = Identity
+        fields = "__all__"
+
+    def resolve_config(self, info):
+        """Map provider-specific config into typed objects"""
+        provider = (self.provider or '').lower()
+        cfg = self.config or {}
+        
+        if provider == 'aws_iam':
+            try:
+                ttl = int(cfg.get('signatureTtlSeconds', 60))
+            except Exception:
+                ttl = 60
+            return AwsIamConfigType(
+                trusted_principals=self.get_trusted_list(),
+                signature_ttl_seconds=ttl,
+                sts_endpoint=cfg.get('stsEndpoint'),
+            )
+        
+        return None

From 45761adafbedb2535f9cc717e47cfd4272541a02 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:55:35 +0530
Subject: [PATCH 36/80] feat: update UpdateServiceAccountMutation to include
 identity management

- Enhanced the UpdateServiceAccountMutation to accept an optional list of identity IDs.
- Implemented logic to associate specified identities with the service account during the update process, improving identity management capabilities within service accounts.
---
 .../backend/graphene/mutations/service_accounts.py    | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/backend/backend/graphene/mutations/service_accounts.py b/backend/backend/graphene/mutations/service_accounts.py
index 2b8bb9716..2b99c476b 100644
--- a/backend/backend/graphene/mutations/service_accounts.py
+++ b/backend/backend/graphene/mutations/service_accounts.py
@@ -7,6 +7,7 @@
     ServiceAccount,
     ServiceAccountHandler,
     ServiceAccountToken,
+    Identity,
 )
 from api.utils.access.permissions import user_has_permission, user_is_org_member
 from backend.graphene.types import ServiceAccountTokenType, ServiceAccountType
@@ -151,11 +152,12 @@ class Arguments:
         service_account_id = graphene.ID()
         name = graphene.String()
         role_id = graphene.ID()
+        identity_ids = graphene.List(graphene.NonNull(graphene.ID), required=False)
 
     service_account = graphene.Field(ServiceAccountType)
 
     @classmethod
-    def mutate(cls, root, info, service_account_id, name, role_id):
+    def mutate(cls, root, info, service_account_id, name, role_id, identity_ids=None):
         user = info.context.user
         service_account = ServiceAccount.objects.get(id=service_account_id)
 
@@ -169,6 +171,13 @@ def mutate(cls, root, info, service_account_id, name, role_id):
         role = Role.objects.get(id=role_id)
         service_account.name = name
         service_account.role = role
+        if identity_ids is not None:
+            identities = Identity.objects.filter(
+                id__in=identity_ids,
+                organisation=service_account.organisation,
+                deleted_at=None,
+            )
+            service_account.identities.set(identities)
         service_account.save()
 
         return UpdateServiceAccountMutation(service_account=service_account)

From 9725fbbea7b6ebb139b314b9c1f30deab17881e9 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:55:55 +0530
Subject: [PATCH 37/80] feat: add Identities role to default roles
 configuration

- Introduced the "Identities" role with permissions for create, read, update, and delete operations in the default roles configuration.
- Updated multiple sections of the roles.py file to ensure consistent access control for identity management functionalities.
---
 backend/api/utils/access/roles.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/api/utils/access/roles.py b/backend/api/utils/access/roles.py
index b3723fd16..96a213ac4 100644
--- a/backend/api/utils/access/roles.py
+++ b/backend/api/utils/access/roles.py
@@ -12,6 +12,7 @@
             "MemberPersonalAccessTokens": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
+            "Identities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -42,6 +43,7 @@
             "MemberPersonalAccessTokens": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
+            "Identities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -71,6 +73,7 @@
             "Members": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
+            "Identities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -100,6 +103,7 @@
             "Members": ["read"],
             "ServiceAccounts": [],
             "ServiceAccountTokens": [],
+            "Identities": [],
             "Roles": ["read"],
             "IntegrationCredentials": [
                 "create",
@@ -133,6 +137,7 @@
             "Members": ["read"],
             "ServiceAccounts": ["read"],
             "ServiceAccountTokens": ["read"],
+            "Identities": ["read"],
             "Roles": ["read"],
             "IntegrationCredentials": ["read"],
             "NetworkAccessPolicies": ["read"],

From 77d9316a77f5b462be7cd4e4d1318ec14cb5dc61 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:56:39 +0530
Subject: [PATCH 38/80] feat: add resolver for identities in organisation

- Implemented a new resolver function to retrieve identities associated with a specific organisation.
- Added permission checks to ensure users have access to read identities, enhancing security and access control within the identity management system.
---
 backend/backend/graphene/queries/access.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/backend/backend/graphene/queries/access.py b/backend/backend/graphene/queries/access.py
index d7ba3740d..040a0fb91 100644
--- a/backend/backend/graphene/queries/access.py
+++ b/backend/backend/graphene/queries/access.py
@@ -1,5 +1,5 @@
 from api.utils.access.permissions import user_has_permission, user_is_org_member
-from api.models import NetworkAccessPolicy, Organisation, OrganisationMember, Role
+from api.models import NetworkAccessPolicy, Organisation, OrganisationMember, Role, Identity
 from graphql import GraphQLError
 from django.db import transaction
 from api.utils.access.roles import default_roles
@@ -97,3 +97,20 @@ def resolve_client_ip(root, info):
     else:
         ip = request.META.get("REMOTE_ADDR")
     return ip
+
+
+def resolve_identities(root, info, organisation_id):
+    if not user_is_org_member(info.context.user.userId, organisation_id):
+        raise GraphQLError("You don't have access to this organisation")
+
+    if user_has_permission(
+        info.context.user.userId,
+        "read",
+        "Identities",
+        Organisation.objects.get(id=organisation_id),
+    ):
+        return Identity.objects.filter(organisation_id=organisation_id, deleted_at=None)
+    else:
+        raise GraphQLError(
+            "You don't have permission to read identities in this Organisation"
+        )

From 4f7cd2bd39447ae8bd91129659dc33f54c829c3d Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:56:51 +0530
Subject: [PATCH 39/80] feat: add resolvers for AWS STS endpoints and identity
 providers

- Implemented a resolver to dynamically return AWS STS endpoints using botocore's endpoint resolver data.
- Added a resolver to retrieve all supported identity providers, enhancing the identity management capabilities within the GraphQL API.
---
 backend/backend/graphene/queries/identity.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 backend/backend/graphene/queries/identity.py

diff --git a/backend/backend/graphene/queries/identity.py b/backend/backend/graphene/queries/identity.py
new file mode 100644
index 000000000..20490f36b
--- /dev/null
+++ b/backend/backend/graphene/queries/identity.py
@@ -0,0 +1,20 @@
+from graphql import GraphQLError
+from api.identity_providers import IdentityProviders
+from backend.graphene.types import IdentityProviderType
+
+
+def resolve_aws_sts_endpoints(root, info):
+    """Return STS endpoints dynamically using botocore's endpoint resolver data."""
+    try:
+        from api.utils.identity.aws import list_sts_endpoints
+        return list_sts_endpoints()
+    except Exception as ex:
+        raise GraphQLError(f"Failed to load AWS STS endpoints: {ex}")
+
+
+def resolve_identity_providers(root, info):
+    """Get all supported identity providers."""
+    return [
+        IdentityProviderType(**provider)
+        for provider in IdentityProviders.get_supported_providers()
+    ]

From 8e937a8ce1d0280fc0b34d0f06e44422dd8e24dc Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:57:26 +0530
Subject: [PATCH 40/80] feat: implement identity management page for
 organisation

- Created a new IdentityPage component to manage identities within an organisation.
- Integrated permission checks for reading, creating, updating, and deleting identities.
- Added functionality to display, edit, and delete identities, along with a provider selection dialog for creating new identities.
- Enhanced user experience with empty state handling and toast notifications for actions.
---
 .../app/[team]/access/identities/page.tsx     | 279 ++++++++++++++++++
 1 file changed, 279 insertions(+)
 create mode 100644 frontend/app/[team]/access/identities/page.tsx

diff --git a/frontend/app/[team]/access/identities/page.tsx b/frontend/app/[team]/access/identities/page.tsx
new file mode 100644
index 000000000..d3be0376b
--- /dev/null
+++ b/frontend/app/[team]/access/identities/page.tsx
@@ -0,0 +1,279 @@
+'use client'
+
+import { useContext, useState } from 'react'
+import { organisationContext } from '@/contexts/organisationContext'
+import { userHasPermission } from '@/utils/access/permissions'
+import { useMutation, useQuery } from '@apollo/client'
+import GetOrganisationIdentities from '@/graphql/queries/identities/getOrganisationIdentities.gql'
+import DeleteIdentity from '@/graphql/mutations/identities/deleteIdentity.gql'
+import { Button } from '@/components/common/Button'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+import { FaPlus, FaTrashAlt, FaEdit, FaBan } from 'react-icons/fa'
+import { EmptyState } from '@/components/common/EmptyState'
+import { toast } from 'react-toastify'
+import { IdentityProviderSelector } from '@/components/identities/IdentityProviderSelector'
+import { AwsIamIdentityDialog } from '@/components/identities/providers/aws/iam'
+import { ProviderCards } from '@/components/identities/ProviderCards'
+import GetIdentityProviders from '@/graphql/queries/identities/getIdentityProviders.gql'
+
+type AwsIamConfig = {
+  trustedPrincipals: string[]
+  signatureTtlSeconds: number
+  stsEndpoint: string
+}
+
+type Identity = {
+  id: string
+  provider: string
+  name: string
+  description?: string | null
+  config: AwsIamConfig
+  tokenNamePattern?: string | null
+  defaultTtlSeconds: number
+  maxTtlSeconds: number
+}
+
+export default function IdentityPage() {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  // Permission checks
+  const canReadIdentities = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Identities', 'read')
+    : false
+  const canCreateIdentities = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Identities', 'create')
+    : false
+  const canUpdateIdentities = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Identities', 'update')
+    : false
+  const canDeleteIdentities = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Identities', 'delete')
+    : false
+
+  const { data, refetch } = useQuery(GetOrganisationIdentities, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation || !canReadIdentities,
+    fetchPolicy: 'cache-and-network',
+  })
+
+  const { data: providersData } = useQuery(GetIdentityProviders)
+
+  const [deleteIdentity, { loading: deleting }] = useMutation(DeleteIdentity)
+
+  const [providerSelectorOpen, setProviderSelectorOpen] = useState(false)
+  const [awsEditDialogOpen, setAwsEditDialogOpen] = useState(false)
+  const [editingIdentity, setEditingIdentity] = useState<Identity | null>(null)
+
+  const identities: Identity[] = data?.identities ?? []
+  const identityProviders = providersData?.identityProviders ?? []
+
+  // Helper function to get provider info by ID
+  const getProviderInfo = (providerId: string) => {
+    const provider = identityProviders.find((p: any) => p.id === providerId)
+    return provider || { name: providerId, iconId: 'unknown' }
+  }
+
+  const handleCreateIdentity = () => {
+    if (!canCreateIdentities) return
+    // If no identities exist, direct provider selection isn't needed as cards are visible
+    // If identities exist, show provider selector modal
+    if (identities.length > 0) {
+      setProviderSelectorOpen(true)
+    }
+  }
+
+  const handleProviderSelect = (providerId: string) => {
+    setEditingIdentity(null) // Ensure we're creating, not editing
+    if (providerId === 'aws_iam') {
+      setAwsEditDialogOpen(true)
+    }
+    // Future providers can be handled here
+    // Close provider selector if it was open
+    setProviderSelectorOpen(false)
+  }
+
+  const handleEditIdentity = (identity: Identity) => {
+    if (!canUpdateIdentities) return
+    setEditingIdentity(identity)
+    if (identity.provider === 'aws_iam') {
+      setAwsEditDialogOpen(true)
+    }
+  }
+
+  const handleProviderSelectorSuccess = () => {
+    setProviderSelectorOpen(false)
+    refetch()
+  }
+
+  const handleAwsEditSuccess = () => {
+    setAwsEditDialogOpen(false)
+    setEditingIdentity(null)
+    refetch()
+  }
+
+  const handleDelete = async (id: string) => {
+    if (!canDeleteIdentities) return
+    const ok = window.confirm('Delete this identity? This cannot be undone.')
+    if (!ok) return
+    try {
+      await deleteIdentity({
+        variables: { id },
+        refetchQueries: [
+          { query: GetOrganisationIdentities, variables: { organisationId: organisation?.id } },
+        ],
+      })
+      toast.success('Identity deleted')
+    } catch (e) {
+      toast.error('Failed to delete identity')
+    }
+  }
+
+  // Early return if no read permission
+  if (!canReadIdentities) {
+    return (
+      <EmptyState
+        title="Access restricted"
+        subtitle="You don't have the permissions required to view identities in this organisation."
+        graphic={
+          <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+            <FaBan />
+          </div>
+        }
+      >
+        <></>
+      </EmptyState>
+    )
+  }
+
+  return (
+    <section className="space-y-6">
+      {identities.length === 0 ? (
+        <div className="space-y-8">
+          <div>
+            <h3 className="text-black dark:text-white text-2xl font-semibold">
+              Set up a new identity
+            </h3>
+            <div className="text-neutral-500">
+              Third party identity platforms can be used to authenticate clients and provision
+              access tokens. Select a provider below to get started.
+            </div>
+          </div>
+          {canCreateIdentities ? (
+            <ProviderCards onProviderSelect={handleProviderSelect} />
+          ) : (
+            <EmptyState
+              title="Access restricted"
+              subtitle="You don't have the permissions required to create identities in this organisation."
+              graphic={
+                <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                  <FaBan />
+                </div>
+              }
+            >
+              <></>
+            </EmptyState>
+          )}
+        </div>
+      ) : (
+        <div className="space-y-2">
+          <div className="space-y-1">
+            <div className="text-xl font-semibold">Third-party identities</div>
+            <div className="text-neutral-500">Manage identities used for external auth</div>
+          </div>
+          <div className="space-y-4">
+            {canCreateIdentities && (
+              <div className="flex justify-end">
+                <Button variant="primary" onClick={handleCreateIdentity}>
+                  <FaPlus /> Add identity
+                </Button>
+              </div>
+            )}
+            <div className="py-2">
+              <table className="table-auto min-w-full divide-y divide-zinc-500/40 ">
+                <thead>
+                  <tr>
+                    <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Provider
+                    </th>
+                    <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Name
+                    </th>
+                    <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                      Description
+                    </th>
+                  </tr>
+                </thead>
+                <tbody className="divide-y divide-zinc-500/20">
+                  {identities.map((idn: Identity) => {
+                    const providerInfo = getProviderInfo(idn.provider)
+                    return (
+                      <tr key={idn.id} className="group">
+                        <td className="text-zinc-900 dark:text-zinc-100 font-medium inline-flex items-center gap-2 break-word">
+                          <div className="text-2xl">
+                            <ProviderIcon providerId={providerInfo.iconId} />
+                          </div>
+                          {providerInfo.name}
+                        </td>
+                        <td className="px-6 py-4">
+                          <button
+                            className="text-left font-medium text-zinc-900 dark:text-zinc-100 hover:underline"
+                            onClick={() => handleEditIdentity(idn)}
+                          >
+                            {idn.name}
+                          </button>
+                        </td>
+                        <td className="px-6 py-4 text-neutral-500 max-w-xl truncate">
+                          {idn.description}
+                        </td>
+                        <td className="px-6 py-4 flex items-center justify-end gap-2">
+                          <div className="opacity-0 group-hover:opacity-100 transition ease flex gap-2">
+                            {canUpdateIdentities && (
+                              <Button variant="secondary" onClick={() => handleEditIdentity(idn)}>
+                                <FaEdit /> Edit identity
+                              </Button>
+                            )}
+                            {canDeleteIdentities && (
+                              <Button
+                                variant="danger"
+                                onClick={(e) => {
+                                  e.preventDefault()
+                                  void handleDelete(idn.id)
+                                }}
+                              >
+                                <FaTrashAlt /> Delete
+                              </Button>
+                            )}
+                          </div>
+                        </td>
+                      </tr>
+                    )
+                  })}
+                </tbody>
+              </table>
+            </div>
+          </div>
+        </div>
+      )}
+
+      {/* Identity Provider Selector */}
+      <IdentityProviderSelector
+        isOpen={providerSelectorOpen}
+        onClose={() => setProviderSelectorOpen(false)}
+        organisationId={organisation?.id || ''}
+        onSuccess={handleProviderSelectorSuccess}
+      />
+
+      {/* AWS IAM Edit Dialog */}
+      <AwsIamIdentityDialog
+        isOpen={awsEditDialogOpen}
+        onClose={() => {
+          setAwsEditDialogOpen(false)
+          setEditingIdentity(null)
+        }}
+        organisationId={organisation?.id || ''}
+        identity={editingIdentity}
+        onSuccess={handleAwsEditSuccess}
+      />
+    </section>
+  )
+}

From 4984b74080de63818577d5cd4744cfb1b4d5fa3b Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:57:51 +0530
Subject: [PATCH 41/80] feat: enhance service account page with identity
 management features

- Added ServiceAccountIdentities component to display associated identities for the service account.
- Integrated a CopyButton for the service account ID, improving user experience by allowing easy copying of the ID to the clipboard.
---
 .../[team]/access/service-accounts/[account]/page.tsx | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index 19c2e44ff..05d0b9473 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -24,6 +24,7 @@ import { IPChip } from '../../network/_components/IPChip'
 import { UpdateAccountNetworkPolicies } from '@/components/access/UpdateAccountNetworkPolicies'
 import { ServiceAccountTokens } from './_components/ServiceAccountTokens'
 import { KeyManagementDialog } from '@/components/service-accounts/KeyManagementDialog'
+import { ServiceAccountIdentities } from './_components/ServiceAccountIdentities'
 
 export default function ServiceAccount({ params }: { params: { team: string; account: string } }) {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -167,7 +168,13 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
                 </div>
               )}
             </h3>
-            <span className="text-neutral-500 text-sm font-mono pl-2">{account.id}</span>
+            <CopyButton
+              value={account.id}
+              buttonVariant="ghost"
+              title="Copy Service Account ID to clipboard"
+            >
+              <span className="text-neutral-500 text-sm font-mono pl-2">{account.id}</span>
+            </CopyButton>
             <div className="flex items-center gap-2 text-sm text-neutral-500 mt-1">
               {account.serverSideKeyManagementEnabled ? (
                 <FaServer className="text-neutral-500" />
@@ -320,6 +327,8 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
           )}
         </div>
 
+        <ServiceAccountIdentities account={account} />
+
         {userCanViewNetworkAccess && (
           <div className="py-4">
             <div className="flex items-center justify-between">

From 61d3b767825fbbb1f774d8bb64d9edb5f1617f32 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:58:13 +0530
Subject: [PATCH 42/80] feat: implement ServiceAccountIdentities component for
 managing associated identities

- Added ServiceAccountIdentities component to manage third-party identities linked to a service account.
- Integrated search functionality and toggle options for selecting identities.
- Enhanced user experience with empty state handling and modal dialogs for identity management.
---
 .../_components/ServiceAccountIdentities.tsx  | 254 ++++++++++++++++++
 1 file changed, 254 insertions(+)
 create mode 100644 frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx

diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
new file mode 100644
index 000000000..9b85fb10b
--- /dev/null
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
@@ -0,0 +1,254 @@
+'use client'
+
+import { ServiceAccountType } from '@/apollo/graphql'
+import { organisationContext } from '@/contexts/organisationContext'
+import { useContext, useMemo, useState } from 'react'
+import { Button } from '@/components/common/Button'
+import { EmptyState } from '@/components/common/EmptyState'
+import { Dialog, Transition } from '@headlessui/react'
+import { Fragment } from 'react'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+import { ToggleSwitch } from '@/components/common/ToggleSwitch'
+import { useMutation, useQuery } from '@apollo/client'
+import GetOrganisationIdentities from '@/graphql/queries/identities/getOrganisationIdentities.gql'
+import { GetServiceAccountDetail } from '@/graphql/queries/service-accounts/getServiceAccountDetail.gql'
+import { toast } from 'react-toastify'
+import { KeyManagementDialog } from '@/components/service-accounts/KeyManagementDialog'
+import UpdateServiceAccount from '@/graphql/mutations/service-accounts/updateServiceAccount.gql'
+import { TbLockShare } from 'react-icons/tb'
+import { FaPlus, FaSearch, FaTimesCircle, FaServer } from 'react-icons/fa'
+import clsx from 'clsx'
+
+export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+  const [isOpen, setIsOpen] = useState(false)
+  const { data } = useQuery(GetOrganisationIdentities, {
+    variables: { organisationId: organisation?.id },
+    skip: !organisation,
+  })
+
+  const [updateAccount, { loading }] = useMutation(UpdateServiceAccount)
+
+  const orgIdentities: any[] = data?.identities ?? []
+  const initialSelected = new Set<string>(
+    (account as any).identities?.map((i: any) => i.id as string) ?? []
+  )
+  const [selected, setSelected] = useState<Set<string>>(initialSelected)
+  const [searchQuery, setSearchQuery] = useState('')
+
+  const toggle = (id: string) => {
+    const s = new Set(selected)
+    s.has(id) ? s.delete(id) : s.add(id)
+    setSelected(s)
+  }
+
+  const open = () => {
+    if (!account.serverSideKeyManagementEnabled) {
+      const dlg = document.getElementById('sa-kms-dialog')
+    }
+    setIsOpen(true)
+  }
+  const close = () => setIsOpen(false)
+
+  // Filter identities based on search query
+  const filteredIdentities = orgIdentities.filter(
+    (identity: any) =>
+      identity.name.toLowerCase().includes(searchQuery.toLowerCase()) ||
+      identity.description?.toLowerCase().includes(searchQuery.toLowerCase())
+  )
+
+  const handleSave = async () => {
+    await updateAccount({
+      variables: {
+        serviceAccountId: account.id,
+        name: account.name,
+        roleId: account.role!.id,
+        identityIds: Array.from(selected),
+      },
+      refetchQueries: [
+        { query: GetServiceAccountDetail, variables: { orgId: organisation?.id, id: account.id } },
+      ],
+    })
+    close()
+    toast.success('Updated identities for this account')
+  }
+
+  if (!account.serverSideKeyManagementEnabled) {
+    return (
+      <div className="py-8">
+        <EmptyState
+          title="Enable server-side key management"
+          subtitle="Identities require server-side key management to be enabled to mint tokens automatically."
+          graphic={
+            <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+              <FaServer />
+            </div>
+          }
+        >
+          <KeyManagementDialog serviceAccount={account} />
+        </EmptyState>
+      </div>
+    )
+  }
+
+  return (
+    <div className="py-4">
+      <div className="space-y-2">
+        <div className="space-y-1">
+          <div className="text-xl font-semibold">Identities</div>
+          <div className="flex items-center justify-between">
+            <div className="text-neutral-500">
+              Manage which third-party identities are trusted for this account
+            </div>
+            {(account as any).identities && (account as any).identities.length > 0 && (
+              <Button variant="primary" onClick={() => setIsOpen(true)}>
+                <TbLockShare /> Manage identities
+              </Button>
+            )}
+          </div>
+        </div>
+        <div className="space-y-4">
+          {(account as any).identities && (account as any).identities.length > 0 ? (
+            <div className="divide-y divide-neutral-500/20 py-6">
+              {(account as any).identities.map((identity: any) => (
+                <div key={identity.id} className="flex items-center justify-between gap-2 py-2">
+                  <div className="flex items-center gap-2">
+                    <div className="text-neutral-500 text-xl">
+                      <ProviderIcon providerId="aws" />
+                    </div>
+                    <div className="font-medium text-zinc-900 dark:text-zinc-100">
+                      {identity.name}
+                    </div>
+                  </div>
+                  <div className="text-sm text-neutral-500 truncate max-w-md">
+                    {identity.description}
+                  </div>
+                </div>
+              ))}
+            </div>
+          ) : (
+            <EmptyState
+              title="No identities"
+              subtitle="No identities are enabled for this account."
+              graphic={
+                <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                  <TbLockShare />
+                </div>
+              }
+            >
+              <Button variant="primary" onClick={() => setIsOpen(true)}>
+                <TbLockShare /> Manage identities
+              </Button>
+            </EmptyState>
+          )}
+        </div>
+      </div>
+
+      <Transition appear show={isOpen} as={Fragment}>
+        <Dialog as="div" className="relative z-10" onClose={close}>
+          <Transition.Child
+            as={Fragment}
+            enter="ease-out duration-300"
+            enterFrom="opacity-0"
+            enterTo="opacity-100"
+            leave="ease-in duration-200"
+            leaveFrom="opacity-100"
+            leaveTo="opacity-0"
+          >
+            <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
+          </Transition.Child>
+          <div className="fixed inset-0 overflow-y-auto">
+            <div className="flex min-h-full items-center justify-center p-4 text-center">
+              <Transition.Child
+                as={Fragment}
+                enter="ease-out duration-300"
+                enterFrom="opacity-0 scale-95"
+                enterTo="opacity-100 scale-100"
+                leave="ease-in duration-200"
+                leaveFrom="opacity-100 scale-100"
+                leaveTo="opacity-0 scale-95"
+              >
+                <Dialog.Panel className="w-full max-w-3xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
+                  <Dialog.Title
+                    as="h3"
+                    className="text-lg font-medium leading-6 text-black dark:text-white "
+                  >
+                    Manage identities
+                  </Dialog.Title>
+                  <div className="py-4">
+                    <div className="flex items-center justify-between mb-3">
+                      <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2 w-full max-w-sm">
+                        <div className="">
+                          <FaSearch className="text-neutral-500" />
+                        </div>
+                        <input
+                          placeholder="Search identities"
+                          className="custom bg-zinc-100 dark:bg-zinc-800"
+                          value={searchQuery}
+                          onChange={(e) => setSearchQuery(e.target.value)}
+                        />
+                        <FaTimesCircle
+                          className={clsx(
+                            'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2',
+                            searchQuery ? 'opacity-100' : 'opacity-0'
+                          )}
+                          role="button"
+                          onClick={() => setSearchQuery('')}
+                        />
+                      </div>
+                    </div>
+                    <table className="table-auto min-w-full divide-y divide-zinc-500/40 ">
+                      <thead>
+                        <tr>
+                          <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                            Provider
+                          </th>
+                          <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                            Name
+                          </th>
+                          <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                            Description
+                          </th>
+                          <th className="py-3 px-6 text-right text-xs font-medium text-gray-500 uppercase tracking-wider">
+                            Enabled
+                          </th>
+                        </tr>
+                      </thead>
+                      <tbody className="divide-y divide-zinc-500/20">
+                        {filteredIdentities.map((idn: any) => (
+                          <tr key={idn.id} className="group">
+                            <td className="text-zinc-900 dark:text-zinc-100 font-medium inline-flex items-center gap-1 break-word">
+                              <div className="text-xl">
+                                <ProviderIcon providerId="aws" />
+                              </div>
+                            </td>
+                            <td className="px-6 py-4">{idn.name}</td>
+                            <td className="px-6 py-4 text-neutral-500">{idn.description}</td>
+                            <td className="px-6 py-4 flex items-center justify-end gap-2">
+                              <ToggleSwitch
+                                value={selected.has(idn.id)}
+                                onToggle={() => toggle(idn.id)}
+                              />
+                            </td>
+                          </tr>
+                        ))}
+                      </tbody>
+                    </table>
+                    <div className="flex items-center justify-between mt-4">
+                      <Button variant="secondary" onClick={close}>
+                        Cancel
+                      </Button>
+                      <Button variant="primary" onClick={handleSave} isLoading={loading}>
+                        Save
+                      </Button>
+                    </div>
+                  </div>
+                </Dialog.Panel>
+              </Transition.Child>
+            </div>
+          </div>
+        </Dialog>
+      </Transition>
+    </div>
+  )
+}

From bc0a69bdb4fdaad8b8cf9a745aea0a208b9860ed Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:59:09 +0530
Subject: [PATCH 43/80] feat: add IdentityProviderSelector component for
 selecting identity providers

- Introduced the IdentityProviderSelector component to facilitate the selection of identity providers for creating new identities.
- Integrated AWS IAM provider selection with a dialog for additional configuration.
- Enhanced user experience with a modal interface and improved accessibility for managing identity providers.
---
 .../identities/IdentityProviderSelector.tsx   | 108 ++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 frontend/components/identities/IdentityProviderSelector.tsx

diff --git a/frontend/components/identities/IdentityProviderSelector.tsx b/frontend/components/identities/IdentityProviderSelector.tsx
new file mode 100644
index 000000000..836abf774
--- /dev/null
+++ b/frontend/components/identities/IdentityProviderSelector.tsx
@@ -0,0 +1,108 @@
+import { useState } from 'react'
+import { Dialog, Transition } from '@headlessui/react'
+import { Fragment } from 'react'
+import { Button } from '../common/Button'
+import { FaTimes } from 'react-icons/fa'
+import { AwsIamIdentityDialog } from './providers/aws/iam'
+import { ProviderCards } from './ProviderCards'
+
+interface IdentityProviderSelectorProps {
+  isOpen: boolean
+  onClose: () => void
+  organisationId: string
+  onSuccess: () => void
+}
+
+export const IdentityProviderSelector = ({
+  isOpen,
+  onClose,
+  organisationId,
+  onSuccess,
+}: IdentityProviderSelectorProps) => {
+  const [selectedProvider, setSelectedProvider] = useState<string | null>(null)
+  const [awsIamDialogOpen, setAwsIamDialogOpen] = useState(false)
+
+  const handleProviderSelect = (providerId: string) => {
+    setSelectedProvider(providerId)
+    if (providerId === 'aws_iam') {
+      setAwsIamDialogOpen(true)
+      onClose()
+    }
+    // Future providers can be handled here
+  }
+
+  const handleAwsIamSuccess = () => {
+    setAwsIamDialogOpen(false)
+    setSelectedProvider(null)
+    onSuccess()
+  }
+
+  const handleAwsIamClose = () => {
+    setAwsIamDialogOpen(false)
+    setSelectedProvider(null)
+  }
+
+  return (
+    <>
+      <Transition appear show={isOpen} as={Fragment}>
+        <Dialog as="div" className="relative z-10" onClose={onClose}>
+          <Transition.Child
+            as={Fragment}
+            enter="ease-out duration-300"
+            enterFrom="opacity-0"
+            enterTo="opacity-100"
+            leave="ease-in duration-200"
+            leaveFrom="opacity-100"
+            leaveTo="opacity-0"
+          >
+            <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
+          </Transition.Child>
+          <div className="fixed inset-0 overflow-y-auto">
+            <div className="flex min-h-full items-center justify-center p-4 text-center">
+              <Transition.Child
+                as={Fragment}
+                enter="ease-out duration-300"
+                enterFrom="opacity-0 scale-95"
+                enterTo="opacity-100 scale-100"
+                leave="ease-in duration-200"
+                leaveFrom="opacity-100 scale-100"
+                leaveTo="opacity-0 scale-95"
+              >
+                <Dialog.Panel className="w-full max-w-4xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
+                  <div className="flex items-start justify-between">
+                    <div>
+                      <Dialog.Title
+                        as="h3"
+                        className="text-2xl font-semibold text-black dark:text-white"
+                      >
+                        Add Identity Provider
+                      </Dialog.Title>
+                      <div className="text-neutral-500 text-sm">
+                        Select a provider below to create a new identity.
+                      </div>
+                    </div>
+                    <Button variant="text" onClick={onClose} title="Close">
+                      <FaTimes className="text-zinc-900 dark:text-zinc-400" />
+                    </Button>
+                  </div>
+
+                  <div className="space-y-8 py-8">
+                    <ProviderCards onProviderSelect={handleProviderSelect} />
+                  </div>
+                </Dialog.Panel>
+              </Transition.Child>
+            </div>
+          </div>
+        </Dialog>
+      </Transition>
+
+      {/* AWS IAM Identity Dialog */}
+      <AwsIamIdentityDialog
+        isOpen={awsIamDialogOpen}
+        onClose={handleAwsIamClose}
+        organisationId={organisationId}
+        onSuccess={handleAwsIamSuccess}
+      />
+    </>
+  )
+}

From 5553582135cad78e56312b1a8009df6fb3537ded Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 22:59:29 +0530
Subject: [PATCH 44/80] feat: add ProviderCards component for displaying
 identity providers

- Introduced the ProviderCards component to render a grid of identity providers.
- Integrated Apollo Client to fetch identity provider data via GraphQL.
- Enhanced user interaction with clickable cards for selecting providers, improving the identity selection process.
---
 .../components/identities/ProviderCards.tsx   | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 frontend/components/identities/ProviderCards.tsx

diff --git a/frontend/components/identities/ProviderCards.tsx b/frontend/components/identities/ProviderCards.tsx
new file mode 100644
index 000000000..ee4358b97
--- /dev/null
+++ b/frontend/components/identities/ProviderCards.tsx
@@ -0,0 +1,63 @@
+import { Card } from '../common/Card'
+import { ProviderIcon } from '../syncing/ProviderIcon'
+import { FaArrowRight } from 'react-icons/fa'
+import { useQuery } from '@apollo/client'
+import GetIdentityProviders from '@/graphql/queries/identities/getIdentityProviders.gql'
+
+interface IdentityProvider {
+  id: string
+  name: string
+  description: string
+  iconId: string
+  supported: boolean
+}
+
+const ProviderCard = ({
+  provider,
+  onClick,
+}: {
+  provider: IdentityProvider
+  onClick: () => void
+}) => {
+  return (
+    <Card>
+      <button className="w-full" onClick={onClick}>
+        <div className="flex flex-auto gap-4 cursor-pointer">
+          <div className="text-4xl">
+            <ProviderIcon providerId={provider.iconId} />
+          </div>
+          <div className="flex flex-col gap-6 text-left">
+            <div>
+              <div className="text-black dark:text-white text-lg font-semibold">
+                {provider.name}
+              </div>
+              <div className="text-neutral-500 text-sm">{provider.description}</div>
+            </div>
+            <div className="text-emerald-500 flex items-center gap-1 font-medium text-sm">
+              Create <FaArrowRight />
+            </div>
+          </div>
+        </div>
+      </button>
+    </Card>
+  )
+}
+
+interface ProviderCardsProps {
+  onProviderSelect: (providerId: string) => void
+}
+
+export const ProviderCards = ({ onProviderSelect }: ProviderCardsProps) => {
+  const { data } = useQuery(GetIdentityProviders)
+  const providers: IdentityProvider[] = data?.identityProviders ?? []
+
+  return (
+    <div className="grid grid-cols-1 sm:grid-cols-2 xl:grid-cols-4 gap-8 max-w-screen-lg">
+      {providers.map((provider) => (
+        <div key={provider.id}>
+          <ProviderCard provider={provider} onClick={() => onProviderSelect(provider.id)} />
+        </div>
+      ))}
+    </div>
+  )
+}

From aecfce08a0956fc9d20c08c592942014d0b358e2 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 23:00:26 +0530
Subject: [PATCH 45/80] feat: add AwsIamIdentityDialog component for AWS IAM
 identity management

- Introduced the AwsIamIdentityDialog component to facilitate the creation and updating of AWS IAM identities.
- Integrated Apollo Client for GraphQL mutations and queries to manage identity configurations.
- Enhanced user experience with a modal interface for configuring trusted entities, token settings, and STS endpoints.
- Implemented form validation and state management for identity attributes, improving usability and error handling.
---
 .../identities/providers/aws/iam.tsx          | 580 ++++++++++++++++++
 1 file changed, 580 insertions(+)
 create mode 100644 frontend/components/identities/providers/aws/iam.tsx

diff --git a/frontend/components/identities/providers/aws/iam.tsx b/frontend/components/identities/providers/aws/iam.tsx
new file mode 100644
index 000000000..5a82b8b6c
--- /dev/null
+++ b/frontend/components/identities/providers/aws/iam.tsx
@@ -0,0 +1,580 @@
+'use client'
+
+import { useState, Fragment, useEffect, useMemo } from 'react'
+import { useMutation, useQuery } from '@apollo/client'
+import GetAwsStsEndpoints from '@/graphql/queries/identities/getAwsStsEndpoints.gql'
+import CreateIdentity from '@/graphql/mutations/identities/createIdentity.gql'
+import UpdateIdentity from '@/graphql/mutations/identities/updateIdentity.gql'
+import { Dialog, Transition, Combobox } from '@headlessui/react'
+import { Input } from '@/components/common/Input'
+import { Button } from '@/components/common/Button'
+import { FaTimes, FaChevronDown, FaCheckCircle } from 'react-icons/fa'
+import { LiaAws } from 'react-icons/lia'
+import { toast } from 'react-toastify'
+import clsx from 'clsx'
+import { parseTTL, formatTTL, isValidTTL, getTTLExamples } from '@/utils/ttl'
+
+type AwsIamConfig = {
+  trustedPrincipals: string[]
+  signatureTtlSeconds: number
+  stsEndpoint: string
+}
+
+type Identity = {
+  id: string
+  provider: string
+  name: string
+  description?: string | null
+  config: AwsIamConfig
+  tokenNamePattern?: string | null
+  defaultTtlSeconds: number
+  maxTtlSeconds: number
+}
+
+type AwsStsEndpoint = {
+  regionCode: string | null
+  regionName: string
+  endpoint: string
+}
+
+interface AwsIamIdentityDialogProps {
+  isOpen: boolean
+  onClose: () => void
+  organisationId: string
+  identity?: Identity | null
+  onSuccess: () => void
+}
+
+export const AwsIamIdentityDialog = ({
+  isOpen,
+  onClose,
+  organisationId,
+  identity,
+  onSuccess,
+}: AwsIamIdentityDialogProps) => {
+  const { data: stsData } = useQuery(GetAwsStsEndpoints)
+  const [createIdentity, { loading: creating }] = useMutation(CreateIdentity)
+  const [updateIdentity, { loading: updating }] = useMutation(UpdateIdentity)
+
+  const [initialState, setInitialState] = useState<{
+    name: string
+    description: string
+    trustedPrincipals: string
+    signatureTtlInput: string
+    signatureTtlSeconds: number
+    stsEndpoint: string
+    tokenNamePattern: string
+    defaultTtlInput: string
+    maxTtlInput: string
+    defaultTtlSeconds: number
+    maxTtlSeconds: number
+  } | null>(null)
+
+  // Form state
+  const [name, setName] = useState('')
+  const [description, setDescription] = useState('')
+  const [trustedPrincipals, setTrustedPrincipals] = useState('')
+  const [signatureTtlInput, setSignatureTtlInput] = useState<string>('60s')
+  const [signatureTtlSeconds, setSignatureTtlSeconds] = useState<number>(60)
+  const [useCustomEndpoint, setUseCustomEndpoint] = useState<boolean>(false)
+  const [stsEndpoint, setStsEndpoint] = useState<string>('https://sts.amazonaws.com')
+  const [selectedStsEndpoint, setSelectedStsEndpoint] = useState<AwsStsEndpoint | null>(null)
+  const [stsQuery, setStsQuery] = useState('')
+  const [tokenNamePattern, setTokenNamePattern] = useState('')
+  const [defaultTtlInput, setDefaultTtlInput] = useState<string>('1h')
+  const [maxTtlInput, setMaxTtlInput] = useState<string>('24h')
+  const [defaultTtlSeconds, setDefaultTtlSeconds] = useState<number>(3600)
+  const [maxTtlSeconds, setMaxTtlSeconds] = useState<number>(86400)
+
+  const awsStsEndpoints: AwsStsEndpoint[] = useMemo(() => {
+    try {
+      return (stsData?.awsStsEndpoints || []).map((raw: string) => JSON.parse(raw))
+    } catch {
+      return []
+    }
+  }, [stsData])
+
+  const filteredStsEndpoints = awsStsEndpoints.filter((endpoint) => {
+    if (stsQuery === '') {
+      return true
+    }
+    const queryLower = stsQuery.toLowerCase()
+    const regionNameMatches = endpoint.regionName?.toLowerCase().includes(queryLower) || false
+    const regionCodeMatches = endpoint.regionCode?.toLowerCase().includes(queryLower) || false
+    const endpointMatches = endpoint.endpoint?.toLowerCase().includes(queryLower) || false
+
+    return regionNameMatches || regionCodeMatches || endpointMatches
+  })
+
+  const handleDefaultTtlChange = (value: string) => {
+    setDefaultTtlInput(value)
+    if (isValidTTL(value)) {
+      setDefaultTtlSeconds(parseTTL(value))
+    }
+  }
+
+  const handleMaxTtlChange = (value: string) => {
+    setMaxTtlInput(value)
+    if (isValidTTL(value)) {
+      setMaxTtlSeconds(parseTTL(value))
+    }
+  }
+
+  const handleSignatureTtlChange = (value: string) => {
+    setSignatureTtlInput(value)
+    if (isValidTTL(value)) {
+      setSignatureTtlSeconds(parseTTL(value))
+    }
+  }
+
+  const resetForm = () => {
+    setName('')
+    setDescription('')
+    setTrustedPrincipals('')
+    setSignatureTtlInput('60s')
+    setSignatureTtlSeconds(60)
+    setUseCustomEndpoint(false)
+    setStsEndpoint('https://sts.amazonaws.com')
+    setSelectedStsEndpoint(null)
+    setStsQuery('')
+    setTokenNamePattern('')
+    setDefaultTtlInput('1h')
+    setMaxTtlInput('24h')
+    setDefaultTtlSeconds(3600)
+    setMaxTtlSeconds(86400)
+    setInitialState({
+      name: '',
+      description: '',
+      trustedPrincipals: '',
+      signatureTtlInput: '60s',
+      signatureTtlSeconds: 60,
+      stsEndpoint: 'https://sts.amazonaws.com',
+      tokenNamePattern: '',
+      defaultTtlInput: '1h',
+      maxTtlInput: '24h',
+      defaultTtlSeconds: 3600,
+      maxTtlSeconds: 86400,
+    })
+  }
+
+  useEffect(() => {
+    if (isOpen) {
+      if (identity) {
+        // Populate form with identity data
+        setName(identity.name)
+        setDescription(identity.description || '')
+        setTrustedPrincipals(identity.config.trustedPrincipals.join(', '))
+        setSignatureTtlInput(formatTTL(identity.config.signatureTtlSeconds))
+        setSignatureTtlSeconds(identity.config.signatureTtlSeconds)
+        setStsEndpoint(identity.config.stsEndpoint)
+
+        const existingEndpoint = awsStsEndpoints.find(
+          (ep) => ep.endpoint === identity.config.stsEndpoint
+        )
+        setUseCustomEndpoint(!existingEndpoint)
+        setSelectedStsEndpoint(existingEndpoint || null)
+        setStsQuery('')
+
+        setTokenNamePattern(identity.tokenNamePattern || '')
+        setDefaultTtlInput(formatTTL(identity.defaultTtlSeconds))
+        setMaxTtlInput(formatTTL(identity.maxTtlSeconds))
+        setDefaultTtlSeconds(identity.defaultTtlSeconds)
+        setMaxTtlSeconds(identity.maxTtlSeconds)
+        setInitialState({
+          name: identity.name,
+          description: identity.description || '',
+          trustedPrincipals: identity.config.trustedPrincipals.join(', '),
+          signatureTtlInput: formatTTL(identity.config.signatureTtlSeconds),
+          signatureTtlSeconds: identity.config.signatureTtlSeconds,
+          stsEndpoint: identity.config.stsEndpoint,
+          tokenNamePattern: identity.tokenNamePattern || '',
+          defaultTtlInput: formatTTL(identity.defaultTtlSeconds),
+          maxTtlInput: formatTTL(identity.maxTtlSeconds),
+          defaultTtlSeconds: identity.defaultTtlSeconds,
+          maxTtlSeconds: identity.maxTtlSeconds,
+        })
+      } else {
+        resetForm()
+        // Set default to Global (Legacy) endpoint if available
+        if (awsStsEndpoints.length > 0) {
+          const globalEndpoint = awsStsEndpoints.find(
+            (ep) => ep.endpoint === 'https://sts.amazonaws.com'
+          )
+          if (globalEndpoint) {
+            setSelectedStsEndpoint(globalEndpoint)
+            setStsEndpoint(globalEndpoint.endpoint)
+            setUseCustomEndpoint(false)
+          }
+        }
+      }
+    }
+  }, [isOpen, identity, awsStsEndpoints])
+
+  const handleSave = async () => {
+    // Client-side guard to avoid firing mutation and duplicating toasts
+    if (defaultTtlSeconds > maxTtlSeconds) {
+      toast.error('Default token expiry must be less than or equal to Maximum token expiry')
+      return
+    }
+    if (trustedPrincipals.trim() === '*') {
+      toast.error("'*' is not allowed as a trusted principal pattern")
+      return
+    }
+    if (!stsEndpoint || stsEndpoint.trim() === '') {
+      toast.error('Please select an STS endpoint')
+      return
+    }
+
+    try {
+      if (identity) {
+        await updateIdentity({
+          variables: {
+            id: identity.id,
+            name,
+            description: description || null,
+            trustedPrincipals,
+            signatureTtlSeconds,
+            stsEndpoint,
+            tokenNamePattern: tokenNamePattern || null,
+            defaultTtlSeconds,
+            maxTtlSeconds,
+          },
+        })
+        toast.success('Identity updated')
+      } else {
+        await createIdentity({
+          variables: {
+            organisationId,
+            provider: 'aws_iam',
+            name,
+            description: description || null,
+            trustedPrincipals,
+            signatureTtlSeconds,
+            stsEndpoint,
+            tokenNamePattern: tokenNamePattern || null,
+            defaultTtlSeconds,
+            maxTtlSeconds,
+          },
+        })
+        toast.success('Identity created')
+      }
+      onSuccess()
+      onClose()
+    } catch (e: any) {
+      const hasGraphQLErrors = Array.isArray(e?.graphQLErrors) && e.graphQLErrors.length > 0
+      if (!hasGraphQLErrors) {
+        toast.error('Failed to save identity')
+      } else {
+        toast.error(e.message)
+      }
+    }
+  }
+
+  const isSaving = creating || updating
+
+  const hasChanges = useMemo(() => {
+    if (!initialState) return true
+    return (
+      name !== initialState.name ||
+      description !== initialState.description ||
+      trustedPrincipals !== initialState.trustedPrincipals ||
+      signatureTtlInput !== initialState.signatureTtlInput ||
+      stsEndpoint !== initialState.stsEndpoint ||
+      tokenNamePattern !== initialState.tokenNamePattern ||
+      defaultTtlInput !== initialState.defaultTtlInput ||
+      maxTtlInput !== initialState.maxTtlInput
+    )
+  }, [
+    name,
+    description,
+    trustedPrincipals,
+    signatureTtlInput,
+    stsEndpoint,
+    tokenNamePattern,
+    defaultTtlInput,
+    maxTtlInput,
+    initialState,
+  ])
+
+  return (
+    <Transition appear show={isOpen} as={Fragment}>
+      <Dialog as="div" className="relative z-10" onClose={onClose}>
+        <Transition.Child
+          as={Fragment}
+          enter="ease-out duration-300"
+          enterFrom="opacity-0"
+          enterTo="opacity-100"
+          leave="ease-in duration-200"
+          leaveFrom="opacity-100"
+          leaveTo="opacity-0"
+        >
+          <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
+        </Transition.Child>
+        <div className="fixed inset-0 overflow-y-auto">
+          <div className="flex min-h-full items-center justify-center p-4 text-center">
+            <Transition.Child
+              as={Fragment}
+              enter="ease-out duration-300"
+              enterFrom="opacity-0 scale-95"
+              enterTo="opacity-100 scale-100"
+              leave="ease-in duration-200"
+              leaveFrom="opacity-100 scale-100"
+              leaveTo="opacity-0 scale-95"
+            >
+              <Dialog.Panel className="w-full max-w-2xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
+                <div className="flex items-start justify-between">
+                  <div className="flex items-center gap-3">
+                    <LiaAws className="text-3xl text-orange-500" />
+                    <div>
+                      <Dialog.Title
+                        as="h3"
+                        className="text-2xl font-semibold text-black dark:text-white"
+                      >
+                        AWS IAM Identity
+                      </Dialog.Title>
+                      <div className="text-neutral-500 text-sm">
+                        Configure trusted entities and token settings
+                      </div>
+                    </div>
+                  </div>
+                  <Button variant="text" onClick={onClose} title="Close">
+                    <FaTimes className="text-zinc-900 dark:text-zinc-400" />
+                  </Button>
+                </div>
+
+                <div className="space-y-6 py-4">
+                  <div className="space-y-2">
+                    <Input
+                      value={name}
+                      setValue={setName}
+                      label="Identity name"
+                      placeholder="e.g. prod-ec2-identity"
+                      required
+                      maxLength={100}
+                    />
+                    <Input
+                      value={description}
+                      setValue={setDescription}
+                      label="Description (optional)"
+                      placeholder="e.g. production EC2 autoscaling group"
+                    />
+                  </div>
+
+                  <div className="space-y-2">
+                    <div className="font-medium text-black dark:text-white">Trusted entities</div>
+                    <div className="space-y-2">
+                      <label className="block text-neutral-500 text-sm font-bold mb-2">
+                        Trusted principal ARNs <span className="text-red-500 ml-1">*</span>
+                      </label>
+                      <textarea
+                        rows={2}
+                        value={trustedPrincipals}
+                        className="w-full"
+                        onChange={(e) => setTrustedPrincipals(e.target.value)}
+                        placeholder="arn:aws:iam::123456789012:user/MyUser, arn:aws:sts::123456789012:assumed-role/MyRole/*"
+                        required
+                      />
+                    </div>
+                    <Input
+                      value={signatureTtlInput}
+                      setValue={handleSignatureTtlChange}
+                      label="Signatures expiry"
+                      placeholder={getTTLExamples().join(', ')}
+                      required
+                    />
+                    <div className="relative">
+                      <Combobox
+                        as="div"
+                        value={useCustomEndpoint ? null : selectedStsEndpoint}
+                        onChange={(endpoint: AwsStsEndpoint | null) => {
+                          if (endpoint) {
+                            setSelectedStsEndpoint(endpoint)
+                            setStsEndpoint(endpoint.endpoint)
+                            setUseCustomEndpoint(false)
+                          }
+                        }}
+                      >
+                        {({ open }) => (
+                          <>
+                            <div className="space-y-2">
+                              <Combobox.Label as={Fragment}>
+                                <label className="block text-neutral-500 text-sm">
+                                  STS Endpoint <span className="text-red-500 ml-1">*</span>
+                                </label>
+                              </Combobox.Label>
+                              <div className="w-full relative flex items-center">
+                                <Combobox.Input
+                                  className="w-full"
+                                  onChange={(event) => setStsQuery(event.target.value)}
+                                  required
+                                  placeholder={
+                                    stsQuery || selectedStsEndpoint ? '' : 'Select STS region'
+                                  }
+                                  displayValue={(endpoint: AwsStsEndpoint) => {
+                                    if (useCustomEndpoint) {
+                                      return 'Custom endpoint'
+                                    }
+                                    if (endpoint) {
+                                      return `${endpoint.regionName} — ${endpoint.endpoint}`
+                                    }
+                                    return stsQuery || ''
+                                  }}
+                                />
+                                <div className="absolute inset-y-0 right-2 flex items-center">
+                                  <Combobox.Button>
+                                    <FaChevronDown
+                                      className={clsx(
+                                        'text-neutral-500 transform transition ease cursor-pointer',
+                                        open ? 'rotate-180' : 'rotate-0'
+                                      )}
+                                    />
+                                  </Combobox.Button>
+                                </div>
+                              </div>
+                            </div>
+                            <Transition
+                              enter="transition duration-100 ease-out"
+                              enterFrom="transform scale-95 opacity-0"
+                              enterTo="transform scale-100 opacity-100"
+                              leave="transition duration-75 ease-out"
+                              leaveFrom="transform scale-100 opacity-100"
+                              leaveTo="transform scale-95 opacity-0"
+                            >
+                              <Combobox.Options as={Fragment}>
+                                <div className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-b-md shadow-2xl z-20 absolute max-h-96 overflow-y-auto w-full border border-t-none border-neutral-500/20">
+                                  {filteredStsEndpoints.map((endpoint: AwsStsEndpoint) => (
+                                    <Combobox.Option
+                                      as="div"
+                                      key={`${endpoint.regionName}-${endpoint.regionCode || 'global'}`}
+                                      value={endpoint}
+                                    >
+                                      {({ active, selected }) => (
+                                        <div
+                                          className={clsx(
+                                            'flex items-center justify-between gap-2 p-2 cursor-pointer w-full border-b border-neutral-500/20',
+                                            active && 'bg-zinc-300 dark:bg-zinc-700'
+                                          )}
+                                        >
+                                          <div className="flex items-center gap-2">
+                                            <LiaAws className="shrink-0 text-orange-500" />
+                                            <div>
+                                              <div className="font-semibold text-black dark:text-white">
+                                                {endpoint.regionName}
+                                              </div>
+                                              <div className="text-neutral-500 text-2xs">
+                                                {endpoint.endpoint}
+                                              </div>
+                                            </div>
+                                          </div>
+                                          {selected && (
+                                            <FaCheckCircle className="shrink-0 text-emerald-500" />
+                                          )}
+                                        </div>
+                                      )}
+                                    </Combobox.Option>
+                                  ))}
+                                  <Combobox.Option
+                                    as="div"
+                                    value={null}
+                                    onClick={() => {
+                                      setUseCustomEndpoint(true)
+                                      setSelectedStsEndpoint(null)
+                                      setStsEndpoint('')
+                                      setStsQuery('')
+                                    }}
+                                  >
+                                    {({ active }) => (
+                                      <div
+                                        className={clsx(
+                                          'flex items-center gap-2 p-2 cursor-pointer w-full',
+                                          active && 'bg-zinc-300 dark:bg-zinc-700'
+                                        )}
+                                      >
+                                        <LiaAws className="shrink-0 text-orange-500" />
+                                        <div>
+                                          <div className="font-semibold text-black dark:text-white">
+                                            Custom endpoint
+                                          </div>
+                                          <div className="text-neutral-500 text-2xs">
+                                            Specify your own STS endpoint
+                                          </div>
+                                        </div>
+                                      </div>
+                                    )}
+                                  </Combobox.Option>
+                                </div>
+                              </Combobox.Options>
+                            </Transition>
+                          </>
+                        )}
+                      </Combobox>
+                    </div>
+                    {useCustomEndpoint && (
+                      <Input
+                        value={stsEndpoint}
+                        setValue={setStsEndpoint}
+                        placeholder="https://sts.<region>.amazonaws.com"
+                        required
+                      />
+                    )}
+                  </div>
+
+                  <div className="py-2">
+                    <div className="border-b border-neutral-500/40 w-full"></div>
+                  </div>
+
+                  <div className="space-y-4">
+                    <div className="font-medium text-black dark:text-white">
+                      Token configuration
+                    </div>
+                    <Input
+                      value={tokenNamePattern}
+                      setValue={setTokenNamePattern}
+                      label="Token name prefix or suffix"
+                      placeholder="Optional identifier (e.g. prod, staging)"
+                    />
+                    <div className="grid grid-cols-1 sm:grid-cols-2 gap-4">
+                      <Input
+                        value={defaultTtlInput}
+                        setValue={handleDefaultTtlChange}
+                        label="Default TTL"
+                        placeholder={getTTLExamples().join(', ')}
+                        required
+                      />
+                      <Input
+                        value={maxTtlInput}
+                        setValue={handleMaxTtlChange}
+                        label="Max TTL"
+                        placeholder={getTTLExamples().join(', ')}
+                        required
+                      />
+                    </div>
+                  </div>
+
+                  <div className="flex items-center justify-end mt-4">
+                    <Button
+                      variant="primary"
+                      onClick={handleSave}
+                      isLoading={isSaving}
+                      disabled={
+                        !hasChanges ||
+                        !name ||
+                        !trustedPrincipals ||
+                        !stsEndpoint ||
+                        !isValidTTL(signatureTtlInput) ||
+                        !isValidTTL(defaultTtlInput) ||
+                        !isValidTTL(maxTtlInput)
+                      }
+                    >
+                      Save
+                    </Button>
+                  </div>
+                </div>
+              </Dialog.Panel>
+            </Transition.Child>
+          </div>
+        </div>
+      </Dialog>
+    </Transition>
+  )
+}

From 6d9c348e3c9b8644e0a84a882c888aa1cd479b60 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 23:01:10 +0530
Subject: [PATCH 46/80] feat: add GraphQL mutations and queries for identity
 management

- Introduced mutations for creating, updating, and deleting identities, enhancing the identity management capabilities.
- Added queries to retrieve AWS STS endpoints, identity providers, and organisation-specific identities, improving data accessibility.
- Enhanced the service account detail query to include associated identities, providing a comprehensive view of identity relationships.
---
 .../mutations/identities/createIdentity.gql   | 42 +++++++++++++++++++
 .../mutations/identities/deleteIdentity.gql   |  5 +++
 .../mutations/identities/updateIdentity.gql   | 39 +++++++++++++++++
 .../service-accounts/updateServiceAccount.gql |  5 ++-
 .../queries/identities/getAwsStsEndpoints.gql |  3 ++
 .../identities/getIdentityProviders.gql       |  9 ++++
 .../identities/getOrganisationIdentities.gql  | 19 +++++++++
 .../getServiceAccountDetail.gql               |  1 +
 8 files changed, 121 insertions(+), 2 deletions(-)
 create mode 100644 frontend/graphql/mutations/identities/createIdentity.gql
 create mode 100644 frontend/graphql/mutations/identities/deleteIdentity.gql
 create mode 100644 frontend/graphql/mutations/identities/updateIdentity.gql
 create mode 100644 frontend/graphql/queries/identities/getAwsStsEndpoints.gql
 create mode 100644 frontend/graphql/queries/identities/getIdentityProviders.gql
 create mode 100644 frontend/graphql/queries/identities/getOrganisationIdentities.gql

diff --git a/frontend/graphql/mutations/identities/createIdentity.gql b/frontend/graphql/mutations/identities/createIdentity.gql
new file mode 100644
index 000000000..31be99b2d
--- /dev/null
+++ b/frontend/graphql/mutations/identities/createIdentity.gql
@@ -0,0 +1,42 @@
+mutation CreateIdentity(
+  $organisationId: ID!
+  $provider: String!
+  $name: String!
+  $description: String
+  $trustedPrincipals: String!
+  $signatureTtlSeconds: Int
+  $stsEndpoint: String
+  $tokenNamePattern: String
+  $defaultTtlSeconds: Int!
+  $maxTtlSeconds: Int!
+) {
+  createIdentity(
+    organisationId: $organisationId
+    provider: $provider
+    name: $name
+    description: $description
+    trustedPrincipals: $trustedPrincipals
+    signatureTtlSeconds: $signatureTtlSeconds
+    stsEndpoint: $stsEndpoint
+    tokenNamePattern: $tokenNamePattern
+    defaultTtlSeconds: $defaultTtlSeconds
+    maxTtlSeconds: $maxTtlSeconds
+  ) {
+    identity {
+      id
+      provider
+      name
+      description
+      config {
+        ... on AwsIamConfigType {
+          trustedPrincipals
+          signatureTtlSeconds
+          stsEndpoint
+        }
+      }
+      tokenNamePattern
+      defaultTtlSeconds
+      maxTtlSeconds
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/identities/deleteIdentity.gql b/frontend/graphql/mutations/identities/deleteIdentity.gql
new file mode 100644
index 000000000..17b0a3ed1
--- /dev/null
+++ b/frontend/graphql/mutations/identities/deleteIdentity.gql
@@ -0,0 +1,5 @@
+mutation DeleteIdentity($id: ID!) {
+  deleteIdentity(id: $id) {
+    ok
+  }
+}
\ No newline at end of file
diff --git a/frontend/graphql/mutations/identities/updateIdentity.gql b/frontend/graphql/mutations/identities/updateIdentity.gql
new file mode 100644
index 000000000..7ba379c80
--- /dev/null
+++ b/frontend/graphql/mutations/identities/updateIdentity.gql
@@ -0,0 +1,39 @@
+mutation UpdateIdentity(
+  $id: ID!
+  $name: String
+  $description: String
+  $trustedPrincipals: String
+  $signatureTtlSeconds: Int
+  $stsEndpoint: String
+  $tokenNamePattern: String
+  $defaultTtlSeconds: Int
+  $maxTtlSeconds: Int
+) {
+  updateIdentity(
+    id: $id
+    name: $name
+    description: $description
+    trustedPrincipals: $trustedPrincipals
+    signatureTtlSeconds: $signatureTtlSeconds
+    stsEndpoint: $stsEndpoint
+    tokenNamePattern: $tokenNamePattern
+    defaultTtlSeconds: $defaultTtlSeconds
+    maxTtlSeconds: $maxTtlSeconds
+  ) {
+    identity {
+      id
+      name
+      description
+      config {
+        ... on AwsIamConfigType {
+          trustedPrincipals
+          signatureTtlSeconds
+          stsEndpoint
+        }
+      }
+      tokenNamePattern
+      defaultTtlSeconds
+      maxTtlSeconds
+    }
+  }
+}
diff --git a/frontend/graphql/mutations/service-accounts/updateServiceAccount.gql b/frontend/graphql/mutations/service-accounts/updateServiceAccount.gql
index d88859d4a..a378b102b 100644
--- a/frontend/graphql/mutations/service-accounts/updateServiceAccount.gql
+++ b/frontend/graphql/mutations/service-accounts/updateServiceAccount.gql
@@ -1,5 +1,5 @@
-mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {
-  updateServiceAccount(serviceAccountId: $serviceAccountId, name: $name, roleId: $roleId) {
+mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {
+  updateServiceAccount(serviceAccountId: $serviceAccountId, name: $name, roleId: $roleId, identityIds: $identityIds) {
     serviceAccount {
       id
       name
@@ -9,6 +9,7 @@ mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId:
         description
         permissions
       }
+      identities { id name }
     }
   }
 }
diff --git a/frontend/graphql/queries/identities/getAwsStsEndpoints.gql b/frontend/graphql/queries/identities/getAwsStsEndpoints.gql
new file mode 100644
index 000000000..8521c57a5
--- /dev/null
+++ b/frontend/graphql/queries/identities/getAwsStsEndpoints.gql
@@ -0,0 +1,3 @@
+query GetAwsStsEndpoints {
+  awsStsEndpoints
+}
diff --git a/frontend/graphql/queries/identities/getIdentityProviders.gql b/frontend/graphql/queries/identities/getIdentityProviders.gql
new file mode 100644
index 000000000..6d0eb173d
--- /dev/null
+++ b/frontend/graphql/queries/identities/getIdentityProviders.gql
@@ -0,0 +1,9 @@
+query GetIdentityProviders {
+  identityProviders {
+    id
+    name
+    description
+    iconId
+    supported
+  }
+}
diff --git a/frontend/graphql/queries/identities/getOrganisationIdentities.gql b/frontend/graphql/queries/identities/getOrganisationIdentities.gql
new file mode 100644
index 000000000..4656d1eb9
--- /dev/null
+++ b/frontend/graphql/queries/identities/getOrganisationIdentities.gql
@@ -0,0 +1,19 @@
+query GetOrganisationIdentities($organisationId: ID!) {
+  identities(organisationId: $organisationId) {
+    id
+    provider
+    name
+    description
+    config {
+      ... on AwsIamConfigType {
+        trustedPrincipals
+        signatureTtlSeconds
+        stsEndpoint
+      }
+    }
+    tokenNamePattern
+    defaultTtlSeconds
+    maxTtlSeconds
+    createdAt
+  }
+}
diff --git a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
index 791c432c9..76e0261fd 100644
--- a/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
+++ b/frontend/graphql/queries/service-accounts/getServiceAccountDetail.gql
@@ -35,5 +35,6 @@ query GetServiceAccountDetail($orgId: ID!, $id: ID) {
       allowedIps
       isGlobal
     }
+    identities { id name description }
   }
 }

From c34a3dd913de100bc0db77df52759c20dabe3c5c Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 23:02:43 +0530
Subject: [PATCH 47/80] feat: update AccessLayout component to include
 third-party identities tab

- Removed unused organisation context import and related code for improved clarity.
- Added a new tab for 'Third-party Identities' to enhance navigation within the access layout.
---
 frontend/app/[team]/access/layout.tsx | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/app/[team]/access/layout.tsx b/frontend/app/[team]/access/layout.tsx
index 119b59fc9..88e16c0f4 100644
--- a/frontend/app/[team]/access/layout.tsx
+++ b/frontend/app/[team]/access/layout.tsx
@@ -5,7 +5,6 @@ import { Tab } from '@headlessui/react'
 import clsx from 'clsx'
 import Link from 'next/link'
 import { usePathname } from 'next/navigation'
-import { organisationContext } from '@/contexts/organisationContext'
 
 export default function AccessLayout({
   params,
@@ -15,9 +14,6 @@ export default function AccessLayout({
   children: React.ReactNode
 }) {
   const path = usePathname()
-  //const router = useRouter()
-
-  const { activeOrganisation } = useContext(organisationContext)
 
   const [tabIndex, setTabIndex] = useState(0)
 
@@ -35,6 +31,10 @@ export default function AccessLayout({
         name: 'Roles',
         link: 'roles',
       },
+      {
+        name: 'Third-party Identities',
+        link: 'identities',
+      },
       {
         name: 'Authentication',
         link: 'authentication',

From 1e18debf544757bf67d5d9533d6c73b58fc73951 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 23:03:02 +0530
Subject: [PATCH 48/80] feat: enhance GraphQL schema with identity management
 features

- Added new queries for retrieving identities associated with an organisation and AWS STS endpoints, improving data accessibility.
- Introduced new types for Identity and IdentityProvider, enhancing the schema for identity management.
- Updated existing queries and mutations for better readability and structure, facilitating easier maintenance and understanding of the schema.
---
 frontend/apollo/schema.graphql | 484 ++++++++++++++++++++++++++++-----
 1 file changed, 417 insertions(+), 67 deletions(-)

diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 40a41f322..05bf60a76 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -3,6 +3,7 @@ type Query {
   organisations: [OrganisationType]
   roles(orgId: ID): [RoleType]
   networkAccessPolicies(organisationId: ID): [NetworkAccessPolicyType]
+  identities(organisationId: ID): [IdentityType]
   organisationNameAvailable(name: String): Boolean
   license: PhaseLicenseType
   organisationLicense(organisationId: ID): ActivatedPhaseLicenseType
@@ -13,9 +14,22 @@ type Query {
   validateInvite(inviteId: ID): OrganisationMemberInviteType
   apps(organisationId: ID, appId: ID): [AppType]
   kmsLogs(appId: ID, start: BigInt, end: BigInt): KMSLogsResponseType
-  secretLogs(appId: ID, start: BigInt, end: BigInt, eventTypes: [String], memberId: ID, memberType: MemberType, environmentId: ID): SecretLogsResponseType
+  secretLogs(
+    appId: ID
+    start: BigInt
+    end: BigInt
+    eventTypes: [String]
+    memberId: ID
+    memberType: MemberType
+    environmentId: ID
+  ): SecretLogsResponseType
   appActivityChart(appId: ID, period: TimeRange): [ChartDataPointType]
-  appEnvironments(appId: ID, environmentId: ID, memberId: ID, memberType: MemberType): [EnvironmentType]
+  appEnvironments(
+    appId: ID
+    environmentId: ID
+    memberId: ID
+    memberType: MemberType
+  ): [EnvironmentType]
   appUsers(appId: ID): [OrganisationMemberType]
   appServiceAccounts(appId: ID): [ServiceAccountType]
   secrets(envId: ID, path: String, id: ID): [SecretType]
@@ -32,6 +46,8 @@ type Query {
   sseEnabled(appId: ID): Boolean
   providers: [ProviderType]
   services: [ServiceType]
+  awsStsEndpoints: [JSONString]
+  identityProviders: [IdentityProviderType]
   savedCredentials(orgId: ID): [ProviderCredentialsType]
   syncs(orgId: ID, appId: ID, envId: ID): [EnvironmentSyncType]
   envSyncs(envId: ID): [EnvironmentSyncType]
@@ -49,7 +65,11 @@ type Query {
   testVaultCreds(credentialId: ID): Boolean
   testNomadCreds(credentialId: ID): Boolean
   validateAwsAssumeRoleAuth: AWSValidationResultType
-  validateAwsAssumeRoleCredentials(roleArn: String!, region: String, externalId: String): AWSValidationResultType
+  validateAwsAssumeRoleCredentials(
+    roleArn: String!
+    region: String
+    externalId: String
+  ): AWSValidationResultType
   stripeCheckoutDetails(stripeSessionId: String!): StripeCheckoutDetails
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
@@ -76,13 +96,19 @@ value as specified by
 scalar DateTime
 
 enum ApiOrganisationPlanChoices {
-  """Free"""
+  """
+  Free
+  """
   FR
 
-  """Pro"""
+  """
+  Pro
+  """
   PR
 
-  """Enterprise"""
+  """
+  Enterprise
+  """
   EN
 }
 
@@ -183,16 +209,24 @@ type EnvironmentType {
 }
 
 enum ApiEnvironmentEnvTypeChoices {
-  """Development"""
+  """
+  Development
+  """
   DEV
 
-  """Staging"""
+  """
+  Staging
+  """
   STAGING
 
-  """Production"""
+  """
+  Production
+  """
   PROD
 
-  """Custom"""
+  """
+  Custom
+  """
   CUSTOM
 }
 
@@ -285,6 +319,7 @@ type ServiceAccountType {
   tokens: [ServiceAccountTokenType]
   appMemberships: [AppMembershipType!]
   networkPolicies: [NetworkAccessPolicyType!]
+  identities: [IdentityType!]
 }
 
 type ServiceAccountHandlerType {
@@ -314,17 +349,49 @@ type ServiceAccountTokenType {
   lastUsed: DateTime
 }
 
+type IdentityType {
+  id: String!
+  organisation: OrganisationType!
+  provider: String!
+  name: String!
+  description: String
+  config: IdentityConfigUnion
+  tokenNamePattern: String
+  defaultTtlSeconds: Int!
+  maxTtlSeconds: Int!
+  createdAt: DateTime
+  updatedAt: DateTime!
+  deletedAt: DateTime
+  serviceAccounts: [ServiceAccountType!]!
+}
+
+union IdentityConfigUnion = AwsIamConfigType
+
+type AwsIamConfigType {
+  trustedPrincipals: [String]
+  signatureTtlSeconds: Int
+  stsEndpoint: String
+}
+
 enum ApiSecretEventEventTypeChoices {
-  """Create"""
+  """
+  Create
+  """
   C
 
-  """Read"""
+  """
+  Read
+  """
   R
 
-  """Update"""
+  """
+  Update
+  """
   U
 
-  """Delete"""
+  """
+  Delete
+  """
   D
 }
 
@@ -371,19 +438,29 @@ type ProviderType {
 }
 
 enum ApiEnvironmentSyncStatusChoices {
-  """In progress"""
+  """
+  In progress
+  """
   IN_PROGRESS
 
-  """Completed"""
+  """
+  Completed
+  """
   COMPLETED
 
-  """cancelled"""
+  """
+  cancelled
+  """
   CANCELLED
 
-  """Timed out"""
+  """
+  Timed out
+  """
   TIMED_OUT
 
-  """Failed"""
+  """
+  Failed
+  """
   FAILED
 }
 
@@ -404,19 +481,29 @@ type EnvironmentSyncEventType {
 }
 
 enum ApiEnvironmentSyncEventStatusChoices {
-  """In progress"""
+  """
+  In progress
+  """
   IN_PROGRESS
 
-  """Completed"""
+  """
+  Completed
+  """
   COMPLETED
 
-  """cancelled"""
+  """
+  cancelled
+  """
   CANCELLED
 
-  """Timed out"""
+  """
+  Timed out
+  """
   TIMED_OUT
 
-  """Failed"""
+  """
+  Failed
+  """
   FAILED
 }
 
@@ -479,13 +566,19 @@ type ActivatedPhaseLicenseType {
 }
 
 enum ApiActivatedPhaseLicensePlanChoices {
-  """Free"""
+  """
+  Free
+  """
   FR
 
-  """Pro"""
+  """
+  Pro
+  """
   PR
 
-  """Enterprise"""
+  """
+  Enterprise
+  """
   EN
 }
 
@@ -540,9 +633,13 @@ type KMSLogType implements Node {
   longitude: Float
 }
 
-"""An object with an ID"""
+"""
+An object with an ID
+"""
 interface Node {
-  """The ID of the object"""
+  """
+  The ID of the object
+  """
   id: ID!
 }
 
@@ -598,6 +695,14 @@ type EnvironmentTokenType {
   updatedAt: DateTime!
 }
 
+type IdentityProviderType {
+  id: String!
+  name: String!
+  description: String!
+  iconId: String!
+  supported: Boolean!
+}
+
 type CloudFlarePagesType {
   name: String
   deploymentId: String
@@ -773,63 +878,285 @@ enum PlanTypeEnum {
 }
 
 type Mutation {
-  createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
-  bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
-  createOrganisationMember(identityKey: String!, inviteId: ID!, orgId: ID!, wrappedKeyring: String, wrappedRecovery: String): CreateOrganisationMemberMutation
+  createOrganisation(
+    id: ID!
+    identityKey: String!
+    name: String!
+    wrappedKeyring: String!
+    wrappedRecovery: String!
+  ): CreateOrganisationMutation
+  bulkInviteOrganisationMembers(
+    invites: [InviteInput]!
+    orgId: ID!
+  ): BulkInviteOrganisationMembersMutation
+  createOrganisationMember(
+    identityKey: String!
+    inviteId: ID!
+    orgId: ID!
+    wrappedKeyring: String
+    wrappedRecovery: String
+  ): CreateOrganisationMemberMutation
   deleteOrganisationMember(memberId: ID!): DeleteOrganisationMemberMutation
   updateOrganisationMemberRole(memberId: ID!, roleId: ID!): UpdateOrganisationMemberRole
-  updateMemberWrappedSecrets(orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
+  updateMemberWrappedSecrets(
+    orgId: ID!
+    wrappedKeyring: String!
+    wrappedRecovery: String!
+  ): UpdateUserWrappedSecretsMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
-  createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
+  createApp(
+    appSeed: String!
+    appToken: String!
+    appVersion: Int!
+    id: ID!
+    identityKey: String!
+    name: String!
+    organisationId: ID!
+    wrappedKeyShare: String!
+  ): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
   deleteApp(id: ID!): DeleteAppMutation
   updateAppName(id: ID!, name: String!): UpdateAppNameMutation
-  addAppMember(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): AddAppMemberMutation
+  addAppMember(
+    appId: ID
+    envKeys: [EnvironmentKeyInput]
+    memberId: ID
+    memberType: MemberType
+  ): AddAppMemberMutation
   bulkAddAppMembers(appId: ID!, members: [AppMemberInputType]!): BulkAddAppMembersMutation
   removeAppMember(appId: ID, memberId: ID, memberType: MemberType): RemoveAppMemberMutation
-  updateMemberEnvironmentScope(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): UpdateMemberEnvScopeMutation
-  createEnvironment(adminKeys: [EnvironmentKeyInput], environmentData: EnvironmentInput!, wrappedSalt: String, wrappedSeed: String): CreateEnvironmentMutation
+  updateMemberEnvironmentScope(
+    appId: ID
+    envKeys: [EnvironmentKeyInput]
+    memberId: ID
+    memberType: MemberType
+  ): UpdateMemberEnvScopeMutation
+  createEnvironment(
+    adminKeys: [EnvironmentKeyInput]
+    environmentData: EnvironmentInput!
+    wrappedSalt: String
+    wrappedSeed: String
+  ): CreateEnvironmentMutation
   deleteEnvironment(environmentId: ID!): DeleteEnvironmentMutation
   renameEnvironment(environmentId: ID!, name: String!): RenameEnvironmentMutation
   swapEnvironmentOrder(environment1Id: ID!, environment2Id: ID!): SwapEnvironmentOrderMutation
-  createEnvironmentKey(envId: ID!, identityKey: String!, userId: ID, wrappedSalt: String!, wrappedSeed: String!): CreateEnvironmentKeyMutation
-  createEnvironmentToken(envId: ID!, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateEnvironmentTokenMutation
-  createCustomRole(color: String, description: String, name: String, organisationId: ID!, permissions: JSONString): CreateCustomRoleMutation
-  updateCustomRole(color: String, description: String, id: ID!, name: String, permissions: JSONString): UpdateCustomRoleMutation
+  createEnvironmentKey(
+    envId: ID!
+    identityKey: String!
+    userId: ID
+    wrappedSalt: String!
+    wrappedSeed: String!
+  ): CreateEnvironmentKeyMutation
+  createEnvironmentToken(
+    envId: ID!
+    identityKey: String!
+    name: String!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateEnvironmentTokenMutation
+  createCustomRole(
+    color: String
+    description: String
+    name: String
+    organisationId: ID!
+    permissions: JSONString
+  ): CreateCustomRoleMutation
+  updateCustomRole(
+    color: String
+    description: String
+    id: ID!
+    name: String
+    permissions: JSONString
+  ): UpdateCustomRoleMutation
   deleteCustomRole(id: ID!): DeleteCustomRoleMutation
-  createNetworkAccessPolicy(allowedIps: String!, isGlobal: Boolean!, name: String, organisationId: ID!): CreateNetworkAccessPolicyMutation
+  createNetworkAccessPolicy(
+    allowedIps: String!
+    isGlobal: Boolean!
+    name: String
+    organisationId: ID!
+  ): CreateNetworkAccessPolicyMutation
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
-  updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
-  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
-  enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
-  enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
-  updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
-  updateServiceAccount(name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
+  updateAccountNetworkAccessPolicies(
+    accountInputs: [AccountPolicyInput]
+    organisationId: ID!
+  ): UpdateAccountNetworkAccessPolicies
+  createIdentity(
+    defaultTtlSeconds: Int!
+    description: String
+    maxTtlSeconds: Int!
+    name: String!
+    organisationId: ID!
+    provider: String!
+    signatureTtlSeconds: Int
+    stsEndpoint: String
+    tokenNamePattern: String
+    trustedPrincipals: String!
+  ): CreateIdentityMutation
+  updateIdentity(
+    defaultTtlSeconds: Int
+    description: String
+    id: ID!
+    maxTtlSeconds: Int
+    name: String
+    signatureTtlSeconds: Int
+    stsEndpoint: String
+    tokenNamePattern: String
+    trustedPrincipals: String
+  ): UpdateIdentityMutation
+  deleteIdentity(id: ID!): DeleteIdentityMutation
+  createServiceAccount(
+    handlers: [ServiceAccountHandlerInput]
+    identityKey: String
+    name: String
+    organisationId: ID
+    roleId: ID
+    serverWrappedKeyring: String
+    serverWrappedRecovery: String
+  ): CreateServiceAccountMutation
+  enableServiceAccountServerSideKeyManagement(
+    serverWrappedKeyring: String
+    serverWrappedRecovery: String
+    serviceAccountId: ID
+  ): EnableServiceAccountServerSideKeyManagementMutation
+  enableServiceAccountClientSideKeyManagement(
+    serviceAccountId: ID
+  ): EnableServiceAccountClientSideKeyManagementMutation
+  updateServiceAccountHandlers(
+    handlers: [ServiceAccountHandlerInput]
+    organisationId: ID
+  ): UpdateServiceAccountHandlersMutation
+  updateServiceAccount(
+    identityIds: [ID!]
+    name: String
+    roleId: ID
+    serviceAccountId: ID
+  ): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
-  createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
+  createServiceAccountToken(
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    serviceAccountId: ID
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
   toggleSyncActive(syncId: ID): ToggleSyncActive
   updateSyncAuthentication(credentialId: ID, syncId: ID): UpdateSyncAuthentication
-  createProviderCredentials(credentials: JSONString, name: String, orgId: ID, provider: String): CreateProviderCredentials
-  updateProviderCredentials(credentialId: ID, credentials: JSONString, name: String): UpdateProviderCredentials
+  createProviderCredentials(
+    credentials: JSONString
+    name: String
+    orgId: ID
+    provider: String
+  ): CreateProviderCredentials
+  updateProviderCredentials(
+    credentialId: ID
+    credentials: JSONString
+    name: String
+  ): UpdateProviderCredentials
   deleteProviderCredentials(credentialId: ID): DeleteProviderCredentials
-  createCloudflarePagesSync(credentialId: ID, deploymentId: ID, envId: ID, path: String, projectEnv: String, projectName: String): CreateCloudflarePagesSync
-  createCloudflareWorkersSync(credentialId: ID, envId: ID, path: String, workerName: String): CreateCloudflareWorkersSync
-  createAwsSecretSync(credentialId: ID, envId: ID, kmsId: String, path: String, secretName: String): CreateAWSSecretsManagerSync
-  createGhActionsSync(credentialId: ID, envId: ID, owner: String, path: String, repoName: String): CreateGitHubActionsSync
-  createVaultSync(credentialId: ID, engine: String, envId: ID, path: String, vaultPath: String): CreateVaultSync
-  createNomadSync(credentialId: ID, envId: ID, nomadNamespace: String, nomadPath: String, path: String): CreateNomadSync
-  createGitlabCiSync(credentialId: ID, envId: ID, isGroup: Boolean, masked: Boolean, path: String, protected: Boolean, resourceId: String, resourcePath: String): CreateGitLabCISync
-  createRailwaySync(credentialId: ID, envId: ID, path: String, railwayEnvironment: RailwayResourceInput, railwayProject: RailwayResourceInput, railwayService: RailwayResourceInput): CreateRailwaySync
-  createVercelSync(credentialId: ID, envId: ID, environment: String, path: String, projectId: String, projectName: String, secretType: String, teamId: String, teamName: String): CreateVercelSync
-  createRenderSync(credentialId: ID, envId: ID, path: String, resourceId: String, resourceName: String, resourceType: RenderResourceType, secretFileName: String): CreateRenderSync
-  createUserToken(expiry: BigInt, identityKey: String!, name: String!, orgId: ID!, token: String!, wrappedKeyShare: String!): CreateUserTokenMutation
+  createCloudflarePagesSync(
+    credentialId: ID
+    deploymentId: ID
+    envId: ID
+    path: String
+    projectEnv: String
+    projectName: String
+  ): CreateCloudflarePagesSync
+  createCloudflareWorkersSync(
+    credentialId: ID
+    envId: ID
+    path: String
+    workerName: String
+  ): CreateCloudflareWorkersSync
+  createAwsSecretSync(
+    credentialId: ID
+    envId: ID
+    kmsId: String
+    path: String
+    secretName: String
+  ): CreateAWSSecretsManagerSync
+  createGhActionsSync(
+    credentialId: ID
+    envId: ID
+    owner: String
+    path: String
+    repoName: String
+  ): CreateGitHubActionsSync
+  createVaultSync(
+    credentialId: ID
+    engine: String
+    envId: ID
+    path: String
+    vaultPath: String
+  ): CreateVaultSync
+  createNomadSync(
+    credentialId: ID
+    envId: ID
+    nomadNamespace: String
+    nomadPath: String
+    path: String
+  ): CreateNomadSync
+  createGitlabCiSync(
+    credentialId: ID
+    envId: ID
+    isGroup: Boolean
+    masked: Boolean
+    path: String
+    protected: Boolean
+    resourceId: String
+    resourcePath: String
+  ): CreateGitLabCISync
+  createRailwaySync(
+    credentialId: ID
+    envId: ID
+    path: String
+    railwayEnvironment: RailwayResourceInput
+    railwayProject: RailwayResourceInput
+    railwayService: RailwayResourceInput
+  ): CreateRailwaySync
+  createVercelSync(
+    credentialId: ID
+    envId: ID
+    environment: String
+    path: String
+    projectId: String
+    projectName: String
+    secretType: String
+    teamId: String
+    teamName: String
+  ): CreateVercelSync
+  createRenderSync(
+    credentialId: ID
+    envId: ID
+    path: String
+    resourceId: String
+    resourceName: String
+    resourceType: RenderResourceType
+    secretFileName: String
+  ): CreateRenderSync
+  createUserToken(
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    orgId: ID!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateUserTokenMutation
   deleteUserToken(tokenId: ID!): DeleteUserTokenMutation
-  createServiceToken(appId: ID!, environmentKeys: [EnvironmentKeyInput], expiry: BigInt, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateServiceTokenMutation
+  createServiceToken(
+    appId: ID!
+    environmentKeys: [EnvironmentKeyInput]
+    expiry: BigInt
+    identityKey: String!
+    name: String!
+    token: String!
+    wrappedKeyShare: String!
+  ): CreateServiceTokenMutation
   deleteServiceToken(tokenId: ID!): DeleteServiceTokenMutation
   createSecretFolder(envId: ID, name: String, path: String): CreateSecretFolderMutation
   deleteSecretFolder(folderId: ID): DeleteSecretFolderMutation
@@ -844,16 +1171,27 @@ type Mutation {
   createOverride(overrideData: PersonalSecretInput): CreatePersonalSecretMutation
   removeOverride(secretId: ID): DeletePersonalSecretMutation
   createLockbox(input: LockboxInput): CreateLockboxMutation
-  createSubscriptionCheckoutSession(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum): CreateSubscriptionCheckoutSession
+  createSubscriptionCheckoutSession(
+    billingPeriod: BillingPeriodEnum
+    organisationId: ID!
+    planType: PlanTypeEnum
+  ): CreateSubscriptionCheckoutSession
   deletePaymentMethod(organisationId: ID, paymentMethodId: String): DeletePaymentMethodMutation
   cancelSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
   resumeSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
-  modifySubscription(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum, subscriptionId: String!): UpdateSubscriptionResponse
+  modifySubscription(
+    billingPeriod: BillingPeriodEnum
+    organisationId: ID!
+    planType: PlanTypeEnum
+    subscriptionId: String!
+  ): UpdateSubscriptionResponse
   createSetupIntent(organisationId: ID): CreateSetupIntentMutation
   setDefaultPaymentMethod(
     organisationId: ID
 
-    """Payment Method ID to set as default"""
+    """
+    Payment Method ID to set as default
+    """
     paymentMethodId: String!
   ): SetDefaultPaymentMethodMutation
 }
@@ -1017,6 +1355,18 @@ enum AccountTypeEnum {
   SERVICE
 }
 
+type CreateIdentityMutation {
+  identity: IdentityType
+}
+
+type UpdateIdentityMutation {
+  identity: IdentityType
+}
+
+type DeleteIdentityMutation {
+  ok: Boolean
+}
+
 type CreateServiceAccountMutation {
   serviceAccount: ServiceAccountType
 }
@@ -1260,4 +1610,4 @@ type CreateSetupIntentMutation {
 
 type SetDefaultPaymentMethodMutation {
   ok: Boolean
-}
\ No newline at end of file
+}

From 690591d7774adc148a248a4fe10207c216093607 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 23:04:21 +0530
Subject: [PATCH 49/80] feat: expand GraphQL schema with identity management
 mutations and queries

- Added mutations for creating, updating, and deleting identities, enhancing identity management capabilities.
- Introduced new queries for retrieving AWS STS endpoints, identity providers, and organisation-specific identities, improving data accessibility.
- Updated service account detail query to include associated identities, providing a comprehensive view of identity relationships.
---
 frontend/apollo/gql.ts     |  38 ++++++++-
 frontend/apollo/graphql.ts | 165 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 195 insertions(+), 8 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 11620e7a3..39316dbc4 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -55,6 +55,9 @@ const documents = {
     "mutation RenameEnv($environmentId: ID!, $name: String!) {\n  renameEnvironment(environmentId: $environmentId, name: $name) {\n    environment {\n      id\n      name\n      updatedAt\n    }\n  }\n}": types.RenameEnvDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": types.CreateSharedSecretDocument,
     "mutation SwapEnvOrder($environment1Id: ID!, $environment2Id: ID!) {\n  swapEnvironmentOrder(\n    environment1Id: $environment1Id\n    environment2Id: $environment2Id\n  ) {\n    ok\n  }\n}": types.SwapEnvOrderDocument,
+    "mutation CreateIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateIdentityDocument,
+    "mutation DeleteIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": types.DeleteIdentityDocument,
+    "mutation UpdateIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateIdentityDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": types.AcceptOrganisationInviteDocument,
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": types.DeleteOrgInviteDocument,
@@ -69,7 +72,7 @@ const documents = {
     "mutation EnableSAClientKeyManagement($serviceAccountId: ID!) {\n  enableServiceAccountClientSideKeyManagement(serviceAccountId: $serviceAccountId) {\n    serviceAccount {\n      id\n      name\n      identityKey\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaClientKeyManagementDocument,
     "mutation EnableSAServerKeyManagement($serviceAccountId: ID!, $serverWrappedKeyring: String!, $serverWrappedRecovery: String!) {\n  enableServiceAccountServerSideKeyManagement(\n    serviceAccountId: $serviceAccountId\n    serverWrappedKeyring: $serverWrappedKeyring\n    serverWrappedRecovery: $serverWrappedRecovery\n  ) {\n    serviceAccount {\n      id\n      name\n      serverSideKeyManagementEnabled\n    }\n  }\n}": types.EnableSaServerKeyManagementDocument,
     "mutation UpdateServiceAccountHandlerKeys($orgId: ID!, $handlers: [ServiceAccountHandlerInput]) {\n  updateServiceAccountHandlers(organisationId: $orgId, handlers: $handlers) {\n    ok\n  }\n}": types.UpdateServiceAccountHandlerKeysDocument,
-    "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
+    "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}": types.UpdateServiceAccountOpDocument,
     "mutation CreateNewAWSSecretsSync($envId: ID!, $path: String!, $credentialId: ID!, $secretName: String!, $kmsId: String) {\n  createAwsSecretSync(\n    envId: $envId\n    path: $path\n    credentialId: $credentialId\n    secretName: $secretName\n    kmsId: $kmsId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewAwsSecretsSyncDocument,
     "mutation CreateNewCfPagesSync($envId: ID!, $path: String!, $projectName: String!, $deploymentId: ID!, $projectEnv: String!, $credentialId: ID!) {\n  createCloudflarePagesSync(\n    envId: $envId\n    path: $path\n    projectName: $projectName\n    deploymentId: $deploymentId\n    projectEnv: $projectEnv\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfPagesSyncDocument,
     "mutation CreateNewCfWorkersSync($envId: ID!, $path: String!, $workerName: String!, $credentialId: ID!) {\n  createCloudflareWorkersSync(\n    envId: $envId\n    path: $path\n    workerName: $workerName\n    credentialId: $credentialId\n  ) {\n    sync {\n      id\n      environment {\n        id\n        name\n        envType\n      }\n      serviceInfo {\n        id\n        name\n      }\n      isActive\n      lastSync\n      createdAt\n    }\n  }\n}": types.CreateNewCfWorkersSyncDocument,
@@ -104,6 +107,9 @@ const documents = {
     "query GetApps($organisationId: ID!, $appId: ID) {\n  apps(organisationId: $organisationId, appId: $appId) {\n    id\n    name\n    identityKey\n    createdAt\n    updatedAt\n    sseEnabled\n    members {\n      id\n      email\n      fullName\n      avatarUrl\n    }\n    serviceAccounts {\n      id\n      name\n    }\n    environments {\n      id\n      name\n      envType\n      syncs {\n        id\n        serviceInfo {\n          id\n          name\n          provider {\n            id\n            name\n          }\n        }\n        status\n      }\n    }\n  }\n}": types.GetAppsDocument,
     "query GetDashboard($organisationId: ID!) {\n  apps(organisationId: $organisationId) {\n    id\n    name\n    sseEnabled\n  }\n  userTokens(organisationId: $organisationId) {\n    id\n  }\n  organisationInvites(orgId: $organisationId) {\n    id\n  }\n  organisationMembers(organisationId: $organisationId, role: null) {\n    id\n  }\n  savedCredentials(orgId: $organisationId) {\n    id\n  }\n  syncs(orgId: $organisationId) {\n    id\n  }\n}": types.GetDashboardDocument,
     "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n  }\n}": types.GetOrganisationsDocument,
+    "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}": types.GetAwsStsEndpointsDocument,
+    "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}": types.GetIdentityProvidersDocument,
+    "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}": types.GetOrganisationIdentitiesDocument,
     "query CheckOrganisationNameAvailability($name: String!) {\n  organisationNameAvailable(name: $name)\n}": types.CheckOrganisationNameAvailabilityDocument,
     "query GetGlobalAccessUsers($organisationId: ID!) {\n  organisationGlobalAccessUsers(organisationId: $organisationId) {\n    id\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetGlobalAccessUsersDocument,
     "query GetInvites($orgId: ID!) {\n  organisationInvites(orgId: $orgId) {\n    id\n    createdAt\n    expiresAt\n    invitedBy {\n      email\n      fullName\n      self\n    }\n    inviteeEmail\n    role {\n      id\n      name\n      description\n      color\n    }\n  }\n}": types.GetInvitesDocument,
@@ -125,7 +131,7 @@ const documents = {
     "query GetSecretTags($orgId: ID!) {\n  secretTags(orgId: $orgId) {\n    id\n    name\n    color\n  }\n}": types.GetSecretTagsDocument,
     "query GetSecrets($appId: ID!, $envId: ID!, $path: String) {\n  secrets(envId: $envId, path: $path) {\n    id\n    key\n    value\n    path\n    tags {\n      id\n      name\n      color\n    }\n    comment\n    createdAt\n    updatedAt\n    override {\n      value\n      isActive\n    }\n    environment {\n      id\n      app {\n        id\n      }\n    }\n  }\n  folders(envId: $envId, path: $path) {\n    id\n    name\n    path\n    createdAt\n    folderCount\n    secretCount\n  }\n  appEnvironments(appId: $appId, environmentId: $envId) {\n    id\n    name\n    envType\n    identityKey\n    app {\n      name\n    }\n  }\n  environmentKeys(appId: $appId, environmentId: $envId) {\n    id\n    identityKey\n    wrappedSeed\n    wrappedSalt\n  }\n  envSyncs(envId: $envId) {\n    id\n    environment {\n      id\n      name\n      envType\n    }\n    serviceInfo {\n      id\n      name\n    }\n    options\n    isActive\n    status\n    lastSync\n    createdAt\n  }\n}": types.GetSecretsDocument,
     "query GetServiceTokens($appId: ID!) {\n  serviceTokens(appId: $appId) {\n    id\n    name\n    createdAt\n    createdBy {\n      fullName\n      avatarUrl\n      self\n    }\n    expiresAt\n    keys {\n      id\n      identityKey\n    }\n  }\n}": types.GetServiceTokensDocument,
-    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
+    "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}": types.GetServiceAccountDetailDocument,
     "query GetServiceAccountHandlers($orgId: ID!) {\n  serviceAccountHandlers(orgId: $orgId) {\n    id\n    email\n    role {\n      name\n      permissions\n    }\n    identityKey\n    self\n  }\n}": types.GetServiceAccountHandlersDocument,
     "query GetServiceAccountTokens($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    tokens {\n      id\n      name\n      createdAt\n      expiresAt\n      createdBy {\n        fullName\n        avatarUrl\n        self\n      }\n      createdByServiceAccount {\n        id\n        name\n        identityKey\n      }\n      lastUsed\n    }\n  }\n}": types.GetServiceAccountTokensDocument,
     "query GetServiceAccounts($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    role {\n      id\n      name\n      description\n      color\n    }\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    createdAt\n  }\n}": types.GetServiceAccountsDocument,
@@ -333,6 +339,18 @@ export function graphql(source: "mutation CreateSharedSecret($input: LockboxInpu
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "mutation SwapEnvOrder($environment1Id: ID!, $environment2Id: ID!) {\n  swapEnvironmentOrder(\n    environment1Id: $environment1Id\n    environment2Id: $environment2Id\n  ) {\n    ok\n  }\n}"): (typeof documents)["mutation SwapEnvOrder($environment1Id: ID!, $environment2Id: ID!) {\n  swapEnvironmentOrder(\n    environment1Id: $environment1Id\n    environment2Id: $environment2Id\n  ) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation CreateIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation DeleteIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "mutation UpdateIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -392,7 +410,7 @@ export function graphql(source: "mutation UpdateServiceAccountHandlerKeys($orgId
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n    }\n  }\n}"];
+export function graphql(source: "mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"): (typeof documents)["mutation UpdateServiceAccountOp($serviceAccountId: ID!, $name: String!, $roleId: ID!, $identityIds: [ID!]) {\n  updateServiceAccount(\n    serviceAccountId: $serviceAccountId\n    name: $name\n    roleId: $roleId\n    identityIds: $identityIds\n  ) {\n    serviceAccount {\n      id\n      name\n      role {\n        id\n        name\n        description\n        permissions\n      }\n      identities {\n        id\n        name\n      }\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -529,6 +547,18 @@ export function graphql(source: "query GetDashboard($organisationId: ID!) {\n  a
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
 export function graphql(source: "query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n  }\n}"): (typeof documents)["query GetOrganisations {\n  organisations {\n    id\n    name\n    identityKey\n    createdAt\n    plan\n    planDetail {\n      name\n      maxUsers\n      maxApps\n      maxEnvsPerApp\n      seatsUsed {\n        users\n        serviceAccounts\n        total\n      }\n      appCount\n    }\n    role {\n      name\n      description\n      color\n      permissions\n    }\n    memberId\n    keyring\n    recovery\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetAwsStsEndpoints {\n  awsStsEndpoints\n}"): (typeof documents)["query GetAwsStsEndpoints {\n  awsStsEndpoints\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}"): (typeof documents)["query GetIdentityProviders {\n  identityProviders {\n    id\n    name\n    description\n    iconId\n    supported\n  }\n}"];
+/**
+ * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
+ */
+export function graphql(source: "query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"): (typeof documents)["query GetOrganisationIdentities($organisationId: ID!) {\n  identities(organisationId: $organisationId) {\n    id\n    provider\n    name\n    description\n    config {\n      ... on AwsIamConfigType {\n        trustedPrincipals\n        signatureTtlSeconds\n        stsEndpoint\n      }\n    }\n    tokenNamePattern\n    defaultTtlSeconds\n    maxTtlSeconds\n    createdAt\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
@@ -616,7 +646,7 @@ export function graphql(source: "query GetServiceTokens($appId: ID!) {\n  servic
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n  }\n}"];
+export function graphql(source: "query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}"): (typeof documents)["query GetServiceAccountDetail($orgId: ID!, $id: ID) {\n  serviceAccounts(orgId: $orgId, serviceAccountId: $id) {\n    id\n    name\n    identityKey\n    serverSideKeyManagementEnabled\n    role {\n      id\n      name\n      description\n      color\n      permissions\n    }\n    createdAt\n    handlers {\n      id\n      wrappedKeyring\n      wrappedRecovery\n      user {\n        self\n      }\n    }\n    appMemberships {\n      id\n      name\n      environments {\n        id\n        name\n      }\n      sseEnabled\n    }\n    networkPolicies {\n      id\n      name\n      allowedIps\n      isGlobal\n    }\n    identities {\n      id\n      name\n      description\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index b43cbb13a..cdaa78ed7 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -187,6 +187,13 @@ export type AppType = {
   wrappedKeyShare: Scalars['String']['output'];
 };
 
+export type AwsIamConfigType = {
+  __typename?: 'AwsIamConfigType';
+  signatureTtlSeconds?: Maybe<Scalars['Int']['output']>;
+  stsEndpoint?: Maybe<Scalars['String']['output']>;
+  trustedPrincipals?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+};
+
 export enum BillingPeriodEnum {
   Monthly = 'MONTHLY',
   Yearly = 'YEARLY'
@@ -287,6 +294,11 @@ export type CreateGitLabCiSync = {
   sync?: Maybe<EnvironmentSyncType>;
 };
 
+export type CreateIdentityMutation = {
+  __typename?: 'CreateIdentityMutation';
+  identity?: Maybe<IdentityType>;
+};
+
 export type CreateLockboxMutation = {
   __typename?: 'CreateLockboxMutation';
   lockbox?: Maybe<LockboxType>;
@@ -403,6 +415,11 @@ export type DeleteEnvironmentMutation = {
   ok?: Maybe<Scalars['Boolean']['output']>;
 };
 
+export type DeleteIdentityMutation = {
+  __typename?: 'DeleteIdentityMutation';
+  ok?: Maybe<Scalars['Boolean']['output']>;
+};
+
 export type DeleteInviteMutation = {
   __typename?: 'DeleteInviteMutation';
   ok?: Maybe<Scalars['Boolean']['output']>;
@@ -629,6 +646,34 @@ export type GitLabProjectType = {
   webUrl?: Maybe<Scalars['String']['output']>;
 };
 
+export type IdentityConfigUnion = AwsIamConfigType;
+
+export type IdentityProviderType = {
+  __typename?: 'IdentityProviderType';
+  description: Scalars['String']['output'];
+  iconId: Scalars['String']['output'];
+  id: Scalars['String']['output'];
+  name: Scalars['String']['output'];
+  supported: Scalars['Boolean']['output'];
+};
+
+export type IdentityType = {
+  __typename?: 'IdentityType';
+  config?: Maybe<IdentityConfigUnion>;
+  createdAt?: Maybe<Scalars['DateTime']['output']>;
+  defaultTtlSeconds: Scalars['Int']['output'];
+  deletedAt?: Maybe<Scalars['DateTime']['output']>;
+  description?: Maybe<Scalars['String']['output']>;
+  id: Scalars['String']['output'];
+  maxTtlSeconds: Scalars['Int']['output'];
+  name: Scalars['String']['output'];
+  organisation: OrganisationType;
+  provider: Scalars['String']['output'];
+  serviceAccounts: Array<ServiceAccountType>;
+  tokenNamePattern?: Maybe<Scalars['String']['output']>;
+  updatedAt: Scalars['DateTime']['output'];
+};
+
 export type InitEnvSync = {
   __typename?: 'InitEnvSync';
   app?: Maybe<AppType>;
@@ -701,6 +746,7 @@ export type Mutation = {
   createEnvironmentToken?: Maybe<CreateEnvironmentTokenMutation>;
   createGhActionsSync?: Maybe<CreateGitHubActionsSync>;
   createGitlabCiSync?: Maybe<CreateGitLabCiSync>;
+  createIdentity?: Maybe<CreateIdentityMutation>;
   createLockbox?: Maybe<CreateLockboxMutation>;
   createNetworkAccessPolicy?: Maybe<CreateNetworkAccessPolicyMutation>;
   createNomadSync?: Maybe<CreateNomadSync>;
@@ -726,6 +772,7 @@ export type Mutation = {
   deleteCustomRole?: Maybe<DeleteCustomRoleMutation>;
   deleteEnvSync?: Maybe<DeleteSync>;
   deleteEnvironment?: Maybe<DeleteEnvironmentMutation>;
+  deleteIdentity?: Maybe<DeleteIdentityMutation>;
   deleteInvitation?: Maybe<DeleteInviteMutation>;
   deleteNetworkAccessPolicy?: Maybe<DeleteNetworkAccessPolicyMutation>;
   deleteOrganisationMember?: Maybe<DeleteOrganisationMemberMutation>;
@@ -757,6 +804,7 @@ export type Mutation = {
   updateAccountNetworkAccessPolicies?: Maybe<UpdateAccountNetworkAccessPolicies>;
   updateAppName?: Maybe<UpdateAppNameMutation>;
   updateCustomRole?: Maybe<UpdateCustomRoleMutation>;
+  updateIdentity?: Maybe<UpdateIdentityMutation>;
   updateMemberEnvironmentScope?: Maybe<UpdateMemberEnvScopeMutation>;
   updateMemberWrappedSecrets?: Maybe<UpdateUserWrappedSecretsMutation>;
   updateNetworkAccessPolicy?: Maybe<UpdateNetworkAccessPolicyMutation>;
@@ -889,6 +937,20 @@ export type MutationCreateGitlabCiSyncArgs = {
 };
 
 
+export type MutationCreateIdentityArgs = {
+  defaultTtlSeconds: Scalars['Int']['input'];
+  description?: InputMaybe<Scalars['String']['input']>;
+  maxTtlSeconds: Scalars['Int']['input'];
+  name: Scalars['String']['input'];
+  organisationId: Scalars['ID']['input'];
+  provider: Scalars['String']['input'];
+  signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
+  trustedPrincipals: Scalars['String']['input'];
+};
+
+
 export type MutationCreateLockboxArgs = {
   input?: InputMaybe<LockboxInput>;
 };
@@ -1083,6 +1145,11 @@ export type MutationDeleteEnvironmentArgs = {
 };
 
 
+export type MutationDeleteIdentityArgs = {
+  id: Scalars['ID']['input'];
+};
+
+
 export type MutationDeleteInvitationArgs = {
   inviteId: Scalars['ID']['input'];
 };
@@ -1260,6 +1327,19 @@ export type MutationUpdateCustomRoleArgs = {
 };
 
 
+export type MutationUpdateIdentityArgs = {
+  defaultTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  description?: InputMaybe<Scalars['String']['input']>;
+  id: Scalars['ID']['input'];
+  maxTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  name?: InputMaybe<Scalars['String']['input']>;
+  signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
+  trustedPrincipals?: InputMaybe<Scalars['String']['input']>;
+};
+
+
 export type MutationUpdateMemberEnvironmentScopeArgs = {
   appId?: InputMaybe<Scalars['ID']['input']>;
   envKeys?: InputMaybe<Array<InputMaybe<EnvironmentKeyInput>>>;
@@ -1294,6 +1374,7 @@ export type MutationUpdateProviderCredentialsArgs = {
 
 
 export type MutationUpdateServiceAccountArgs = {
+  identityIds?: InputMaybe<Array<Scalars['ID']['input']>>;
   name?: InputMaybe<Scalars['String']['input']>;
   roleId?: InputMaybe<Scalars['ID']['input']>;
   serviceAccountId?: InputMaybe<Scalars['ID']['input']>;
@@ -1483,6 +1564,7 @@ export type Query = {
   appUsers?: Maybe<Array<Maybe<OrganisationMemberType>>>;
   apps?: Maybe<Array<Maybe<AppType>>>;
   awsSecrets?: Maybe<Array<Maybe<AwsSecretType>>>;
+  awsStsEndpoints?: Maybe<Array<Maybe<Scalars['JSONString']['output']>>>;
   clientIp?: Maybe<Scalars['String']['output']>;
   cloudflarePagesProjects?: Maybe<Array<Maybe<CloudFlarePagesType>>>;
   cloudflareWorkers?: Maybe<Array<Maybe<CloudflareWorkerType>>>;
@@ -1493,6 +1575,8 @@ export type Query = {
   githubRepos?: Maybe<Array<Maybe<GitHubRepoType>>>;
   gitlabGroups?: Maybe<Array<Maybe<GitLabGroupType>>>;
   gitlabProjects?: Maybe<Array<Maybe<GitLabProjectType>>>;
+  identities?: Maybe<Array<Maybe<IdentityType>>>;
+  identityProviders?: Maybe<Array<Maybe<IdentityProviderType>>>;
   kmsLogs?: Maybe<KmsLogsResponseType>;
   license?: Maybe<PhaseLicenseType>;
   networkAccessPolicies?: Maybe<Array<Maybe<NetworkAccessPolicyType>>>;
@@ -1617,6 +1701,11 @@ export type QueryGitlabProjectsArgs = {
 };
 
 
+export type QueryIdentitiesArgs = {
+  organisationId?: InputMaybe<Scalars['ID']['input']>;
+};
+
+
 export type QueryKmsLogsArgs = {
   appId?: InputMaybe<Scalars['ID']['input']>;
   end?: InputMaybe<Scalars['BigInt']['input']>;
@@ -2007,6 +2096,7 @@ export type ServiceAccountType = {
   deletedAt?: Maybe<Scalars['DateTime']['output']>;
   handlers?: Maybe<Array<Maybe<ServiceAccountHandlerType>>>;
   id: Scalars['String']['output'];
+  identities?: Maybe<Array<IdentityType>>;
   identityKey?: Maybe<Scalars['String']['output']>;
   name: Scalars['String']['output'];
   networkPolicies?: Maybe<Array<NetworkAccessPolicyType>>;
@@ -2108,6 +2198,11 @@ export type UpdateCustomRoleMutation = {
   role?: Maybe<RoleType>;
 };
 
+export type UpdateIdentityMutation = {
+  __typename?: 'UpdateIdentityMutation';
+  identity?: Maybe<IdentityType>;
+};
+
 export type UpdateMemberEnvScopeMutation = {
   __typename?: 'UpdateMemberEnvScopeMutation';
   app?: Maybe<AppType>;
@@ -2557,6 +2652,44 @@ export type SwapEnvOrderMutationVariables = Exact<{
 
 export type SwapEnvOrderMutation = { __typename?: 'Mutation', swapEnvironmentOrder?: { __typename?: 'SwapEnvironmentOrderMutation', ok?: boolean | null } | null };
 
+export type CreateIdentityMutationVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+  provider: Scalars['String']['input'];
+  name: Scalars['String']['input'];
+  description?: InputMaybe<Scalars['String']['input']>;
+  trustedPrincipals: Scalars['String']['input'];
+  signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
+  defaultTtlSeconds: Scalars['Int']['input'];
+  maxTtlSeconds: Scalars['Int']['input'];
+}>;
+
+
+export type CreateIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
+
+export type DeleteIdentityMutationVariables = Exact<{
+  id: Scalars['ID']['input'];
+}>;
+
+
+export type DeleteIdentityMutation = { __typename?: 'Mutation', deleteIdentity?: { __typename?: 'DeleteIdentityMutation', ok?: boolean | null } | null };
+
+export type UpdateIdentityMutationVariables = Exact<{
+  id: Scalars['ID']['input'];
+  name?: InputMaybe<Scalars['String']['input']>;
+  description?: InputMaybe<Scalars['String']['input']>;
+  trustedPrincipals?: InputMaybe<Scalars['String']['input']>;
+  signatureTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  stsEndpoint?: InputMaybe<Scalars['String']['input']>;
+  tokenNamePattern?: InputMaybe<Scalars['String']['input']>;
+  defaultTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+  maxTtlSeconds?: InputMaybe<Scalars['Int']['input']>;
+}>;
+
+
+export type UpdateIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
+
 export type AcceptOrganisationInviteMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
   identityKey: Scalars['String']['input'];
@@ -2683,10 +2816,11 @@ export type UpdateServiceAccountOpMutationVariables = Exact<{
   serviceAccountId: Scalars['ID']['input'];
   name: Scalars['String']['input'];
   roleId: Scalars['ID']['input'];
+  identityIds?: InputMaybe<Array<Scalars['ID']['input']> | Scalars['ID']['input']>;
 }>;
 
 
-export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null } | null } | null };
+export type UpdateServiceAccountOpMutation = { __typename?: 'Mutation', updateServiceAccount?: { __typename?: 'UpdateServiceAccountMutation', serviceAccount?: { __typename?: 'ServiceAccountType', id: string, name: string, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, permissions?: any | null } | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string }> | null } | null } | null };
 
 export type CreateNewAwsSecretsSyncMutationVariables = Exact<{
   envId: Scalars['ID']['input'];
@@ -2989,6 +3123,23 @@ export type GetOrganisationsQueryVariables = Exact<{ [key: string]: never; }>;
 
 export type GetOrganisationsQuery = { __typename?: 'Query', organisations?: Array<{ __typename?: 'OrganisationType', id: string, name: string, identityKey: string, createdAt?: any | null, plan: ApiOrganisationPlanChoices, memberId?: string | null, keyring?: string | null, recovery?: string | null, planDetail?: { __typename?: 'OrganisationPlanType', name?: string | null, maxUsers?: number | null, maxApps?: number | null, maxEnvsPerApp?: number | null, appCount?: number | null, seatsUsed?: { __typename?: 'SeatsUsed', users?: number | null, serviceAccounts?: number | null, total?: number | null } | null } | null, role?: { __typename?: 'RoleType', name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null } | null> | null };
 
+export type GetAwsStsEndpointsQueryVariables = Exact<{ [key: string]: never; }>;
+
+
+export type GetAwsStsEndpointsQuery = { __typename?: 'Query', awsStsEndpoints?: Array<any | null> | null };
+
+export type GetIdentityProvidersQueryVariables = Exact<{ [key: string]: never; }>;
+
+
+export type GetIdentityProvidersQuery = { __typename?: 'Query', identityProviders?: Array<{ __typename?: 'IdentityProviderType', id: string, name: string, description: string, iconId: string, supported: boolean } | null> | null };
+
+export type GetOrganisationIdentitiesQueryVariables = Exact<{
+  organisationId: Scalars['ID']['input'];
+}>;
+
+
+export type GetOrganisationIdentitiesQuery = { __typename?: 'Query', identities?: Array<{ __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, createdAt?: any | null, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null> | null };
+
 export type CheckOrganisationNameAvailabilityQueryVariables = Exact<{
   name: Scalars['String']['input'];
 }>;
@@ -3158,7 +3309,7 @@ export type GetServiceAccountDetailQueryVariables = Exact<{
 }>;
 
 
-export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null } | null> | null };
+export type GetServiceAccountDetailQuery = { __typename?: 'Query', serviceAccounts?: Array<{ __typename?: 'ServiceAccountType', id: string, name: string, identityKey?: string | null, serverSideKeyManagementEnabled?: boolean | null, createdAt?: any | null, role?: { __typename?: 'RoleType', id: string, name?: string | null, description?: string | null, color?: string | null, permissions?: any | null } | null, handlers?: Array<{ __typename?: 'ServiceAccountHandlerType', id: string, wrappedKeyring: string, wrappedRecovery: string, user: { __typename?: 'OrganisationMemberType', self?: boolean | null } } | null> | null, appMemberships?: Array<{ __typename?: 'AppMembershipType', id: string, name: string, sseEnabled: boolean, environments: Array<{ __typename?: 'EnvironmentType', id: string, name: string } | null> }> | null, networkPolicies?: Array<{ __typename?: 'NetworkAccessPolicyType', id: string, name: string, allowedIps: string, isGlobal: boolean }> | null, identities?: Array<{ __typename?: 'IdentityType', id: string, name: string, description?: string | null }> | null } | null> | null };
 
 export type GetServiceAccountHandlersQueryVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3361,6 +3512,9 @@ export const RemovePersonalSecretDocument = {"kind":"Document","definitions":[{"
 export const RenameEnvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RenameEnv"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renameEnvironment"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<RenameEnvMutation, RenameEnvMutationVariables>;
 export const CreateSharedSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSharedSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"input"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"LockboxInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createLockbox"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"input"},"value":{"kind":"Variable","name":{"kind":"Name","value":"input"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lockbox"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"allowedViews"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSharedSecretMutation, CreateSharedSecretMutationVariables>;
 export const SwapEnvOrderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"SwapEnvOrder"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment1Id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment2Id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"swapEnvironmentOrder"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environment1Id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment1Id"}}},{"kind":"Argument","name":{"kind":"Name","value":"environment2Id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment2Id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<SwapEnvOrderMutation, SwapEnvOrderMutationVariables>;
+export const CreateIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateIdentityMutation, CreateIdentityMutationVariables>;
+export const DeleteIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteIdentityMutation, DeleteIdentityMutationVariables>;
+export const UpdateIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateIdentityMutation, UpdateIdentityMutationVariables>;
 export const AcceptOrganisationInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AcceptOrganisationInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<AcceptOrganisationInviteMutation, AcceptOrganisationInviteMutationVariables>;
 export const BulkInviteMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"BulkInviteMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"invites"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"InviteInput"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"bulkInviteOrganisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"invites"},"value":{"kind":"Variable","name":{"kind":"Name","value":"invites"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"invites"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<BulkInviteMembersMutation, BulkInviteMembersMutationVariables>;
 export const DeleteOrgInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteInvitation"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgInviteMutation, DeleteOrgInviteMutationVariables>;
@@ -3375,7 +3529,7 @@ export const DeleteServiceAccountTokenOpDocument = {"kind":"Document","definitio
 export const EnableSaClientKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAClientKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountClientSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaClientKeyManagementMutation, EnableSaClientKeyManagementMutationVariables>;
 export const EnableSaServerKeyManagementDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"EnableSAServerKeyManagement"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"enableServiceAccountServerSideKeyManagement"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"serverWrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serverWrappedRecovery"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}}]}}]}}]}}]} as unknown as DocumentNode<EnableSaServerKeyManagementMutation, EnableSaServerKeyManagementMutationVariables>;
 export const UpdateServiceAccountHandlerKeysDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountHandlerKeys"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}},"type":{"kind":"ListType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ServiceAccountHandlerInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"handlers"},"value":{"kind":"Variable","name":{"kind":"Name","value":"handlers"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountHandlerKeysMutation, UpdateServiceAccountHandlerKeysMutationVariables>;
-export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
+export const UpdateServiceAccountOpDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateServiceAccountOp"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}},"type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateServiceAccount"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"serviceAccountId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"roleId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"roleId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityIds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityIds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<UpdateServiceAccountOpMutation, UpdateServiceAccountOpMutationVariables>;
 export const CreateNewAwsSecretsSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewAWSSecretsSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createAwsSecretSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}},{"kind":"Argument","name":{"kind":"Name","value":"secretName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"secretName"}}},{"kind":"Argument","name":{"kind":"Name","value":"kmsId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"kmsId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewAwsSecretsSyncMutation, CreateNewAwsSecretsSyncMutationVariables>;
 export const CreateNewCfPagesSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfPagesSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflarePagesSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectName"}}},{"kind":"Argument","name":{"kind":"Name","value":"deploymentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"deploymentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"projectEnv"},"value":{"kind":"Variable","name":{"kind":"Name","value":"projectEnv"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfPagesSyncMutation, CreateNewCfPagesSyncMutationVariables>;
 export const CreateNewCfWorkersSyncDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateNewCfWorkersSync"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"workerName"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createCloudflareWorkersSync"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}},{"kind":"Argument","name":{"kind":"Name","value":"workerName"},"value":{"kind":"Variable","name":{"kind":"Name","value":"workerName"}}},{"kind":"Argument","name":{"kind":"Name","value":"credentialId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"credentialId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"sync"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateNewCfWorkersSyncMutation, CreateNewCfWorkersSyncMutationVariables>;
@@ -3410,6 +3564,9 @@ export const GetAppKmsLogsDocument = {"kind":"Document","definitions":[{"kind":"
 export const GetAppsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetApps"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"members"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"provider"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"status"}}]}}]}}]}}]}}]} as unknown as DocumentNode<GetAppsQuery, GetAppsQueryVariables>;
 export const GetDashboardDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetDashboard"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"apps"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"userTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"organisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"role"},"value":{"kind":"NullValue"}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"savedCredentials"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}},{"kind":"Field","name":{"kind":"Name","value":"syncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]} as unknown as DocumentNode<GetDashboardQuery, GetDashboardQueryVariables>;
 export const GetOrganisationsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisations"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"plan"}},{"kind":"Field","name":{"kind":"Name","value":"planDetail"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"maxUsers"}},{"kind":"Field","name":{"kind":"Name","value":"maxApps"}},{"kind":"Field","name":{"kind":"Name","value":"maxEnvsPerApp"}},{"kind":"Field","name":{"kind":"Name","value":"seatsUsed"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"users"}},{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"}},{"kind":"Field","name":{"kind":"Name","value":"total"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"memberId"}},{"kind":"Field","name":{"kind":"Name","value":"keyring"}},{"kind":"Field","name":{"kind":"Name","value":"recovery"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationsQuery, GetOrganisationsQueryVariables>;
+export const GetAwsStsEndpointsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetAwsStsEndpoints"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"awsStsEndpoints"}}]}}]} as unknown as DocumentNode<GetAwsStsEndpointsQuery, GetAwsStsEndpointsQueryVariables>;
+export const GetIdentityProvidersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetIdentityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identityProviders"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"iconId"}},{"kind":"Field","name":{"kind":"Name","value":"supported"}}]}}]}}]} as unknown as DocumentNode<GetIdentityProvidersQuery, GetIdentityProvidersQueryVariables>;
+export const GetOrganisationIdentitiesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetOrganisationIdentities"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identities"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetOrganisationIdentitiesQuery, GetOrganisationIdentitiesQueryVariables>;
 export const CheckOrganisationNameAvailabilityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"CheckOrganisationNameAvailability"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationNameAvailable"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}]}]}}]} as unknown as DocumentNode<CheckOrganisationNameAvailabilityQuery, CheckOrganisationNameAvailabilityQueryVariables>;
 export const GetGlobalAccessUsersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetGlobalAccessUsers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationGlobalAccessUsers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetGlobalAccessUsersQuery, GetGlobalAccessUsersQueryVariables>;
 export const GetInvitesDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetInvites"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"organisationInvites"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"invitedBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]}}]} as unknown as DocumentNode<GetInvitesQuery, GetInvitesQueryVariables>;
@@ -3431,7 +3588,7 @@ export const GetEnvSecretsKvDocument = {"kind":"Document","definitions":[{"kind"
 export const GetSecretTagsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecretTags"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secretTags"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}}]}}]} as unknown as DocumentNode<GetSecretTagsQuery, GetSecretTagsQueryVariables>;
 export const GetSecretsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetSecrets"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"envId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"path"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"secrets"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"key"}},{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"tags"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"comment"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}},{"kind":"Field","name":{"kind":"Name","value":"override"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"value"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}}]}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}}]}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"folders"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}},{"kind":"Argument","name":{"kind":"Name","value":"path"},"value":{"kind":"Variable","name":{"kind":"Name","value":"path"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"path"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"folderCount"}},{"kind":"Field","name":{"kind":"Name","value":"secretCount"}}]}},{"kind":"Field","name":{"kind":"Name","value":"appEnvironments"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"app"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"environmentKeys"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}},{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSeed"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedSalt"}}]}},{"kind":"Field","name":{"kind":"Name","value":"envSyncs"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"envId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"envId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"envType"}}]}},{"kind":"Field","name":{"kind":"Name","value":"serviceInfo"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"options"}},{"kind":"Field","name":{"kind":"Name","value":"isActive"}},{"kind":"Field","name":{"kind":"Name","value":"status"}},{"kind":"Field","name":{"kind":"Name","value":"lastSync"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetSecretsQuery, GetSecretsQueryVariables>;
 export const GetServiceTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"appId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceTokens"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"appId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"appId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"keys"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceTokensQuery, GetServiceTokensQueryVariables>;
-export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
+export const GetServiceAccountDetailDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountDetail"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"serverSideKeyManagementEnabled"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"appMemberships"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"environments"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}}]}},{"kind":"Field","name":{"kind":"Name","value":"sseEnabled"}}]}},{"kind":"Field","name":{"kind":"Name","value":"networkPolicies"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"allowedIps"}},{"kind":"Field","name":{"kind":"Name","value":"isGlobal"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identities"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountDetailQuery, GetServiceAccountDetailQueryVariables>;
 export const GetServiceAccountHandlersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountHandlers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccountHandlers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"permissions"}}]}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountHandlersQuery, GetServiceAccountHandlersQueryVariables>;
 export const GetServiceAccountTokensDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccountTokens"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"tokens"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}},{"kind":"Field","name":{"kind":"Name","value":"createdBy"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"fullName"}},{"kind":"Field","name":{"kind":"Name","value":"avatarUrl"}},{"kind":"Field","name":{"kind":"Name","value":"self"}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdByServiceAccount"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}}]}},{"kind":"Field","name":{"kind":"Name","value":"lastUsed"}}]}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountTokensQuery, GetServiceAccountTokensQueryVariables>;
 export const GetServiceAccountsDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"query","name":{"kind":"Name","value":"GetServiceAccounts"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"serviceAccounts"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"serviceAccountId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"identityKey"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"color"}}]}},{"kind":"Field","name":{"kind":"Name","value":"handlers"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedKeyring"}},{"kind":"Field","name":{"kind":"Name","value":"wrappedRecovery"}},{"kind":"Field","name":{"kind":"Name","value":"user"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"self"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}}]}}]}}]} as unknown as DocumentNode<GetServiceAccountsQuery, GetServiceAccountsQueryVariables>;

From c975241f92e83b4f2731018b659d8a1fef693e9c Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Mon, 25 Aug 2025 23:05:30 +0530
Subject: [PATCH 50/80] feat: add Identity model and service account identities
 relationship

- Introduced the Identity model to manage identity attributes, including provider, name, and configuration.
- Established a ManyToMany relationship between ServiceAccount and Identity, allowing for better management of associated identities.
---
 ...0107_identity_serviceaccount_identities.py | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 backend/api/migrations/0107_identity_serviceaccount_identities.py

diff --git a/backend/api/migrations/0107_identity_serviceaccount_identities.py b/backend/api/migrations/0107_identity_serviceaccount_identities.py
new file mode 100644
index 000000000..48ad2fefa
--- /dev/null
+++ b/backend/api/migrations/0107_identity_serviceaccount_identities.py
@@ -0,0 +1,37 @@
+# Generated by Django 4.2.22 on 2025-08-25 13:24
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0106_serviceaccounttoken_created_by_service_account'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Identity',
+            fields=[
+                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('provider', models.CharField(max_length=64)),
+                ('name', models.CharField(max_length=100)),
+                ('description', models.TextField(blank=True, null=True)),
+                ('config', models.JSONField(default=dict)),
+                ('token_name_pattern', models.CharField(blank=True, max_length=128, null=True)),
+                ('default_ttl_seconds', models.IntegerField(default=3600)),
+                ('max_ttl_seconds', models.IntegerField(default=86400)),
+                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
+                ('updated_at', models.DateTimeField(auto_now=True)),
+                ('deleted_at', models.DateTimeField(blank=True, null=True)),
+                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.organisation')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='serviceaccount',
+            name='identities',
+            field=models.ManyToManyField(blank=True, related_name='service_accounts', to='api.identity'),
+        ),
+    ]

From a8ac59cfad38250e9e49f66025750d474b4c811c Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 26 Aug 2025 22:49:45 +0530
Subject: [PATCH 51/80] refactor: remove unused third-party authentication
 toggle from CreateServiceAccountDialog

- Eliminated commented-out code for the third-party authentication toggle to improve code clarity and maintainability.
---
 .../_components/CreateServiceAccountDialog.tsx              | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
index 2b1f2d68c..6bac30866 100644
--- a/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
+++ b/frontend/app/[team]/access/service-accounts/_components/CreateServiceAccountDialog.tsx
@@ -221,12 +221,6 @@ export const CreateServiceAccountDialog = () => {
               )}
             </Listbox>
           </div>
-          {/* <div>
-            <label className="block text-neutral-500 text-sm mb-2" htmlFor="role">
-              Enable third-party authentication
-            </label>
-            <ToggleSwitch value={thirdParty} onToggle={() => setThirdParty(!thirdParty)} />
-          </div> */}
         </div>
         <div className="flex justify-end items-center gap-2 pt-8">
           <Button type="submit" variant="primary" isLoading={createPending}>

From cb70d5b6cae2e23b7a04c7f07960e45ebf5cf7c6 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 26 Aug 2025 22:50:04 +0530
Subject: [PATCH 52/80] fix: update terminology for identity management in
 ServiceAccountIdentities component

- Changed the label from "third-party identities" to "external identities" for improved clarity and consistency in terminology.
---
 .../[account]/_components/ServiceAccountIdentities.tsx          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
index 9b85fb10b..25239b77e 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
@@ -98,7 +98,7 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
           <div className="text-xl font-semibold">Identities</div>
           <div className="flex items-center justify-between">
             <div className="text-neutral-500">
-              Manage which third-party identities are trusted for this account
+              Manage which external identities are trusted for this account
             </div>
             {(account as any).identities && (account as any).identities.length > 0 && (
               <Button variant="primary" onClick={() => setIsOpen(true)}>

From eb5a70ec0e115a98ba140f1f0fbd461ba92b0615 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 26 Aug 2025 22:50:14 +0530
Subject: [PATCH 53/80] fix: update label for identity management in
 AccessLayout component

- Changed the label from "Third-party Identities" to "External Identities" for improved clarity and consistency in terminology.
---
 frontend/app/[team]/access/layout.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/app/[team]/access/layout.tsx b/frontend/app/[team]/access/layout.tsx
index 88e16c0f4..8b15a4f46 100644
--- a/frontend/app/[team]/access/layout.tsx
+++ b/frontend/app/[team]/access/layout.tsx
@@ -32,7 +32,7 @@ export default function AccessLayout({
         link: 'roles',
       },
       {
-        name: 'Third-party Identities',
+        name: 'External Identities',
         link: 'identities',
       },
       {

From 64c46f387a54a50336e21d7eb2edc6b710c56d7c Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Tue, 26 Aug 2025 22:50:24 +0530
Subject: [PATCH 54/80] fix: update label for identity management in
 IdentityPage component

- Changed the label from "Third-party identities" to "External identities" for improved clarity and consistency in terminology.
---
 frontend/app/[team]/access/identities/page.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/app/[team]/access/identities/page.tsx b/frontend/app/[team]/access/identities/page.tsx
index d3be0376b..9fcd07e77 100644
--- a/frontend/app/[team]/access/identities/page.tsx
+++ b/frontend/app/[team]/access/identities/page.tsx
@@ -177,7 +177,7 @@ export default function IdentityPage() {
       ) : (
         <div className="space-y-2">
           <div className="space-y-1">
-            <div className="text-xl font-semibold">Third-party identities</div>
+            <div className="text-xl font-semibold">External identities</div>
             <div className="text-neutral-500">Manage identities used for external auth</div>
           </div>
           <div className="space-y-4">

From 19b06e5ad17336de69ffb9ca80cced22836601d2 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 14:25:54 +0530
Subject: [PATCH 55/80] feat: add unit tests for AWS IAM authentication

- Introduced comprehensive unit tests for the AWS IAM authentication functionality, covering various scenarios including valid authentication, error handling for malformed requests, and validation of service account configurations.
- Ensured robust testing for edge cases such as missing headers, invalid payloads, and service account resolution failures, enhancing the reliability of the authentication process.
---
 .../api/views/identities/aws/__init__.py      |   0
 .../api/views/identities/aws/test_iam.py      | 801 ++++++++++++++++++
 2 files changed, 801 insertions(+)
 create mode 100644 backend/tests/api/views/identities/aws/__init__.py
 create mode 100644 backend/tests/api/views/identities/aws/test_iam.py

diff --git a/backend/tests/api/views/identities/aws/__init__.py b/backend/tests/api/views/identities/aws/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/tests/api/views/identities/aws/test_iam.py b/backend/tests/api/views/identities/aws/test_iam.py
new file mode 100644
index 000000000..56c3be26f
--- /dev/null
+++ b/backend/tests/api/views/identities/aws/test_iam.py
@@ -0,0 +1,801 @@
+import unittest
+import json
+import base64
+from unittest.mock import patch, MagicMock, Mock
+from datetime import datetime, timezone
+from django.test import TestCase
+from django.http import JsonResponse
+from rest_framework.test import APIRequestFactory
+from api.views.identities.aws.iam import aws_iam_auth
+
+
+class TestAwsIamAuth(TestCase):
+    def setUp(self):
+        self.factory = APIRequestFactory()
+        self.service_account_id = "2115a1fc-0a78-4a7b-ad8c-6fa6cc15f489"
+        
+        # Valid AWS STS response XML
+        self.valid_aws_response = """
+        <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+          <GetCallerIdentityResult>
+            <Arn>arn:aws:iam::499502749186:user/testing-phase-cli-tessaract-auth-mode</Arn>
+            <UserId>AIDAXITFPCYBFEX7357DX</UserId>
+            <Account>499502749186</Account>
+          </GetCallerIdentityResult>
+          <ResponseMetadata>
+            <RequestId>38cb043b-e164-4c96-842a-f264208507cf</RequestId>
+          </ResponseMetadata>
+        </GetCallerIdentityResponse>
+
+        """
+
+        # Valid request payload
+        self.valid_payload = {
+            "account": {
+                "type": "service",
+                "id": self.service_account_id
+            },
+            "awsIam": {
+                "httpRequestMethod": "POST",
+                "httpRequestUrl": "aHR0cHM6Ly9zdHMuYXAtc291dGgtMS5hbWF6b25hd3MuY29t",
+                "httpRequestHeaders": "eyJDb250ZW50LVR5cGUiOiAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkOyBjaGFyc2V0PXV0Zi04IiwgIlgtQW16LURhdGUiOiAiMjAyNTA4MjdUMDgwNzE5WiIsICJBdXRob3JpemF0aW9uIjogIkFXUzQtSE1BQy1TSEEyNTYgQ3JlZGVudGlhbD1BS0lBWElURlBDWUJFTEtBNk41Vi8yMDI1MDgyNy9hcC1zb3V0aC0xL3N0cy9hd3M0X3JlcXVlc3QsIFNpZ25lZEhlYWRlcnM9Y29udGVudC10eXBlO2hvc3Q7eC1hbXotZGF0ZSwgU2lnbmF0dXJlPWFkZjdhNzM0MDFlNjNhODRkNWJhNzA3MTQ4MjU3ZGFjMjcyNzhiM2Y3MDEzNWRmMDMyZTBlMDczMzIwNTIwMzgiLCAiQ29udGVudC1MZW5ndGgiOiAiNDMifQ==",
+                "httpRequestBody": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ=="
+            },
+            "tokenRequest": {
+                "ttl": 60
+            }
+        }
+
+        # Decoded headers for verification
+        self.decoded_headers = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+            "X-Amz-Date": "20250827T080719Z",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAXITFPCYBELKA6N5V/20250827/ap-south-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=adf7a73401e63a84d5ba70714825dabc27278b3f70135df032e0e073320520338",
+            "Content-Length": "43"
+        }
+
+    def test_valid_authentication_success(self):
+        """Test successful AWS IAM authentication with valid request"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+
+        # Mock service account
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+
+        # Mock identity
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        mock_identity.default_ttl_seconds = 3600
+        mock_identity.max_ttl_seconds = 86400
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
+        ]
+
+        # Mock AWS response
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+
+        # Mock token minting
+        mock_auth_token = {
+            "tokenType": "ServiceAccount",
+            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
+            "bearerToken": "ServiceAccount token123",
+            "TTL": 60,
+            "maxTTL": 86400
+        }
+
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            # Mock current time to be close to X-Amz-Date
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 200)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["authentication"], mock_auth_token)
+
+    def test_invalid_json_payload(self):
+        """Test handling of malformed JSON payload"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data="invalid json",
+            content_type='application/json'
+        )
+        
+        response = aws_iam_auth(request)
+        
+        self.assertEqual(response.status_code, 400)
+        response_data = json.loads(response.content)
+        self.assertEqual(response_data["error"], "Invalid JSON")
+
+    def test_missing_account_id(self):
+        """Test handling of missing service account ID"""
+        payload = self.valid_payload.copy()
+        payload["account"]["id"] = None
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        response = aws_iam_auth(request)
+        
+        self.assertEqual(response.status_code, 400)
+        response_data = json.loads(response.content)
+        self.assertEqual(response_data["error"], "Only service account authentication supported")
+
+    def test_invalid_account_type(self):
+        """Test handling of invalid account type"""
+        payload = self.valid_payload.copy()
+        payload["account"]["type"] = "user"
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        response = aws_iam_auth(request)
+        
+        self.assertEqual(response.status_code, 400)
+        response_data = json.loads(response.content)
+        self.assertEqual(response_data["error"], "Only service account authentication supported")
+
+    def test_invalid_base64_encoding(self):
+        """Test handling of invalid base64 encoding in AWS IAM data"""
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestUrl"] = "invalid_base64!!!"
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        response = aws_iam_auth(request)
+        
+        self.assertEqual(response.status_code, 400)
+        response_data = json.loads(response.content)
+        self.assertEqual(response_data["error"], "Invalid awsIam request encoding")
+
+    def test_missing_amz_date_header(self):
+        """Test handling of missing X-Amz-Date header"""
+        headers_without_date = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=...",
+            "Content-Length": "43"
+        }
+        encoded_headers = base64.b64encode(json.dumps(headers_without_date).encode()).decode()
+        
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        response = aws_iam_auth(request)
+        
+        self.assertEqual(response.status_code, 400)
+        response_data = json.loads(response.content)
+        self.assertEqual(response_data["error"], "Missing X-Amz-Date header")
+
+    def test_invalid_amz_date_format(self):
+        """Test handling of invalid X-Amz-Date format"""
+        headers_invalid_date = self.decoded_headers.copy()
+        headers_invalid_date["X-Amz-Date"] = "invalid-date-format"
+        encoded_headers = base64.b64encode(json.dumps(headers_invalid_date).encode()).decode()
+        
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        response = aws_iam_auth(request)
+        
+        self.assertEqual(response.status_code, 400)
+        response_data = json.loads(response.content)
+        self.assertEqual(response_data["error"], "Invalid X-Amz-Date")
+
+    def test_service_account_not_found(self):
+        """Test handling of non-existent service account"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=None):
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 404)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Service account not found")
+
+    def test_server_side_key_management_required(self):
+        """Test requirement for server-side key management"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = None  # No server-side keyring
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account):
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 403)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Server-side key management must be enabled")
+
+    def test_no_aws_iam_identity_attached(self):
+        """Test handling of service account without AWS IAM identity"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=None):
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 404)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "No AWS IAM identity attached to this account")
+
+    def test_signature_expired(self):
+        """Test handling of expired signature"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {"signatureTtlSeconds": 60}
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            # Mock current time to be way after X-Amz-Date (signature expired)
+            mock_now = datetime(2025, 8, 27, 10, 0, 0, tzinfo=timezone.utc)  # 2 hours later
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 401)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Signature expired")
+
+    def test_sts_endpoint_mismatch(self):
+        """Test handling of STS endpoint mismatch"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        # Configure identity with different STS endpoint
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.us-east-1.amazonaws.com"  # Different from request
+        }
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 400)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "STS endpoint mismatch. Please sign the request for the configured STS endpoint.")
+            self.assertIn("expectedEndpoint", response_data)
+            self.assertIn("receivedEndpoint", response_data)
+
+    def test_aws_sts_request_failure(self):
+        """Test handling of AWS STS request failure"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', side_effect=Exception("Connection failed")), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 502)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Failed to contact AWS STS")
+
+    def test_aws_sts_validation_failed(self):
+        """Test handling of AWS STS validation failure"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        
+        # Mock AWS response with error
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 403
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 401)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "AWS STS validation failed")
+            self.assertEqual(response_data["status"], 403)
+
+    def test_unable_to_parse_aws_identity(self):
+        """Test handling of malformed AWS STS response"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        
+        # Mock AWS response without ARN
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = "<GetCallerIdentityResponse>Invalid</GetCallerIdentityResponse>"
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 500)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Unable to parse AWS identity")
+
+    def test_wildcard_trusted_principal_rejected(self):
+        """Test rejection of wildcard trusted principal patterns"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        mock_identity.get_trusted_list.return_value = ["*"]  # Wildcard not allowed
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 400)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Invalid trusted principal pattern '*' is not allowed")
+
+    def test_untrusted_principal(self):
+        """Test rejection of untrusted AWS principal"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        # Principal in response doesn't match trusted patterns
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::111111111111:user/allowed-user"
+        ]
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 403)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Untrusted principal")
+
+    def test_ttl_exceeds_maximum(self):
+        """Test handling of TTL request exceeding maximum allowed"""
+        payload = self.valid_payload.copy()
+        payload["tokenRequest"]["ttl"] = 100000  # Exceeds max TTL
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        mock_identity.default_ttl_seconds = 3600
+        mock_identity.max_ttl_seconds = 86400  # 24 hours max
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
+        ]
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 400)
+            response_data = json.loads(response.content)
+            self.assertIn("Requested TTL", response_data["error"])
+            self.assertIn("exceeds maximum allowed TTL", response_data["error"])
+
+    def test_token_minting_failure(self):
+        """Test handling of token minting failure"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        mock_identity.default_ttl_seconds = 3600
+        mock_identity.max_ttl_seconds = 86400
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
+        ]
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.mint_service_account_token', side_effect=Exception("Token mint failed")), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 500)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["error"], "Failed to mint token")
+
+    def test_default_signature_ttl_when_not_configured(self):
+        """Test default signature TTL when not configured in identity"""
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(self.valid_payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        # Identity without signatureTtlSeconds config
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            # No signatureTtlSeconds - should default to 60
+        }
+        mock_identity.default_ttl_seconds = 3600
+        mock_identity.max_ttl_seconds = 86400
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
+        ]
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        mock_auth_token = {
+            "tokenType": "ServiceAccount",
+            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
+            "bearerToken": "ServiceAccount token123",
+            "TTL": 60,
+            "maxTTL": 86400
+        }
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 200)
+            response_data = json.loads(response.content)
+            self.assertEqual(response_data["authentication"], mock_auth_token)
+
+    def test_default_ttl_when_not_requested(self):
+        """Test using default TTL when not specified in request"""
+        payload = self.valid_payload.copy()
+        del payload["tokenRequest"]  # No TTL requested
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        mock_identity.default_ttl_seconds = 3600  # Should use this
+        mock_identity.max_ttl_seconds = 86400
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
+        ]
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        mock_auth_token = {
+            "tokenType": "ServiceAccount",
+            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
+            "bearerToken": "ServiceAccount token123",
+            "TTL": 3600,  # Should match default_ttl_seconds
+            "maxTTL": 86400
+        }
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
+             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token) as mock_mint, \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 200)
+            # Verify that mint_service_account_token was called with default TTL
+            mock_mint.assert_called_once()
+            call_args = mock_mint.call_args[0]
+            requested_ttl = call_args[2]  # Third argument is requested_ttl
+            self.assertEqual(requested_ttl, 3600)  # Should be default_ttl_seconds
+
+    def test_case_insensitive_header_matching(self):
+        """Test case-insensitive matching for X-Amz-Date header"""
+        headers_lowercase = {
+            "content-type": "application/x-www-form-urlencoded; charset=utf-8",
+            "x-amz-date": "20250827T080719Z",  # lowercase
+            "authorization": "AWS4-HMAC-SHA256 Credential=...",
+            "content-length": "43"
+        }
+        encoded_headers = base64.b64encode(json.dumps(headers_lowercase).encode()).decode()
+        
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            # Should not fail on missing X-Amz-Date since it finds x-amz-date
+            response = aws_iam_auth(request)
+            
+            # Should pass the header validation and continue to next steps
+            self.assertNotEqual(response.status_code, 400)
+
+    def test_get_method_support(self):
+        """Test support for GET method in addition to POST"""
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestMethod"] = "GET"
+        
+        request = self.factory.post(
+            '/identity/v1/aws/iam/auth',
+            data=json.dumps(payload),
+            content_type='application/json'
+        )
+        
+        mock_service_account = MagicMock()
+        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+        
+        mock_identity = MagicMock()
+        mock_identity.config = {
+            "signatureTtlSeconds": 300,
+            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+        }
+        mock_identity.default_ttl_seconds = 3600
+        mock_identity.max_ttl_seconds = 86400
+        mock_identity.get_trusted_list.return_value = [
+            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
+        ]
+        
+        mock_aws_response = MagicMock()
+        mock_aws_response.status_code = 200
+        mock_aws_response.text = self.valid_aws_response
+        
+        mock_auth_token = {
+            "tokenType": "ServiceAccount",
+            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
+            "bearerToken": "ServiceAccount token123",
+            "TTL": 60,
+            "maxTTL": 86400
+        }
+        
+        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
+             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
+             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response) as mock_request, \
+             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token), \
+             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
+            
+            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+            mock_timezone.now.return_value = mock_now
+            
+            response = aws_iam_auth(request)
+            
+            self.assertEqual(response.status_code, 200)
+            # Verify that GET method was used in the AWS request
+            mock_request.assert_called_once()
+            call_args = mock_request.call_args[0]
+            method = call_args[0]
+            self.assertEqual(method, "GET")
+
+
+if __name__ == '__main__':
+    unittest.main()

From 1a5d3cabb2c7d3202de039142a154aea1ce89c56 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 14:44:43 +0530
Subject: [PATCH 56/80] feat: implement unit tests for AWS IAM authentication
 logic

- Added a new test suite for the AWS IAM authentication logic, covering various scenarios including invalid JSON payloads, missing account IDs, and signature expiration.
- Ensured comprehensive testing of edge cases such as STS endpoint mismatches, untrusted principals, and token minting failures, enhancing the reliability of the authentication process.
- Removed the previous test file for AWS IAM authentication to consolidate testing efforts in a single location.
---
 .../api/views/identities/aws/test_iam.py      | 801 ------------------
 .../api/views/identities/aws/test_iam_unit.py | 685 +++++++++++++++
 2 files changed, 685 insertions(+), 801 deletions(-)
 delete mode 100644 backend/tests/api/views/identities/aws/test_iam.py
 create mode 100644 backend/tests/api/views/identities/aws/test_iam_unit.py

diff --git a/backend/tests/api/views/identities/aws/test_iam.py b/backend/tests/api/views/identities/aws/test_iam.py
deleted file mode 100644
index 56c3be26f..000000000
--- a/backend/tests/api/views/identities/aws/test_iam.py
+++ /dev/null
@@ -1,801 +0,0 @@
-import unittest
-import json
-import base64
-from unittest.mock import patch, MagicMock, Mock
-from datetime import datetime, timezone
-from django.test import TestCase
-from django.http import JsonResponse
-from rest_framework.test import APIRequestFactory
-from api.views.identities.aws.iam import aws_iam_auth
-
-
-class TestAwsIamAuth(TestCase):
-    def setUp(self):
-        self.factory = APIRequestFactory()
-        self.service_account_id = "2115a1fc-0a78-4a7b-ad8c-6fa6cc15f489"
-        
-        # Valid AWS STS response XML
-        self.valid_aws_response = """
-        <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-          <GetCallerIdentityResult>
-            <Arn>arn:aws:iam::499502749186:user/testing-phase-cli-tessaract-auth-mode</Arn>
-            <UserId>AIDAXITFPCYBFEX7357DX</UserId>
-            <Account>499502749186</Account>
-          </GetCallerIdentityResult>
-          <ResponseMetadata>
-            <RequestId>38cb043b-e164-4c96-842a-f264208507cf</RequestId>
-          </ResponseMetadata>
-        </GetCallerIdentityResponse>
-
-        """
-
-        # Valid request payload
-        self.valid_payload = {
-            "account": {
-                "type": "service",
-                "id": self.service_account_id
-            },
-            "awsIam": {
-                "httpRequestMethod": "POST",
-                "httpRequestUrl": "aHR0cHM6Ly9zdHMuYXAtc291dGgtMS5hbWF6b25hd3MuY29t",
-                "httpRequestHeaders": "eyJDb250ZW50LVR5cGUiOiAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkOyBjaGFyc2V0PXV0Zi04IiwgIlgtQW16LURhdGUiOiAiMjAyNTA4MjdUMDgwNzE5WiIsICJBdXRob3JpemF0aW9uIjogIkFXUzQtSE1BQy1TSEEyNTYgQ3JlZGVudGlhbD1BS0lBWElURlBDWUJFTEtBNk41Vi8yMDI1MDgyNy9hcC1zb3V0aC0xL3N0cy9hd3M0X3JlcXVlc3QsIFNpZ25lZEhlYWRlcnM9Y29udGVudC10eXBlO2hvc3Q7eC1hbXotZGF0ZSwgU2lnbmF0dXJlPWFkZjdhNzM0MDFlNjNhODRkNWJhNzA3MTQ4MjU3ZGFjMjcyNzhiM2Y3MDEzNWRmMDMyZTBlMDczMzIwNTIwMzgiLCAiQ29udGVudC1MZW5ndGgiOiAiNDMifQ==",
-                "httpRequestBody": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ=="
-            },
-            "tokenRequest": {
-                "ttl": 60
-            }
-        }
-
-        # Decoded headers for verification
-        self.decoded_headers = {
-            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
-            "X-Amz-Date": "20250827T080719Z",
-            "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAXITFPCYBELKA6N5V/20250827/ap-south-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=adf7a73401e63a84d5ba70714825dabc27278b3f70135df032e0e073320520338",
-            "Content-Length": "43"
-        }
-
-    def test_valid_authentication_success(self):
-        """Test successful AWS IAM authentication with valid request"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-
-        # Mock service account
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-
-        # Mock identity
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        mock_identity.default_ttl_seconds = 3600
-        mock_identity.max_ttl_seconds = 86400
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
-        ]
-
-        # Mock AWS response
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-
-        # Mock token minting
-        mock_auth_token = {
-            "tokenType": "ServiceAccount",
-            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
-            "bearerToken": "ServiceAccount token123",
-            "TTL": 60,
-            "maxTTL": 86400
-        }
-
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            # Mock current time to be close to X-Amz-Date
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 200)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["authentication"], mock_auth_token)
-
-    def test_invalid_json_payload(self):
-        """Test handling of malformed JSON payload"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data="invalid json",
-            content_type='application/json'
-        )
-        
-        response = aws_iam_auth(request)
-        
-        self.assertEqual(response.status_code, 400)
-        response_data = json.loads(response.content)
-        self.assertEqual(response_data["error"], "Invalid JSON")
-
-    def test_missing_account_id(self):
-        """Test handling of missing service account ID"""
-        payload = self.valid_payload.copy()
-        payload["account"]["id"] = None
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        response = aws_iam_auth(request)
-        
-        self.assertEqual(response.status_code, 400)
-        response_data = json.loads(response.content)
-        self.assertEqual(response_data["error"], "Only service account authentication supported")
-
-    def test_invalid_account_type(self):
-        """Test handling of invalid account type"""
-        payload = self.valid_payload.copy()
-        payload["account"]["type"] = "user"
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        response = aws_iam_auth(request)
-        
-        self.assertEqual(response.status_code, 400)
-        response_data = json.loads(response.content)
-        self.assertEqual(response_data["error"], "Only service account authentication supported")
-
-    def test_invalid_base64_encoding(self):
-        """Test handling of invalid base64 encoding in AWS IAM data"""
-        payload = self.valid_payload.copy()
-        payload["awsIam"]["httpRequestUrl"] = "invalid_base64!!!"
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        response = aws_iam_auth(request)
-        
-        self.assertEqual(response.status_code, 400)
-        response_data = json.loads(response.content)
-        self.assertEqual(response_data["error"], "Invalid awsIam request encoding")
-
-    def test_missing_amz_date_header(self):
-        """Test handling of missing X-Amz-Date header"""
-        headers_without_date = {
-            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
-            "Authorization": "AWS4-HMAC-SHA256 Credential=...",
-            "Content-Length": "43"
-        }
-        encoded_headers = base64.b64encode(json.dumps(headers_without_date).encode()).decode()
-        
-        payload = self.valid_payload.copy()
-        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        response = aws_iam_auth(request)
-        
-        self.assertEqual(response.status_code, 400)
-        response_data = json.loads(response.content)
-        self.assertEqual(response_data["error"], "Missing X-Amz-Date header")
-
-    def test_invalid_amz_date_format(self):
-        """Test handling of invalid X-Amz-Date format"""
-        headers_invalid_date = self.decoded_headers.copy()
-        headers_invalid_date["X-Amz-Date"] = "invalid-date-format"
-        encoded_headers = base64.b64encode(json.dumps(headers_invalid_date).encode()).decode()
-        
-        payload = self.valid_payload.copy()
-        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        response = aws_iam_auth(request)
-        
-        self.assertEqual(response.status_code, 400)
-        response_data = json.loads(response.content)
-        self.assertEqual(response_data["error"], "Invalid X-Amz-Date")
-
-    def test_service_account_not_found(self):
-        """Test handling of non-existent service account"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=None):
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 404)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Service account not found")
-
-    def test_server_side_key_management_required(self):
-        """Test requirement for server-side key management"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = None  # No server-side keyring
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account):
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 403)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Server-side key management must be enabled")
-
-    def test_no_aws_iam_identity_attached(self):
-        """Test handling of service account without AWS IAM identity"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=None):
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 404)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "No AWS IAM identity attached to this account")
-
-    def test_signature_expired(self):
-        """Test handling of expired signature"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {"signatureTtlSeconds": 60}
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            # Mock current time to be way after X-Amz-Date (signature expired)
-            mock_now = datetime(2025, 8, 27, 10, 0, 0, tzinfo=timezone.utc)  # 2 hours later
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 401)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Signature expired")
-
-    def test_sts_endpoint_mismatch(self):
-        """Test handling of STS endpoint mismatch"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        # Configure identity with different STS endpoint
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.us-east-1.amazonaws.com"  # Different from request
-        }
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 400)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "STS endpoint mismatch. Please sign the request for the configured STS endpoint.")
-            self.assertIn("expectedEndpoint", response_data)
-            self.assertIn("receivedEndpoint", response_data)
-
-    def test_aws_sts_request_failure(self):
-        """Test handling of AWS STS request failure"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', side_effect=Exception("Connection failed")), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 502)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Failed to contact AWS STS")
-
-    def test_aws_sts_validation_failed(self):
-        """Test handling of AWS STS validation failure"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        
-        # Mock AWS response with error
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 403
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 401)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "AWS STS validation failed")
-            self.assertEqual(response_data["status"], 403)
-
-    def test_unable_to_parse_aws_identity(self):
-        """Test handling of malformed AWS STS response"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        
-        # Mock AWS response without ARN
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = "<GetCallerIdentityResponse>Invalid</GetCallerIdentityResponse>"
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 500)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Unable to parse AWS identity")
-
-    def test_wildcard_trusted_principal_rejected(self):
-        """Test rejection of wildcard trusted principal patterns"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        mock_identity.get_trusted_list.return_value = ["*"]  # Wildcard not allowed
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 400)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Invalid trusted principal pattern '*' is not allowed")
-
-    def test_untrusted_principal(self):
-        """Test rejection of untrusted AWS principal"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        # Principal in response doesn't match trusted patterns
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::111111111111:user/allowed-user"
-        ]
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 403)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Untrusted principal")
-
-    def test_ttl_exceeds_maximum(self):
-        """Test handling of TTL request exceeding maximum allowed"""
-        payload = self.valid_payload.copy()
-        payload["tokenRequest"]["ttl"] = 100000  # Exceeds max TTL
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        mock_identity.default_ttl_seconds = 3600
-        mock_identity.max_ttl_seconds = 86400  # 24 hours max
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
-        ]
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 400)
-            response_data = json.loads(response.content)
-            self.assertIn("Requested TTL", response_data["error"])
-            self.assertIn("exceeds maximum allowed TTL", response_data["error"])
-
-    def test_token_minting_failure(self):
-        """Test handling of token minting failure"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        mock_identity.default_ttl_seconds = 3600
-        mock_identity.max_ttl_seconds = 86400
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
-        ]
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.mint_service_account_token', side_effect=Exception("Token mint failed")), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 500)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["error"], "Failed to mint token")
-
-    def test_default_signature_ttl_when_not_configured(self):
-        """Test default signature TTL when not configured in identity"""
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(self.valid_payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        # Identity without signatureTtlSeconds config
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-            # No signatureTtlSeconds - should default to 60
-        }
-        mock_identity.default_ttl_seconds = 3600
-        mock_identity.max_ttl_seconds = 86400
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
-        ]
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        mock_auth_token = {
-            "tokenType": "ServiceAccount",
-            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
-            "bearerToken": "ServiceAccount token123",
-            "TTL": 60,
-            "maxTTL": 86400
-        }
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 200)
-            response_data = json.loads(response.content)
-            self.assertEqual(response_data["authentication"], mock_auth_token)
-
-    def test_default_ttl_when_not_requested(self):
-        """Test using default TTL when not specified in request"""
-        payload = self.valid_payload.copy()
-        del payload["tokenRequest"]  # No TTL requested
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        mock_identity.default_ttl_seconds = 3600  # Should use this
-        mock_identity.max_ttl_seconds = 86400
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
-        ]
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        mock_auth_token = {
-            "tokenType": "ServiceAccount",
-            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
-            "bearerToken": "ServiceAccount token123",
-            "TTL": 3600,  # Should match default_ttl_seconds
-            "maxTTL": 86400
-        }
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response), \
-             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token) as mock_mint, \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 200)
-            # Verify that mint_service_account_token was called with default TTL
-            mock_mint.assert_called_once()
-            call_args = mock_mint.call_args[0]
-            requested_ttl = call_args[2]  # Third argument is requested_ttl
-            self.assertEqual(requested_ttl, 3600)  # Should be default_ttl_seconds
-
-    def test_case_insensitive_header_matching(self):
-        """Test case-insensitive matching for X-Amz-Date header"""
-        headers_lowercase = {
-            "content-type": "application/x-www-form-urlencoded; charset=utf-8",
-            "x-amz-date": "20250827T080719Z",  # lowercase
-            "authorization": "AWS4-HMAC-SHA256 Credential=...",
-            "content-length": "43"
-        }
-        encoded_headers = base64.b64encode(json.dumps(headers_lowercase).encode()).decode()
-        
-        payload = self.valid_payload.copy()
-        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            # Should not fail on missing X-Amz-Date since it finds x-amz-date
-            response = aws_iam_auth(request)
-            
-            # Should pass the header validation and continue to next steps
-            self.assertNotEqual(response.status_code, 400)
-
-    def test_get_method_support(self):
-        """Test support for GET method in addition to POST"""
-        payload = self.valid_payload.copy()
-        payload["awsIam"]["httpRequestMethod"] = "GET"
-        
-        request = self.factory.post(
-            '/identity/v1/aws/iam/auth',
-            data=json.dumps(payload),
-            content_type='application/json'
-        )
-        
-        mock_service_account = MagicMock()
-        mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
-        
-        mock_identity = MagicMock()
-        mock_identity.config = {
-            "signatureTtlSeconds": 300,
-            "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
-        }
-        mock_identity.default_ttl_seconds = 3600
-        mock_identity.max_ttl_seconds = 86400
-        mock_identity.get_trusted_list.return_value = [
-            "arn:aws:iam::499502749186:user/testing-phase-cli-*"
-        ]
-        
-        mock_aws_response = MagicMock()
-        mock_aws_response.status_code = 200
-        mock_aws_response.text = self.valid_aws_response
-        
-        mock_auth_token = {
-            "tokenType": "ServiceAccount",
-            "token": "pss_service:v2:token123:pubkey:share:wrapkey",
-            "bearerToken": "ServiceAccount token123",
-            "TTL": 60,
-            "maxTTL": 86400
-        }
-        
-        with patch('api.views.identities.aws.iam.resolve_service_account', return_value=mock_service_account), \
-             patch('api.views.identities.aws.iam.resolve_attached_identity', return_value=mock_identity), \
-             patch('api.views.identities.aws.iam.requests.request', return_value=mock_aws_response) as mock_request, \
-             patch('api.views.identities.aws.iam.mint_service_account_token', return_value=mock_auth_token), \
-             patch('api.views.identities.aws.iam.timezone') as mock_timezone:
-            
-            mock_now = datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
-            mock_timezone.now.return_value = mock_now
-            
-            response = aws_iam_auth(request)
-            
-            self.assertEqual(response.status_code, 200)
-            # Verify that GET method was used in the AWS request
-            mock_request.assert_called_once()
-            call_args = mock_request.call_args[0]
-            method = call_args[0]
-            self.assertEqual(method, "GET")
-
-
-if __name__ == '__main__':
-    unittest.main()
diff --git a/backend/tests/api/views/identities/aws/test_iam_unit.py b/backend/tests/api/views/identities/aws/test_iam_unit.py
new file mode 100644
index 000000000..e94c35c04
--- /dev/null
+++ b/backend/tests/api/views/identities/aws/test_iam_unit.py
@@ -0,0 +1,685 @@
+import unittest
+import json
+import base64
+import re
+from datetime import datetime, timezone
+from unittest.mock import MagicMock, Mock
+
+
+class MockRequest:
+    """Mock request object for testing"""
+    def __init__(self, body):
+        self.body = body
+
+
+class MockJsonResponse:
+    """Mock JsonResponse for testing"""
+    def __init__(self, data, status=200):
+        self.status_code = status
+        self.content = json.dumps(data)
+        self.data = data
+
+
+def aws_iam_auth_logic(request_body, resolve_service_account_func, resolve_attached_identity_func, 
+                      mint_service_account_token_func, requests_func, timezone_func):
+    """
+    Simulates the AWS IAM authentication.
+    """
+    try:
+        payload = json.loads(request_body)
+    except Exception:
+        return MockJsonResponse({"error": "Invalid JSON"}, status=400)
+
+    account = (payload or {}).get("account", {})
+    aws_iam = (payload or {}).get("awsIam", {})
+    token_req = (payload or {}).get("tokenRequest", {})
+
+    account_type = (account.get("type") or "service").lower()
+    account_id = account.get("id")
+    if account_type != "service" or not account_id:
+        return MockJsonResponse({"error": "Only service account authentication supported"}, status=400)
+
+    # Decode signed request
+    try:
+        method = aws_iam.get("httpRequestMethod") or "POST"
+        url = base64.b64decode(aws_iam["httpRequestUrl"]).decode("utf-8")
+        headers_json = base64.b64decode(aws_iam["httpRequestHeaders"]).decode("utf-8")
+        body = base64.b64decode(aws_iam.get("httpRequestBody") or b"").decode("utf-8")
+        headers = json.loads(headers_json)
+    except Exception:
+        return MockJsonResponse({"error": "Invalid awsIam request encoding"}, status=400)
+
+    # Verify signature freshness using X-Amz-Date
+    amz_date = headers.get("X-Amz-Date") or headers.get("x-amz-date")
+    if not amz_date:
+        return MockJsonResponse({"error": "Missing X-Amz-Date header"}, status=400)
+    
+    try:
+        dt = (
+            datetime.strptime(amz_date.replace("Z", ""), "%Y%m%dT%H%M%S")
+            .replace(tzinfo=timezone.utc)
+        )
+    except Exception:
+        return MockJsonResponse({"error": "Invalid X-Amz-Date"}, status=400)
+
+    # Resolve account and identity
+    service_account = resolve_service_account_func(account_id)
+    if service_account is None:
+        return MockJsonResponse({"error": "Service account not found"}, status=404)
+    if not service_account.server_wrapped_keyring:
+        return MockJsonResponse({"error": "Server-side key management must be enabled"}, status=403)
+
+    identity = resolve_attached_identity_func(service_account, "aws_iam")
+    if not identity:
+        return MockJsonResponse({"error": "No AWS IAM identity attached to this account"}, status=404)
+
+    try:
+        max_skew = int(identity.config.get("signatureTtlSeconds", 60))
+    except Exception:
+        max_skew = 60
+    
+    now = timezone_func()
+    if abs((now - dt).total_seconds()) > max_skew:
+        return MockJsonResponse({"error": "Signature expired"}, status=401)
+
+    # Enforce that the signed request targets the identity's configured STS endpoint
+    try:
+        from urllib.parse import urlparse
+        configured = identity.config.get("stsEndpoint")
+        if not configured.startswith("http"):
+            configured = f"https://{configured}"
+        request_url = url
+        if not request_url.startswith("http"):
+            request_url = f"https://{request_url}"
+
+        cfg_host = urlparse(configured).netloc.lower()
+        req_host = urlparse(request_url).netloc.lower()
+        header_host = (headers.get("Host") or headers.get("host") or "").lower()
+
+        if req_host != cfg_host or (header_host and header_host != cfg_host):
+            return MockJsonResponse(
+                {
+                    "error": "STS endpoint mismatch. Please sign the request for the configured STS endpoint.",
+                    "expectedEndpoint": configured,
+                    "receivedEndpoint": request_url,
+                },
+                status=400,
+            )
+    except Exception:
+        return MockJsonResponse({"error": "Invalid STS endpoint configuration"}, status=400)
+
+    # Forward the signed request to AWS STS
+    try:
+        resp = requests_func(method, url, headers=headers, data=body)
+    except Exception:
+        return MockJsonResponse({"error": "Failed to contact AWS STS"}, status=502)
+
+    if resp.status_code != 200:
+        return MockJsonResponse({"error": "AWS STS validation failed", "status": resp.status_code}, status=401)
+
+    # Parse minimal identity info from XML
+    arn = None
+    try:
+        m = re.search(r"<Arn>([^<]+)</Arn>", resp.text)
+        if m:
+            arn = m.group(1)
+    except Exception:
+        pass
+    if arn is None:
+        return MockJsonResponse({"error": "Unable to parse AWS identity"}, status=500)
+
+    # Trust check
+    import fnmatch
+    trusted = identity.get_trusted_list()
+    if any(p == "*" for p in trusted):
+        return MockJsonResponse({"error": "Invalid trusted principal pattern '*' is not allowed"}, status=400)
+
+    def arn_matches_patterns(value: str, patterns: list[str]) -> bool:
+        for pattern in patterns:
+            if not pattern or pattern == "*":
+                continue
+            if fnmatch.fnmatch(value, pattern):
+                return True
+        return False
+
+    if not arn_matches_patterns(arn, trusted):
+        return MockJsonResponse({"error": "Untrusted principal"}, status=403)
+
+    # Validate requested TTL
+    requested_ttl = int(token_req.get("ttl") or identity.default_ttl_seconds)
+    max_ttl = identity.max_ttl_seconds
+    
+    if requested_ttl > max_ttl:
+        return MockJsonResponse({
+            "error": f"Requested TTL ({requested_ttl}s) exceeds maximum allowed TTL ({max_ttl}s)"
+        }, status=400)
+
+    try:
+        auth = mint_service_account_token_func(
+            service_account,
+            identity,
+            requested_ttl,
+            token_name_fallback="aws-iam",
+        )
+    except Exception:
+        return MockJsonResponse({"error": "Failed to mint token"}, status=500)
+
+    return MockJsonResponse({"authentication": auth})
+
+
+class TestAwsIamAuthLogic(unittest.TestCase):
+    def setUp(self):
+        self.service_account_id = "12345678-1234-1234-1234-123456789abc"
+        
+        # Valid AWS STS response XML (anonymized)
+        self.valid_aws_response = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+  <GetCallerIdentityResult>
+    <Arn>arn:aws:iam::123456789012:user/test-user</Arn>
+    <UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
+    <Account>123456789012</Account>
+  </GetCallerIdentityResult>
+  <ResponseMetadata>
+    <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
+  </ResponseMetadata>
+</GetCallerIdentityResponse>"""
+
+        # Valid request payload (anonymized)
+        self.valid_payload = {
+            "account": {
+                "type": "service",
+                "id": self.service_account_id
+            },
+            "awsIam": {
+                "httpRequestMethod": "POST",
+                "httpRequestUrl": "aHR0cHM6Ly9zdHMuYXAtc291dGgtMS5hbWF6b25hd3MuY29t",  # https://sts.ap-south-1.amazonaws.com
+                "httpRequestHeaders": "eyJDb250ZW50LVR5cGUiOiAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkOyBjaGFyc2V0PXV0Zi04IiwgIlgtQW16LURhdGUiOiAiMjAyNTA4MjdUMDgwNzE5WiIsICJBdXRob3JpemF0aW9uIjogIkFXUzQtSE1BQy1TSEEyNTYgQ3JlZGVudGlhbD1BS0lBRVhBTVBMRTEyMzQ1LzIwMjUwODI3L2FwLXNvdXRoLTEvc3RzL2F3czRfcmVxdWVzdCwgU2lnbmVkSGVhZGVycz1jb250ZW50LXR5cGU7aG9zdDt4LWFtei1kYXRlLCBTaWduYXR1cmU9ZXhhbXBsZXNpZ25hdHVyZTEyMzQ1Njc4OTBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiIsICJDb250ZW50LUxlbmd0aCI6ICI0MyJ9",
+                "httpRequestBody": "QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ=="  # Action=GetCallerIdentity&Version=2011-06-15
+            },
+            "tokenRequest": {
+                "ttl": 60
+            }
+        }
+
+        # Decoded headers for verification (anonymized)
+        self.decoded_headers = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+            "X-Amz-Date": "20250827T080719Z",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE12345/20250827/ap-south-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=examplesignature1234567890abcdefghijklmnopqrstuvwxyz",
+            "Content-Length": "43"
+        }
+
+    def test_invalid_json_payload(self):
+        """Test handling of malformed JSON payload"""
+        response = aws_iam_auth_logic(
+            b"invalid json",
+            None, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Invalid JSON", response.content)
+
+    def test_missing_account_id(self):
+        """Test handling of missing service account ID"""
+        payload = self.valid_payload.copy()
+        payload["account"]["id"] = None
+        
+        response = aws_iam_auth_logic(
+            json.dumps(payload).encode(),
+            None, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Only service account authentication supported", response.content)
+
+    def test_invalid_account_type(self):
+        """Test handling of invalid account type"""
+        payload = self.valid_payload.copy()
+        payload["account"]["type"] = "user"
+        
+        response = aws_iam_auth_logic(
+            json.dumps(payload).encode(),
+            None, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Only service account authentication supported", response.content)
+
+    def test_invalid_base64_encoding(self):
+        """Test handling of invalid base64 encoding in AWS IAM data"""
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestUrl"] = "invalid_base64!!!"
+        
+        response = aws_iam_auth_logic(
+            json.dumps(payload).encode(),
+            None, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Invalid awsIam request encoding", response.content)
+
+    def test_missing_amz_date_header(self):
+        """Test handling of missing X-Amz-Date header"""
+        headers_without_date = {
+            "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
+            "Authorization": "AWS4-HMAC-SHA256 Credential=...",
+            "Content-Length": "43"
+        }
+        encoded_headers = base64.b64encode(json.dumps(headers_without_date).encode()).decode()
+        
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
+        
+        response = aws_iam_auth_logic(
+            json.dumps(payload).encode(),
+            None, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Missing X-Amz-Date header", response.content)
+
+    def test_invalid_amz_date_format(self):
+        """Test handling of invalid X-Amz-Date format"""
+        headers_invalid_date = self.decoded_headers.copy()
+        headers_invalid_date["X-Amz-Date"] = "invalid-date-format"
+        encoded_headers = base64.b64encode(json.dumps(headers_invalid_date).encode()).decode()
+        
+        payload = self.valid_payload.copy()
+        payload["awsIam"]["httpRequestHeaders"] = encoded_headers
+        
+        response = aws_iam_auth_logic(
+            json.dumps(payload).encode(),
+            None, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Invalid X-Amz-Date", response.content)
+
+    def test_service_account_not_found(self):
+        """Test handling of non-existent service account"""
+        def mock_resolve_service_account(account_id):
+            return None
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 404)
+        self.assertIn("Service account not found", response.content)
+
+    def test_server_side_key_management_required(self):
+        """Test requirement for server-side key management"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = None  # No server-side keyring
+            return mock_service_account
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, None, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 403)
+        self.assertIn("Server-side key management must be enabled", response.content)
+
+    def test_no_aws_iam_identity_attached(self):
+        """Test handling of service account without AWS IAM identity"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            return None
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, None, None
+        )
+        
+        self.assertEqual(response.status_code, 404)
+        self.assertIn("No AWS IAM identity attached to this account", response.content)
+
+    def test_signature_expired(self):
+        """Test handling of expired signature"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {"signatureTtlSeconds": 60}
+            return mock_identity
+        
+        def mock_timezone_now():
+            # Mock current time to be way after X-Amz-Date (signature expired)
+            return datetime(2025, 8, 27, 10, 0, 0, tzinfo=timezone.utc)  # 2 hours later
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, None, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 401)
+        self.assertIn("Signature expired", response.content)
+
+    def test_sts_endpoint_mismatch(self):
+        """Test handling of STS endpoint mismatch"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.us-east-1.amazonaws.com"  # Different from request
+            }
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, None, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("STS endpoint mismatch", response.content)
+
+    def test_aws_sts_request_failure(self):
+        """Test handling of AWS STS request failure"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            raise Exception("Connection failed")
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 502)
+        self.assertIn("Failed to contact AWS STS", response.content)
+
+    def test_aws_sts_validation_failed(self):
+        """Test handling of AWS STS validation failure"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 403
+            return mock_response
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 401)
+        self.assertIn("AWS STS validation failed", response.content)
+
+    def test_unable_to_parse_aws_identity(self):
+        """Test handling of malformed AWS STS response"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.text = "<GetCallerIdentityResponse>Invalid</GetCallerIdentityResponse>"
+            return mock_response
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 500)
+        self.assertIn("Unable to parse AWS identity", response.content)
+
+    def test_wildcard_trusted_principal_rejected(self):
+        """Test rejection of wildcard trusted principal patterns"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            mock_identity.get_trusted_list.return_value = ["*"]  # Wildcard not allowed
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.text = self.valid_aws_response
+            return mock_response
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Invalid trusted principal pattern '*' is not allowed", response.content)
+
+    def test_untrusted_principal(self):
+        """Test rejection of untrusted AWS principal"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            # Principal in response doesn't match trusted patterns
+            mock_identity.get_trusted_list.return_value = [
+                "arn:aws:iam::111111111111:user/allowed-user"
+            ]
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.text = self.valid_aws_response
+            return mock_response
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 403)
+        self.assertIn("Untrusted principal", response.content)
+
+    def test_ttl_exceeds_maximum(self):
+        """Test handling of TTL request exceeding maximum allowed"""
+        payload = self.valid_payload.copy()
+        payload["tokenRequest"]["ttl"] = 100000  # Exceeds max TTL
+        
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            mock_identity.default_ttl_seconds = 3600
+            mock_identity.max_ttl_seconds = 86400  # 24 hours max
+            mock_identity.get_trusted_list.return_value = [
+                "arn:aws:iam::123456789012:user/test-*"
+            ]
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.text = self.valid_aws_response
+            return mock_response
+        
+        response = aws_iam_auth_logic(
+            json.dumps(payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, None, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("Requested TTL", response.content)
+        self.assertIn("exceeds maximum allowed TTL", response.content)
+
+    def test_token_minting_failure(self):
+        """Test handling of token minting failure"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            mock_identity.default_ttl_seconds = 3600
+            mock_identity.max_ttl_seconds = 86400
+            mock_identity.get_trusted_list.return_value = [
+                "arn:aws:iam::123456789012:user/test-*"
+            ]
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.text = self.valid_aws_response
+            return mock_response
+        
+        def mock_mint_token(service_account, identity, requested_ttl, token_name_fallback):
+            raise Exception("Token mint failed")
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, mock_mint_token, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 500)
+        self.assertIn("Failed to mint token", response.content)
+
+    def test_valid_authentication_success(self):
+        """Test successful AWS IAM authentication with valid request"""
+        def mock_resolve_service_account(account_id):
+            mock_service_account = MagicMock()
+            mock_service_account.server_wrapped_keyring = "encrypted_keyring_data"
+            return mock_service_account
+        
+        def mock_resolve_attached_identity(service_account, provider):
+            mock_identity = MagicMock()
+            mock_identity.config = {
+                "signatureTtlSeconds": 300,
+                "stsEndpoint": "https://sts.ap-south-1.amazonaws.com"
+            }
+            mock_identity.default_ttl_seconds = 3600
+            mock_identity.max_ttl_seconds = 86400
+            mock_identity.get_trusted_list.return_value = [
+                "arn:aws:iam::123456789012:user/test-*"
+            ]
+            return mock_identity
+        
+        def mock_timezone_now():
+            return datetime(2025, 8, 27, 8, 7, 30, tzinfo=timezone.utc)
+        
+        def mock_requests(method, url, headers=None, data=None):
+            mock_response = MagicMock()
+            mock_response.status_code = 200
+            mock_response.text = self.valid_aws_response
+            return mock_response
+        
+        def mock_mint_token(service_account, identity, requested_ttl, token_name_fallback):
+            return {
+                "tokenType": "ServiceAccount",
+                "token": "pss_service:v2:token123:pubkey:share:wrapkey",
+                "bearerToken": "ServiceAccount token123",
+                "TTL": 60,
+                "maxTTL": 86400
+            }
+        
+        response = aws_iam_auth_logic(
+            json.dumps(self.valid_payload).encode(),
+            mock_resolve_service_account, mock_resolve_attached_identity, mock_mint_token, mock_requests, mock_timezone_now
+        )
+        
+        self.assertEqual(response.status_code, 200)
+        response_data = json.loads(response.content)
+        self.assertIn("authentication", response_data)
+        self.assertEqual(response_data["authentication"]["tokenType"], "ServiceAccount")
+
+
+if __name__ == '__main__':
+    unittest.main()

From cd1bc801ef60fb451c452a1584ecc99cfcf582cc Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 14:44:50 +0530
Subject: [PATCH 57/80] feat: add initial identity and AWS identity modules

- Created new modules for identity management and AWS identity handling, laying the groundwork for future authentication and identity features.
- These modules will facilitate the implementation of identity-related functionalities in the backend API.
---
 backend/api/views/identities/__init__.py     | 0
 backend/api/views/identities/aws/__init__.py | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 backend/api/views/identities/__init__.py
 create mode 100644 backend/api/views/identities/aws/__init__.py

diff --git a/backend/api/views/identities/__init__.py b/backend/api/views/identities/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/api/views/identities/aws/__init__.py b/backend/api/views/identities/aws/__init__.py
new file mode 100644
index 000000000..e69de29bb

From 933972ce2f0e7437a5eb3aae31daa07a8c85222d Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 14:53:39 +0530
Subject: [PATCH 58/80] fix: init modules

---
 backend/tests/utils/__init__.py         | 0
 backend/tests/utils/syncing/__init__.py | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 backend/tests/utils/__init__.py
 create mode 100644 backend/tests/utils/syncing/__init__.py

diff --git a/backend/tests/utils/__init__.py b/backend/tests/utils/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/backend/tests/utils/syncing/__init__.py b/backend/tests/utils/syncing/__init__.py
new file mode 100644
index 000000000..e69de29bb

From 78685f43e08b9968d7ad24678ab78488e7843de5 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 15:36:22 +0530
Subject: [PATCH 59/80] refactor: rename identity mutation operations for
 consistency

- Updated mutation names for creating, deleting, and updating identities to include "Ext" prefix, enhancing clarity and consistency in the identity management module.
---
 frontend/graphql/mutations/identities/createIdentity.gql | 2 +-
 frontend/graphql/mutations/identities/deleteIdentity.gql | 2 +-
 frontend/graphql/mutations/identities/updateIdentity.gql | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/graphql/mutations/identities/createIdentity.gql b/frontend/graphql/mutations/identities/createIdentity.gql
index 31be99b2d..542c797a2 100644
--- a/frontend/graphql/mutations/identities/createIdentity.gql
+++ b/frontend/graphql/mutations/identities/createIdentity.gql
@@ -1,4 +1,4 @@
-mutation CreateIdentity(
+mutation CreateExtIdentity(
   $organisationId: ID!
   $provider: String!
   $name: String!
diff --git a/frontend/graphql/mutations/identities/deleteIdentity.gql b/frontend/graphql/mutations/identities/deleteIdentity.gql
index 17b0a3ed1..548889c4a 100644
--- a/frontend/graphql/mutations/identities/deleteIdentity.gql
+++ b/frontend/graphql/mutations/identities/deleteIdentity.gql
@@ -1,4 +1,4 @@
-mutation DeleteIdentity($id: ID!) {
+mutation DeleteExtIdentity($id: ID!) {
   deleteIdentity(id: $id) {
     ok
   }
diff --git a/frontend/graphql/mutations/identities/updateIdentity.gql b/frontend/graphql/mutations/identities/updateIdentity.gql
index 7ba379c80..727e17d7d 100644
--- a/frontend/graphql/mutations/identities/updateIdentity.gql
+++ b/frontend/graphql/mutations/identities/updateIdentity.gql
@@ -1,4 +1,4 @@
-mutation UpdateIdentity(
+mutation UpdateExtIdentity(
   $id: ID!
   $name: String
   $description: String

From cc660ad4e90513e1859d824663faf90e16ef4eea Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 15:36:41 +0530
Subject: [PATCH 60/80] refactor: update identity mutation operations to
 include "Ext" prefix

- Renamed mutation operations for creating, deleting, and updating identities to include the "Ext" prefix, enhancing clarity and consistency in the identity management module.
- Updated corresponding types and documents to reflect these changes.
---
 frontend/apollo/gql.ts     | 12 ++++++------
 frontend/apollo/graphql.ts | 18 +++++++++---------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/frontend/apollo/gql.ts b/frontend/apollo/gql.ts
index 39316dbc4..fea46e9a5 100644
--- a/frontend/apollo/gql.ts
+++ b/frontend/apollo/gql.ts
@@ -55,9 +55,9 @@ const documents = {
     "mutation RenameEnv($environmentId: ID!, $name: String!) {\n  renameEnvironment(environmentId: $environmentId, name: $name) {\n    environment {\n      id\n      name\n      updatedAt\n    }\n  }\n}": types.RenameEnvDocument,
     "mutation CreateSharedSecret($input: LockboxInput!) {\n  createLockbox(input: $input) {\n    lockbox {\n      id\n      allowedViews\n      expiresAt\n    }\n  }\n}": types.CreateSharedSecretDocument,
     "mutation SwapEnvOrder($environment1Id: ID!, $environment2Id: ID!) {\n  swapEnvironmentOrder(\n    environment1Id: $environment1Id\n    environment2Id: $environment2Id\n  ) {\n    ok\n  }\n}": types.SwapEnvOrderDocument,
-    "mutation CreateIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateIdentityDocument,
-    "mutation DeleteIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": types.DeleteIdentityDocument,
-    "mutation UpdateIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateIdentityDocument,
+    "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.CreateExtIdentityDocument,
+    "mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}": types.DeleteExtIdentityDocument,
+    "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}": types.UpdateExtIdentityDocument,
     "mutation AcceptOrganisationInvite($orgId: ID!, $identityKey: String!, $wrappedKeyring: String!, $wrappedRecovery: String!, $inviteId: ID!) {\n  createOrganisationMember(\n    orgId: $orgId\n    identityKey: $identityKey\n    wrappedKeyring: $wrappedKeyring\n    wrappedRecovery: $wrappedRecovery\n    inviteId: $inviteId\n  ) {\n    orgMember {\n      id\n      email\n      createdAt\n      role {\n        name\n      }\n    }\n  }\n}": types.AcceptOrganisationInviteDocument,
     "mutation BulkInviteMembers($orgId: ID!, $invites: [InviteInput!]!) {\n  bulkInviteOrganisationMembers(orgId: $orgId, invites: $invites) {\n    invites {\n      id\n      inviteeEmail\n      expiresAt\n    }\n  }\n}": types.BulkInviteMembersDocument,
     "mutation DeleteOrgInvite($inviteId: ID!) {\n  deleteInvitation(inviteId: $inviteId) {\n    ok\n  }\n}": types.DeleteOrgInviteDocument,
@@ -342,15 +342,15 @@ export function graphql(source: "mutation SwapEnvOrder($environment1Id: ID!, $en
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation CreateIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+export function graphql(source: "mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation CreateExtIdentity($organisationId: ID!, $provider: String!, $name: String!, $description: String, $trustedPrincipals: String!, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int!, $maxTtlSeconds: Int!) {\n  createIdentity(\n    organisationId: $organisationId\n    provider: $provider\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      provider\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation DeleteIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}"];
+export function graphql(source: "mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}"): (typeof documents)["mutation DeleteExtIdentity($id: ID!) {\n  deleteIdentity(id: $id) {\n    ok\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
-export function graphql(source: "mutation UpdateIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
+export function graphql(source: "mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"): (typeof documents)["mutation UpdateExtIdentity($id: ID!, $name: String, $description: String, $trustedPrincipals: String, $signatureTtlSeconds: Int, $stsEndpoint: String, $tokenNamePattern: String, $defaultTtlSeconds: Int, $maxTtlSeconds: Int) {\n  updateIdentity(\n    id: $id\n    name: $name\n    description: $description\n    trustedPrincipals: $trustedPrincipals\n    signatureTtlSeconds: $signatureTtlSeconds\n    stsEndpoint: $stsEndpoint\n    tokenNamePattern: $tokenNamePattern\n    defaultTtlSeconds: $defaultTtlSeconds\n    maxTtlSeconds: $maxTtlSeconds\n  ) {\n    identity {\n      id\n      name\n      description\n      config {\n        ... on AwsIamConfigType {\n          trustedPrincipals\n          signatureTtlSeconds\n          stsEndpoint\n        }\n      }\n      tokenNamePattern\n      defaultTtlSeconds\n      maxTtlSeconds\n    }\n  }\n}"];
 /**
  * The graphql function is used to parse GraphQL queries into a document that can be used by GraphQL clients.
  */
diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index cdaa78ed7..d4a2d1860 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -2652,7 +2652,7 @@ export type SwapEnvOrderMutationVariables = Exact<{
 
 export type SwapEnvOrderMutation = { __typename?: 'Mutation', swapEnvironmentOrder?: { __typename?: 'SwapEnvironmentOrderMutation', ok?: boolean | null } | null };
 
-export type CreateIdentityMutationVariables = Exact<{
+export type CreateExtIdentityMutationVariables = Exact<{
   organisationId: Scalars['ID']['input'];
   provider: Scalars['String']['input'];
   name: Scalars['String']['input'];
@@ -2666,16 +2666,16 @@ export type CreateIdentityMutationVariables = Exact<{
 }>;
 
 
-export type CreateIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
+export type CreateExtIdentityMutation = { __typename?: 'Mutation', createIdentity?: { __typename?: 'CreateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, provider: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
 
-export type DeleteIdentityMutationVariables = Exact<{
+export type DeleteExtIdentityMutationVariables = Exact<{
   id: Scalars['ID']['input'];
 }>;
 
 
-export type DeleteIdentityMutation = { __typename?: 'Mutation', deleteIdentity?: { __typename?: 'DeleteIdentityMutation', ok?: boolean | null } | null };
+export type DeleteExtIdentityMutation = { __typename?: 'Mutation', deleteIdentity?: { __typename?: 'DeleteIdentityMutation', ok?: boolean | null } | null };
 
-export type UpdateIdentityMutationVariables = Exact<{
+export type UpdateExtIdentityMutationVariables = Exact<{
   id: Scalars['ID']['input'];
   name?: InputMaybe<Scalars['String']['input']>;
   description?: InputMaybe<Scalars['String']['input']>;
@@ -2688,7 +2688,7 @@ export type UpdateIdentityMutationVariables = Exact<{
 }>;
 
 
-export type UpdateIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
+export type UpdateExtIdentityMutation = { __typename?: 'Mutation', updateIdentity?: { __typename?: 'UpdateIdentityMutation', identity?: { __typename?: 'IdentityType', id: string, name: string, description?: string | null, tokenNamePattern?: string | null, defaultTtlSeconds: number, maxTtlSeconds: number, config?: { __typename?: 'AwsIamConfigType', trustedPrincipals?: Array<string | null> | null, signatureTtlSeconds?: number | null, stsEndpoint?: string | null } | null } | null } | null };
 
 export type AcceptOrganisationInviteMutationVariables = Exact<{
   orgId: Scalars['ID']['input'];
@@ -3512,9 +3512,9 @@ export const RemovePersonalSecretDocument = {"kind":"Document","definitions":[{"
 export const RenameEnvDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"RenameEnv"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"renameEnvironment"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environmentId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environmentId"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"environment"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"updatedAt"}}]}}]}}]}}]} as unknown as DocumentNode<RenameEnvMutation, RenameEnvMutationVariables>;
 export const CreateSharedSecretDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateSharedSecret"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"input"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"LockboxInput"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createLockbox"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"input"},"value":{"kind":"Variable","name":{"kind":"Name","value":"input"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"lockbox"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"allowedViews"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<CreateSharedSecretMutation, CreateSharedSecretMutationVariables>;
 export const SwapEnvOrderDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"SwapEnvOrder"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment1Id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"environment2Id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"swapEnvironmentOrder"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"environment1Id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment1Id"}}},{"kind":"Argument","name":{"kind":"Name","value":"environment2Id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"environment2Id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<SwapEnvOrderMutation, SwapEnvOrderMutationVariables>;
-export const CreateIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateIdentityMutation, CreateIdentityMutationVariables>;
-export const DeleteIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteIdentityMutation, DeleteIdentityMutationVariables>;
-export const UpdateIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateIdentityMutation, UpdateIdentityMutationVariables>;
+export const CreateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"CreateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"provider"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"organisationId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"organisationId"}}},{"kind":"Argument","name":{"kind":"Name","value":"provider"},"value":{"kind":"Variable","name":{"kind":"Name","value":"provider"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"provider"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<CreateExtIdentityMutation, CreateExtIdentityMutationVariables>;
+export const DeleteExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteExtIdentityMutation, DeleteExtIdentityMutationVariables>;
+export const UpdateExtIdentityDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"UpdateExtIdentity"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"id"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"name"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"description"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}},"type":{"kind":"NamedType","name":{"kind":"Name","value":"Int"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"updateIdentity"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"id"},"value":{"kind":"Variable","name":{"kind":"Name","value":"id"}}},{"kind":"Argument","name":{"kind":"Name","value":"name"},"value":{"kind":"Variable","name":{"kind":"Name","value":"name"}}},{"kind":"Argument","name":{"kind":"Name","value":"description"},"value":{"kind":"Variable","name":{"kind":"Name","value":"description"}}},{"kind":"Argument","name":{"kind":"Name","value":"trustedPrincipals"},"value":{"kind":"Variable","name":{"kind":"Name","value":"trustedPrincipals"}}},{"kind":"Argument","name":{"kind":"Name","value":"signatureTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"signatureTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"stsEndpoint"},"value":{"kind":"Variable","name":{"kind":"Name","value":"stsEndpoint"}}},{"kind":"Argument","name":{"kind":"Name","value":"tokenNamePattern"},"value":{"kind":"Variable","name":{"kind":"Name","value":"tokenNamePattern"}}},{"kind":"Argument","name":{"kind":"Name","value":"defaultTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"defaultTtlSeconds"}}},{"kind":"Argument","name":{"kind":"Name","value":"maxTtlSeconds"},"value":{"kind":"Variable","name":{"kind":"Name","value":"maxTtlSeconds"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"identity"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"name"}},{"kind":"Field","name":{"kind":"Name","value":"description"}},{"kind":"Field","name":{"kind":"Name","value":"config"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"InlineFragment","typeCondition":{"kind":"NamedType","name":{"kind":"Name","value":"AwsIamConfigType"}},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"trustedPrincipals"}},{"kind":"Field","name":{"kind":"Name","value":"signatureTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"stsEndpoint"}}]}}]}},{"kind":"Field","name":{"kind":"Name","value":"tokenNamePattern"}},{"kind":"Field","name":{"kind":"Name","value":"defaultTtlSeconds"}},{"kind":"Field","name":{"kind":"Name","value":"maxTtlSeconds"}}]}}]}}]}}]} as unknown as DocumentNode<UpdateExtIdentityMutation, UpdateExtIdentityMutationVariables>;
 export const AcceptOrganisationInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"AcceptOrganisationInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"String"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"createOrganisationMember"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"identityKey"},"value":{"kind":"Variable","name":{"kind":"Name","value":"identityKey"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedKeyring"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedKeyring"}}},{"kind":"Argument","name":{"kind":"Name","value":"wrappedRecovery"},"value":{"kind":"Variable","name":{"kind":"Name","value":"wrappedRecovery"}}},{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"orgMember"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"email"}},{"kind":"Field","name":{"kind":"Name","value":"createdAt"}},{"kind":"Field","name":{"kind":"Name","value":"role"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"name"}}]}}]}}]}}]}}]} as unknown as DocumentNode<AcceptOrganisationInviteMutation, AcceptOrganisationInviteMutationVariables>;
 export const BulkInviteMembersDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"BulkInviteMembers"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}},{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"invites"}},"type":{"kind":"NonNullType","type":{"kind":"ListType","type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"InviteInput"}}}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"bulkInviteOrganisationMembers"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"orgId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"orgId"}}},{"kind":"Argument","name":{"kind":"Name","value":"invites"},"value":{"kind":"Variable","name":{"kind":"Name","value":"invites"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"invites"},"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"id"}},{"kind":"Field","name":{"kind":"Name","value":"inviteeEmail"}},{"kind":"Field","name":{"kind":"Name","value":"expiresAt"}}]}}]}}]}}]} as unknown as DocumentNode<BulkInviteMembersMutation, BulkInviteMembersMutationVariables>;
 export const DeleteOrgInviteDocument = {"kind":"Document","definitions":[{"kind":"OperationDefinition","operation":"mutation","name":{"kind":"Name","value":"DeleteOrgInvite"},"variableDefinitions":[{"kind":"VariableDefinition","variable":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}},"type":{"kind":"NonNullType","type":{"kind":"NamedType","name":{"kind":"Name","value":"ID"}}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"deleteInvitation"},"arguments":[{"kind":"Argument","name":{"kind":"Name","value":"inviteId"},"value":{"kind":"Variable","name":{"kind":"Name","value":"inviteId"}}}],"selectionSet":{"kind":"SelectionSet","selections":[{"kind":"Field","name":{"kind":"Name","value":"ok"}}]}}]}}]} as unknown as DocumentNode<DeleteOrgInviteMutation, DeleteOrgInviteMutationVariables>;

From 65037747b892e1a8f55f9cd7e86f9ee129b17385 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 16:20:24 +0530
Subject: [PATCH 61/80] fix: use configured STS endpoint instead of user
 supploed

---
 backend/api/views/identities/aws/iam.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/api/views/identities/aws/iam.py b/backend/api/views/identities/aws/iam.py
index 16b2b5d71..41fd8e794 100644
--- a/backend/api/views/identities/aws/iam.py
+++ b/backend/api/views/identities/aws/iam.py
@@ -104,7 +104,7 @@ def aws_iam_auth(request):
 
     # Forward the signed request to AWS STS
     try:
-        resp = requests.request(method, url, headers=headers, data=body)
+        resp = requests.request(method, configured, headers=headers, data=body)
     except Exception:
         return JsonResponse({"error": "Failed to contact AWS STS"}, status=502)
 

From 9d21dbc12e358f78f28c349e3157270b042019f8 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 16:43:35 +0530
Subject: [PATCH 62/80] feat: robust xml parsing from aws response

---
 backend/api/views/identities/aws/iam.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/backend/api/views/identities/aws/iam.py b/backend/api/views/identities/aws/iam.py
index 41fd8e794..2a8c982c7 100644
--- a/backend/api/views/identities/aws/iam.py
+++ b/backend/api/views/identities/aws/iam.py
@@ -1,9 +1,10 @@
 import base64
 import json
-import re
+from io import StringIO
 from urllib.parse import urlparse
 
 import requests
+from defusedxml.ElementTree import parse
 from django.http import JsonResponse
 from django.utils import timezone
 from rest_framework.decorators import api_view, permission_classes
@@ -111,14 +112,20 @@ def aws_iam_auth(request):
     if resp.status_code != 200:
         return JsonResponse({"error": "AWS STS validation failed", "status": resp.status_code}, status=401)
 
-    # Parse minimal identity info from XML
     arn = None
     try:
-        m = re.search(r"<Arn>([^<]+)</Arn>", resp.text)
-        if m:
-            arn = m.group(1)
+        xml_root = parse(StringIO(resp.text))
+        
+        # AWS STS namespace
+        ns = {"aws": "https://sts.amazonaws.com/doc/2011-06-15/"}
+        
+        # Find the ARN element in the GetCallerIdentityResult
+        arn_element = xml_root.find(".//aws:GetCallerIdentityResult/aws:Arn", ns)
+        if arn_element is not None and arn_element.text:
+            arn = arn_element.text.strip()
     except Exception:
         pass
+
     if arn is None:
         return JsonResponse({"error": "Unable to parse AWS identity"}, status=500)
 

From 108cd3902594c57a6e39d66e05f665ec68a52ad4 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 17:36:50 +0530
Subject: [PATCH 63/80] feat: updated titles and descriptions for server-side
 key management

---
 .../_components/ServiceAccountIdentities.tsx          | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
index 25239b77e..281d44bd0 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
@@ -16,7 +16,7 @@ import { toast } from 'react-toastify'
 import { KeyManagementDialog } from '@/components/service-accounts/KeyManagementDialog'
 import UpdateServiceAccount from '@/graphql/mutations/service-accounts/updateServiceAccount.gql'
 import { TbLockShare } from 'react-icons/tb'
-import { FaPlus, FaSearch, FaTimesCircle, FaServer } from 'react-icons/fa'
+import { FaSearch, FaTimesCircle, FaServer } from 'react-icons/fa'
 import clsx from 'clsx'
 
 export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountType }) => {
@@ -76,9 +76,14 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
   if (!account.serverSideKeyManagementEnabled) {
     return (
       <div className="py-8">
+        {/* Server-side key management is required state */}
+        <div className="text-xl font-semibold mb-2">External Identities</div>
+        <div className="text-neutral-500 mb-4">
+          Manage which external identities are trusted for this account
+        </div>
         <EmptyState
           title="Enable server-side key management"
-          subtitle="Identities require server-side key management to be enabled to mint tokens automatically."
+          subtitle="External identities require server-side key management to manage access tokens for Service Accounts."
           graphic={
             <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
               <FaServer />
@@ -95,7 +100,7 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
     <div className="py-4">
       <div className="space-y-2">
         <div className="space-y-1">
-          <div className="text-xl font-semibold">Identities</div>
+          <div className="text-xl font-semibold">External Identities</div>
           <div className="flex items-center justify-between">
             <div className="text-neutral-500">
               Manage which external identities are trusted for this account

From 7f16837eb9ece4ac8f8041ca32600056c0d69555 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Wed, 27 Aug 2025 21:28:04 +0530
Subject: [PATCH 64/80] chore: remove global legacy sts endpoint list insertion

---
 backend/api/utils/identity/aws.py | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/backend/api/utils/identity/aws.py b/backend/api/utils/identity/aws.py
index 80cabef45..3290715a3 100644
--- a/backend/api/utils/identity/aws.py
+++ b/backend/api/utils/identity/aws.py
@@ -30,14 +30,4 @@ def list_sts_endpoints():
                 }
             )
 
-    # Add global legacy first
-    # results.insert(
-    #     0,
-    #     {
-    #         "regionCode": None,
-    #         "regionName": "Global (Legacy)",
-    #         "endpoint": "https://sts.amazonaws.com",
-    #     },
-    # )
-
     return results

From fa5b4308b4e2b38b1ffbbe96eb6a865217ff8979 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 26 Sep 2025 12:43:29 +0530
Subject: [PATCH 65/80] refactor: external identity crud

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../app/[team]/access/identities/page.tsx     | 155 ++---
 .../identities/AddNewIdentityDialog.tsx       |  83 +++
 .../identities/IdentityProviderSelector.tsx   | 108 ---
 .../components/identities/ProviderCards.tsx   |   4 +-
 .../DeleteExternalIdentityDialog.tsx          |  78 +++
 .../providers/EditExternalIdentityDialog.tsx  |  58 ++
 .../identities/providers/aws/iam.tsx          | 649 ++++++++----------
 7 files changed, 555 insertions(+), 580 deletions(-)
 create mode 100644 frontend/components/identities/AddNewIdentityDialog.tsx
 delete mode 100644 frontend/components/identities/IdentityProviderSelector.tsx
 create mode 100644 frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx
 create mode 100644 frontend/components/identities/providers/EditExternalIdentityDialog.tsx

diff --git a/frontend/app/[team]/access/identities/page.tsx b/frontend/app/[team]/access/identities/page.tsx
index 9fcd07e77..f9d5fac9f 100644
--- a/frontend/app/[team]/access/identities/page.tsx
+++ b/frontend/app/[team]/access/identities/page.tsx
@@ -1,37 +1,24 @@
 'use client'
 
-import { useContext, useState } from 'react'
+import { useContext, useState, useRef, useEffect } from 'react'
 import { organisationContext } from '@/contexts/organisationContext'
 import { userHasPermission } from '@/utils/access/permissions'
-import { useMutation, useQuery } from '@apollo/client'
+import { useQuery } from '@apollo/client'
 import GetOrganisationIdentities from '@/graphql/queries/identities/getOrganisationIdentities.gql'
-import DeleteIdentity from '@/graphql/mutations/identities/deleteIdentity.gql'
 import { Button } from '@/components/common/Button'
 import { ProviderIcon } from '@/components/syncing/ProviderIcon'
-import { FaPlus, FaTrashAlt, FaEdit, FaBan } from 'react-icons/fa'
+import { FaPlus, FaEdit, FaBan } from 'react-icons/fa'
 import { EmptyState } from '@/components/common/EmptyState'
-import { toast } from 'react-toastify'
-import { IdentityProviderSelector } from '@/components/identities/IdentityProviderSelector'
-import { AwsIamIdentityDialog } from '@/components/identities/providers/aws/iam'
+import { AddNewIdentityDialog } from '@/components/identities/AddNewIdentityDialog'
+
 import { ProviderCards } from '@/components/identities/ProviderCards'
 import GetIdentityProviders from '@/graphql/queries/identities/getIdentityProviders.gql'
-
-type AwsIamConfig = {
-  trustedPrincipals: string[]
-  signatureTtlSeconds: number
-  stsEndpoint: string
-}
-
-type Identity = {
-  id: string
-  provider: string
-  name: string
-  description?: string | null
-  config: AwsIamConfig
-  tokenNamePattern?: string | null
-  defaultTtlSeconds: number
-  maxTtlSeconds: number
-}
+import { AwsIamIdentityForm } from '@/components/identities/providers/aws/iam'
+import GenericDialog from '@/components/common/GenericDialog'
+import { TbLockShare } from 'react-icons/tb'
+import { DeleteExternalIdentityDialog } from '@/components/identities/providers/DeleteExternalIdentityDialog'
+import { IdentityType } from '@/apollo/graphql'
+import { EditExternalIdentityDialog } from '@/components/identities/providers/EditExternalIdentityDialog'
 
 export default function IdentityPage() {
   const { activeOrganisation: organisation } = useContext(organisationContext)
@@ -46,9 +33,6 @@ export default function IdentityPage() {
   const canUpdateIdentities = organisation
     ? userHasPermission(organisation.role!.permissions, 'Identities', 'update')
     : false
-  const canDeleteIdentities = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Identities', 'delete')
-    : false
 
   const { data, refetch } = useQuery(GetOrganisationIdentities, {
     variables: { organisationId: organisation?.id },
@@ -58,41 +42,38 @@ export default function IdentityPage() {
 
   const { data: providersData } = useQuery(GetIdentityProviders)
 
-  const [deleteIdentity, { loading: deleting }] = useMutation(DeleteIdentity)
+  const [selectedProvider, setSelectedProvider] = useState<string | null>(null)
 
-  const [providerSelectorOpen, setProviderSelectorOpen] = useState(false)
+  const awsEditDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+  const createDialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
   const [awsEditDialogOpen, setAwsEditDialogOpen] = useState(false)
-  const [editingIdentity, setEditingIdentity] = useState<Identity | null>(null)
+  const [editingIdentity, setEditingIdentity] = useState<IdentityType | null>(null)
 
-  const identities: Identity[] = data?.identities ?? []
+  const identities: IdentityType[] = data?.identities ?? []
   const identityProviders = providersData?.identityProviders ?? []
 
+  const openCreateIdentityDialog = () => createDialogRef.current?.openModal()
+
+  // Effect to open dialog when awsEditDialogOpen changes
+  useEffect(() => {
+    if (awsEditDialogOpen && awsEditDialogRef.current) {
+      awsEditDialogRef.current.openModal()
+    }
+  }, [awsEditDialogOpen])
+
   // Helper function to get provider info by ID
   const getProviderInfo = (providerId: string) => {
     const provider = identityProviders.find((p: any) => p.id === providerId)
     return provider || { name: providerId, iconId: 'unknown' }
   }
 
-  const handleCreateIdentity = () => {
-    if (!canCreateIdentities) return
-    // If no identities exist, direct provider selection isn't needed as cards are visible
-    // If identities exist, show provider selector modal
-    if (identities.length > 0) {
-      setProviderSelectorOpen(true)
-    }
-  }
-
   const handleProviderSelect = (providerId: string) => {
     setEditingIdentity(null) // Ensure we're creating, not editing
-    if (providerId === 'aws_iam') {
-      setAwsEditDialogOpen(true)
-    }
-    // Future providers can be handled here
-    // Close provider selector if it was open
-    setProviderSelectorOpen(false)
+    setSelectedProvider(providerId)
+    openCreateIdentityDialog()
   }
 
-  const handleEditIdentity = (identity: Identity) => {
+  const handleEditIdentity = (identity: IdentityType) => {
     if (!canUpdateIdentities) return
     setEditingIdentity(identity)
     if (identity.provider === 'aws_iam') {
@@ -101,33 +82,16 @@ export default function IdentityPage() {
   }
 
   const handleProviderSelectorSuccess = () => {
-    setProviderSelectorOpen(false)
     refetch()
   }
 
   const handleAwsEditSuccess = () => {
     setAwsEditDialogOpen(false)
     setEditingIdentity(null)
+    awsEditDialogRef.current?.closeModal()
     refetch()
   }
 
-  const handleDelete = async (id: string) => {
-    if (!canDeleteIdentities) return
-    const ok = window.confirm('Delete this identity? This cannot be undone.')
-    if (!ok) return
-    try {
-      await deleteIdentity({
-        variables: { id },
-        refetchQueries: [
-          { query: GetOrganisationIdentities, variables: { organisationId: organisation?.id } },
-        ],
-      })
-      toast.success('Identity deleted')
-    } catch (e) {
-      toast.error('Failed to delete identity')
-    }
-  }
-
   // Early return if no read permission
   if (!canReadIdentities) {
     return (
@@ -159,7 +123,9 @@ export default function IdentityPage() {
             </div>
           </div>
           {canCreateIdentities ? (
-            <ProviderCards onProviderSelect={handleProviderSelect} />
+            <div className="grid grid-cols-1 sm:grid-cols-2 xl:grid-cols-4 gap-8">
+              <ProviderCards onProviderSelect={handleProviderSelect} />
+            </div>
           ) : (
             <EmptyState
               title="Access restricted"
@@ -183,8 +149,8 @@ export default function IdentityPage() {
           <div className="space-y-4">
             {canCreateIdentities && (
               <div className="flex justify-end">
-                <Button variant="primary" onClick={handleCreateIdentity}>
-                  <FaPlus /> Add identity
+                <Button onClick={openCreateIdentityDialog}>
+                  <FaPlus /> Add Identity Provider
                 </Button>
               </div>
             )}
@@ -204,7 +170,7 @@ export default function IdentityPage() {
                   </tr>
                 </thead>
                 <tbody className="divide-y divide-zinc-500/20">
-                  {identities.map((idn: Identity) => {
+                  {identities.map((idn: IdentityType) => {
                     const providerInfo = getProviderInfo(idn.provider)
                     return (
                       <tr key={idn.id} className="group">
@@ -214,35 +180,16 @@ export default function IdentityPage() {
                           </div>
                           {providerInfo.name}
                         </td>
-                        <td className="px-6 py-4">
-                          <button
-                            className="text-left font-medium text-zinc-900 dark:text-zinc-100 hover:underline"
-                            onClick={() => handleEditIdentity(idn)}
-                          >
-                            {idn.name}
-                          </button>
+                        <td className="px-6 py-4 text-zinc-900 dark:text-zinc-100 font-medium">
+                          {idn.name}
                         </td>
                         <td className="px-6 py-4 text-neutral-500 max-w-xl truncate">
                           {idn.description}
                         </td>
                         <td className="px-6 py-4 flex items-center justify-end gap-2">
                           <div className="opacity-0 group-hover:opacity-100 transition ease flex gap-2">
-                            {canUpdateIdentities && (
-                              <Button variant="secondary" onClick={() => handleEditIdentity(idn)}>
-                                <FaEdit /> Edit identity
-                              </Button>
-                            )}
-                            {canDeleteIdentities && (
-                              <Button
-                                variant="danger"
-                                onClick={(e) => {
-                                  e.preventDefault()
-                                  void handleDelete(idn.id)
-                                }}
-                              >
-                                <FaTrashAlt /> Delete
-                              </Button>
-                            )}
+                            {canUpdateIdentities && <EditExternalIdentityDialog identity={idn} />}
+                            <DeleteExternalIdentityDialog identity={idn} />
                           </div>
                         </td>
                       </tr>
@@ -255,25 +202,29 @@ export default function IdentityPage() {
         </div>
       )}
 
-      {/* Identity Provider Selector */}
-      <IdentityProviderSelector
-        isOpen={providerSelectorOpen}
-        onClose={() => setProviderSelectorOpen(false)}
+      <AddNewIdentityDialog
+        ref={createDialogRef}
+        preSelectedProvider={selectedProvider}
         organisationId={organisation?.id || ''}
         onSuccess={handleProviderSelectorSuccess}
       />
 
       {/* AWS IAM Edit Dialog */}
-      <AwsIamIdentityDialog
-        isOpen={awsEditDialogOpen}
+      <GenericDialog
+        ref={awsEditDialogRef}
+        title="Edit AWS IAM Identity"
+        size="lg"
         onClose={() => {
           setAwsEditDialogOpen(false)
           setEditingIdentity(null)
         }}
-        organisationId={organisation?.id || ''}
-        identity={editingIdentity}
-        onSuccess={handleAwsEditSuccess}
-      />
+      >
+        <AwsIamIdentityForm
+          organisationId={organisation?.id || ''}
+          identity={editingIdentity}
+          onSuccess={handleAwsEditSuccess}
+        />
+      </GenericDialog>
     </section>
   )
 }
diff --git a/frontend/components/identities/AddNewIdentityDialog.tsx b/frontend/components/identities/AddNewIdentityDialog.tsx
new file mode 100644
index 000000000..53cfea5c6
--- /dev/null
+++ b/frontend/components/identities/AddNewIdentityDialog.tsx
@@ -0,0 +1,83 @@
+import { useState, forwardRef, useImperativeHandle, useRef, useEffect } from 'react'
+
+import { FaPlus } from 'react-icons/fa'
+import { AwsIamIdentityForm } from './providers/aws/iam'
+import { ProviderCards } from './ProviderCards'
+import GenericDialog from '../common/GenericDialog'
+import { set } from 'lodash'
+
+interface AddNewIdentityDialogProps {
+  organisationId: string
+  onSuccess: () => void
+  preSelectedProvider?: string | null
+}
+
+export const AddNewIdentityDialog = forwardRef<
+  { openModal: () => void; closeModal: () => void },
+  AddNewIdentityDialogProps
+>(({ organisationId, onSuccess, preSelectedProvider = null }, ref) => {
+  const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+  const [selectedProvider, setSelectedProvider] = useState<string | null>(preSelectedProvider)
+
+  useImperativeHandle(ref, () => ({
+    openModal: () => dialogRef.current?.openModal(),
+    closeModal: () => dialogRef.current?.closeModal(),
+  }))
+
+  useEffect(() => {
+    if (preSelectedProvider) setSelectedProvider(preSelectedProvider)
+  }, [preSelectedProvider])
+
+  const handleProviderSelect = (providerId: string) => {
+    setSelectedProvider(providerId)
+  }
+
+  const handleSuccess = () => {
+    setSelectedProvider(null)
+    dialogRef.current?.closeModal()
+    onSuccess()
+  }
+
+  const handleBack = () => {
+    setSelectedProvider(null)
+  }
+
+  const handleDialogClose = () => {
+    setSelectedProvider(null)
+  }
+
+  return (
+    <GenericDialog
+      ref={dialogRef}
+      title="Add Identity Provider"
+      size="lg"
+      onClose={handleDialogClose}
+      dialogTitle={
+        <div>
+          <h3>Add Identity Provider</h3>
+        </div>
+      }
+    >
+      <div className="space-y-8 pt-">
+        <div className="text-neutral-500 text-sm">
+          {selectedProvider
+            ? 'Configure your identity provider'
+            : 'Select a provider below to create a new identity.'}
+        </div>
+        {!selectedProvider ? (
+          <div className="grid grid-cols-1 sm:grid-cols-2 gap-8">
+            <ProviderCards onProviderSelect={handleProviderSelect} />
+          </div>
+        ) : selectedProvider === 'aws_iam' ? (
+          <AwsIamIdentityForm
+            organisationId={organisationId}
+            onSuccess={handleSuccess}
+            onBack={handleBack}
+          />
+        ) : null}
+      </div>
+    </GenericDialog>
+  )
+})
+
+AddNewIdentityDialog.displayName = 'AddNewIdentityDialog'
diff --git a/frontend/components/identities/IdentityProviderSelector.tsx b/frontend/components/identities/IdentityProviderSelector.tsx
deleted file mode 100644
index 836abf774..000000000
--- a/frontend/components/identities/IdentityProviderSelector.tsx
+++ /dev/null
@@ -1,108 +0,0 @@
-import { useState } from 'react'
-import { Dialog, Transition } from '@headlessui/react'
-import { Fragment } from 'react'
-import { Button } from '../common/Button'
-import { FaTimes } from 'react-icons/fa'
-import { AwsIamIdentityDialog } from './providers/aws/iam'
-import { ProviderCards } from './ProviderCards'
-
-interface IdentityProviderSelectorProps {
-  isOpen: boolean
-  onClose: () => void
-  organisationId: string
-  onSuccess: () => void
-}
-
-export const IdentityProviderSelector = ({
-  isOpen,
-  onClose,
-  organisationId,
-  onSuccess,
-}: IdentityProviderSelectorProps) => {
-  const [selectedProvider, setSelectedProvider] = useState<string | null>(null)
-  const [awsIamDialogOpen, setAwsIamDialogOpen] = useState(false)
-
-  const handleProviderSelect = (providerId: string) => {
-    setSelectedProvider(providerId)
-    if (providerId === 'aws_iam') {
-      setAwsIamDialogOpen(true)
-      onClose()
-    }
-    // Future providers can be handled here
-  }
-
-  const handleAwsIamSuccess = () => {
-    setAwsIamDialogOpen(false)
-    setSelectedProvider(null)
-    onSuccess()
-  }
-
-  const handleAwsIamClose = () => {
-    setAwsIamDialogOpen(false)
-    setSelectedProvider(null)
-  }
-
-  return (
-    <>
-      <Transition appear show={isOpen} as={Fragment}>
-        <Dialog as="div" className="relative z-10" onClose={onClose}>
-          <Transition.Child
-            as={Fragment}
-            enter="ease-out duration-300"
-            enterFrom="opacity-0"
-            enterTo="opacity-100"
-            leave="ease-in duration-200"
-            leaveFrom="opacity-100"
-            leaveTo="opacity-0"
-          >
-            <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
-          </Transition.Child>
-          <div className="fixed inset-0 overflow-y-auto">
-            <div className="flex min-h-full items-center justify-center p-4 text-center">
-              <Transition.Child
-                as={Fragment}
-                enter="ease-out duration-300"
-                enterFrom="opacity-0 scale-95"
-                enterTo="opacity-100 scale-100"
-                leave="ease-in duration-200"
-                leaveFrom="opacity-100 scale-100"
-                leaveTo="opacity-0 scale-95"
-              >
-                <Dialog.Panel className="w-full max-w-4xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
-                  <div className="flex items-start justify-between">
-                    <div>
-                      <Dialog.Title
-                        as="h3"
-                        className="text-2xl font-semibold text-black dark:text-white"
-                      >
-                        Add Identity Provider
-                      </Dialog.Title>
-                      <div className="text-neutral-500 text-sm">
-                        Select a provider below to create a new identity.
-                      </div>
-                    </div>
-                    <Button variant="text" onClick={onClose} title="Close">
-                      <FaTimes className="text-zinc-900 dark:text-zinc-400" />
-                    </Button>
-                  </div>
-
-                  <div className="space-y-8 py-8">
-                    <ProviderCards onProviderSelect={handleProviderSelect} />
-                  </div>
-                </Dialog.Panel>
-              </Transition.Child>
-            </div>
-          </div>
-        </Dialog>
-      </Transition>
-
-      {/* AWS IAM Identity Dialog */}
-      <AwsIamIdentityDialog
-        isOpen={awsIamDialogOpen}
-        onClose={handleAwsIamClose}
-        organisationId={organisationId}
-        onSuccess={handleAwsIamSuccess}
-      />
-    </>
-  )
-}
diff --git a/frontend/components/identities/ProviderCards.tsx b/frontend/components/identities/ProviderCards.tsx
index ee4358b97..2132abf94 100644
--- a/frontend/components/identities/ProviderCards.tsx
+++ b/frontend/components/identities/ProviderCards.tsx
@@ -52,12 +52,12 @@ export const ProviderCards = ({ onProviderSelect }: ProviderCardsProps) => {
   const providers: IdentityProvider[] = data?.identityProviders ?? []
 
   return (
-    <div className="grid grid-cols-1 sm:grid-cols-2 xl:grid-cols-4 gap-8 max-w-screen-lg">
+    <>
       {providers.map((provider) => (
         <div key={provider.id}>
           <ProviderCard provider={provider} onClick={() => onProviderSelect(provider.id)} />
         </div>
       ))}
-    </div>
+    </>
   )
 }
diff --git a/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx b/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx
new file mode 100644
index 000000000..bf60bd033
--- /dev/null
+++ b/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx
@@ -0,0 +1,78 @@
+import { IdentityType } from '@/apollo/graphql'
+import { Button } from '@/components/common/Button'
+import GenericDialog from '@/components/common/GenericDialog'
+import { FaTrashAlt } from 'react-icons/fa'
+import DeleteIdentity from '@/graphql/mutations/identities/deleteIdentity.gql'
+import GetOrganisationIdentities from '@/graphql/queries/identities/getOrganisationIdentities.gql'
+import { organisationContext } from '@/contexts/organisationContext'
+import { userHasPermission } from '@/utils/access/permissions'
+import { useMutation } from '@apollo/client'
+import { useContext, useRef } from 'react'
+import { toast } from 'react-toastify'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+
+export const DeleteExternalIdentityDialog = ({ identity }: { identity: IdentityType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const dialogRef = useRef<{ closeModal: () => void }>(null)
+
+  const closeModal = () => dialogRef.current?.closeModal()
+
+  const canDeleteIdentities = organisation
+    ? userHasPermission(organisation.role!.permissions, 'Identities', 'delete')
+    : false
+
+  const [deleteIdentity, { loading: deleting }] = useMutation(DeleteIdentity)
+
+  const handleDelete = async () => {
+    if (!canDeleteIdentities) return
+
+    try {
+      const { id } = identity
+      await deleteIdentity({
+        variables: { id },
+        refetchQueries: [
+          { query: GetOrganisationIdentities, variables: { organisationId: organisation?.id } },
+        ],
+      })
+      toast.success('Identity deleted')
+    } catch (e) {
+      toast.error('Failed to delete identity')
+    }
+  }
+
+  if (!canDeleteIdentities) return <></>
+
+  return (
+    <GenericDialog
+      ref={dialogRef}
+      title="Delete External Identity"
+      buttonVariant="danger"
+      buttonContent={
+        <>
+          <FaTrashAlt />
+          Delete
+        </>
+      }
+    >
+      <div className="space-y-6">
+        <p className="text-neutral-500 py-4 inline-flex items-center gap-1">
+          Are you sure you want to delete the{' '}
+          <span>
+            <ProviderIcon providerId={identity.provider} />
+          </span>{' '}
+          <span className="text-zinc-900 dark:text-zinc-100">{identity.name}</span> external
+          identity?
+        </p>
+        <div className="flex items-center justify-between gap-4">
+          <Button variant="secondary" type="button" onClick={closeModal}>
+            Cancel
+          </Button>
+          <Button variant="danger" onClick={handleDelete} isLoading={deleting} icon={FaTrashAlt}>
+            Delete External Identity
+          </Button>
+        </div>
+      </div>
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/identities/providers/EditExternalIdentityDialog.tsx b/frontend/components/identities/providers/EditExternalIdentityDialog.tsx
new file mode 100644
index 000000000..b97044733
--- /dev/null
+++ b/frontend/components/identities/providers/EditExternalIdentityDialog.tsx
@@ -0,0 +1,58 @@
+import { IdentityType } from '@/apollo/graphql'
+import GenericDialog from '@/components/common/GenericDialog'
+import { AwsIamIdentityForm } from './aws/iam'
+import { organisationContext } from '@/contexts/organisationContext'
+import { useContext, useRef } from 'react'
+import { FaCog, FaEdit } from 'react-icons/fa'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+
+export const EditExternalIdentityDialog = ({ identity }: { identity: IdentityType }) => {
+  const { activeOrganisation: organisation } = useContext(organisationContext)
+
+  const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+
+  const dialogTitle = () => {
+    switch (identity.provider) {
+      case 'aws_iam':
+        return (
+          <div className="flex items-center gap-3">
+            <div className="text-2xl">
+              <ProviderIcon providerId="aws" />
+            </div>
+            <div>
+              <h3 className="text-base font-semibold text-black dark:text-white">
+                Edit AWS IAM Identity
+              </h3>
+              <div className="text-neutral-500 text-sm">
+                Configure trusted entities and token settings
+              </div>
+            </div>
+          </div>
+        )
+      default:
+        return <>Edit Identity</>
+    }
+  }
+
+  return (
+    <GenericDialog
+      ref={dialogRef}
+      title="Edit AWS IAM Identity"
+      dialogTitle={dialogTitle()}
+      buttonVariant="secondary"
+      buttonContent={
+        <>
+          <FaCog /> Configure
+        </>
+      }
+    >
+      {identity.provider === 'aws_iam' && (
+        <AwsIamIdentityForm
+          organisationId={organisation?.id || ''}
+          identity={identity}
+          onSuccess={() => dialogRef.current?.closeModal()}
+        />
+      )}
+    </GenericDialog>
+  )
+}
diff --git a/frontend/components/identities/providers/aws/iam.tsx b/frontend/components/identities/providers/aws/iam.tsx
index 5a82b8b6c..434bfbeb6 100644
--- a/frontend/components/identities/providers/aws/iam.tsx
+++ b/frontend/components/identities/providers/aws/iam.tsx
@@ -1,18 +1,21 @@
 'use client'
 
-import { useState, Fragment, useEffect, useMemo } from 'react'
+import { useState, useMemo, Fragment, useEffect } from 'react'
 import { useMutation, useQuery } from '@apollo/client'
 import GetAwsStsEndpoints from '@/graphql/queries/identities/getAwsStsEndpoints.gql'
 import CreateIdentity from '@/graphql/mutations/identities/createIdentity.gql'
 import UpdateIdentity from '@/graphql/mutations/identities/updateIdentity.gql'
-import { Dialog, Transition, Combobox } from '@headlessui/react'
+import GetOrganisationIdentities from '@/graphql/queries/identities/getOrganisationIdentities.gql'
+import { Combobox, Transition } from '@headlessui/react'
 import { Input } from '@/components/common/Input'
 import { Button } from '@/components/common/Button'
-import { FaTimes, FaChevronDown, FaCheckCircle } from 'react-icons/fa'
+import { FaChevronDown, FaCheckCircle } from 'react-icons/fa'
 import { LiaAws } from 'react-icons/lia'
 import { toast } from 'react-toastify'
 import clsx from 'clsx'
 import { parseTTL, formatTTL, isValidTTL, getTTLExamples } from '@/utils/ttl'
+import { ProviderIcon } from '@/components/syncing/ProviderIcon'
+import { IdentityType } from '@/apollo/graphql'
 
 type AwsIamConfig = {
   trustedPrincipals: string[]
@@ -20,17 +23,6 @@ type AwsIamConfig = {
   stsEndpoint: string
 }
 
-type Identity = {
-  id: string
-  provider: string
-  name: string
-  description?: string | null
-  config: AwsIamConfig
-  tokenNamePattern?: string | null
-  defaultTtlSeconds: number
-  maxTtlSeconds: number
-}
-
 type AwsStsEndpoint = {
   regionCode: string | null
   regionName: string
@@ -38,19 +30,17 @@ type AwsStsEndpoint = {
 }
 
 interface AwsIamIdentityDialogProps {
-  isOpen: boolean
-  onClose: () => void
   organisationId: string
-  identity?: Identity | null
+  identity?: IdentityType | null
   onSuccess: () => void
+  onBack?: () => void
 }
 
-export const AwsIamIdentityDialog = ({
-  isOpen,
-  onClose,
+export const AwsIamIdentityForm = ({
   organisationId,
   identity,
   onSuccess,
+  onBack,
 }: AwsIamIdentityDialogProps) => {
   const { data: stsData } = useQuery(GetAwsStsEndpoints)
   const [createIdentity, { loading: creating }] = useMutation(CreateIdentity)
@@ -106,6 +96,56 @@ export const AwsIamIdentityDialog = ({
     return regionNameMatches || regionCodeMatches || endpointMatches
   })
 
+  useEffect(() => {
+    if (identity) {
+      // Populate form with identity data
+      setName(identity.name)
+      setDescription(identity.description || '')
+      setTrustedPrincipals(identity.config?.trustedPrincipals?.join(', ') || '')
+      setSignatureTtlInput(formatTTL(identity.config?.signatureTtlSeconds ?? 60))
+      setSignatureTtlSeconds(identity.config?.signatureTtlSeconds ?? 60)
+      setStsEndpoint(identity.config?.stsEndpoint ?? '')
+
+      const existingEndpoint = awsStsEndpoints.find(
+        (ep) => identity.config && ep.endpoint === identity.config.stsEndpoint
+      )
+      setUseCustomEndpoint(!existingEndpoint)
+      setSelectedStsEndpoint(existingEndpoint || null)
+      setStsQuery('')
+
+      setTokenNamePattern(identity.tokenNamePattern || '')
+      setDefaultTtlInput(formatTTL(identity.defaultTtlSeconds))
+      setMaxTtlInput(formatTTL(identity.maxTtlSeconds))
+      setDefaultTtlSeconds(identity.defaultTtlSeconds)
+      setMaxTtlSeconds(identity.maxTtlSeconds)
+      setInitialState({
+        name: identity.name,
+        description: identity.description || '',
+        trustedPrincipals: identity.config?.trustedPrincipals?.join(', ') || '',
+        signatureTtlInput: formatTTL(identity.config?.signatureTtlSeconds ?? 60),
+        signatureTtlSeconds: identity.config?.signatureTtlSeconds ?? 60,
+        stsEndpoint: identity.config?.stsEndpoint ?? '',
+        tokenNamePattern: identity.tokenNamePattern || '',
+        defaultTtlInput: formatTTL(identity.defaultTtlSeconds),
+        maxTtlInput: formatTTL(identity.maxTtlSeconds),
+        defaultTtlSeconds: identity.defaultTtlSeconds,
+        maxTtlSeconds: identity.maxTtlSeconds,
+      })
+    } else {
+      // Set default to Global (Legacy) endpoint if available
+      if (awsStsEndpoints.length > 0) {
+        const globalEndpoint = awsStsEndpoints.find(
+          (ep) => ep.endpoint === 'https://sts.amazonaws.com'
+        )
+        if (globalEndpoint) {
+          setSelectedStsEndpoint(globalEndpoint)
+          setStsEndpoint(globalEndpoint.endpoint)
+          setUseCustomEndpoint(false)
+        }
+      }
+    }
+  }, [identity, awsStsEndpoints])
+
   const handleDefaultTtlChange = (value: string) => {
     setDefaultTtlInput(value)
     if (isValidTTL(value)) {
@@ -127,89 +167,6 @@ export const AwsIamIdentityDialog = ({
     }
   }
 
-  const resetForm = () => {
-    setName('')
-    setDescription('')
-    setTrustedPrincipals('')
-    setSignatureTtlInput('60s')
-    setSignatureTtlSeconds(60)
-    setUseCustomEndpoint(false)
-    setStsEndpoint('https://sts.amazonaws.com')
-    setSelectedStsEndpoint(null)
-    setStsQuery('')
-    setTokenNamePattern('')
-    setDefaultTtlInput('1h')
-    setMaxTtlInput('24h')
-    setDefaultTtlSeconds(3600)
-    setMaxTtlSeconds(86400)
-    setInitialState({
-      name: '',
-      description: '',
-      trustedPrincipals: '',
-      signatureTtlInput: '60s',
-      signatureTtlSeconds: 60,
-      stsEndpoint: 'https://sts.amazonaws.com',
-      tokenNamePattern: '',
-      defaultTtlInput: '1h',
-      maxTtlInput: '24h',
-      defaultTtlSeconds: 3600,
-      maxTtlSeconds: 86400,
-    })
-  }
-
-  useEffect(() => {
-    if (isOpen) {
-      if (identity) {
-        // Populate form with identity data
-        setName(identity.name)
-        setDescription(identity.description || '')
-        setTrustedPrincipals(identity.config.trustedPrincipals.join(', '))
-        setSignatureTtlInput(formatTTL(identity.config.signatureTtlSeconds))
-        setSignatureTtlSeconds(identity.config.signatureTtlSeconds)
-        setStsEndpoint(identity.config.stsEndpoint)
-
-        const existingEndpoint = awsStsEndpoints.find(
-          (ep) => ep.endpoint === identity.config.stsEndpoint
-        )
-        setUseCustomEndpoint(!existingEndpoint)
-        setSelectedStsEndpoint(existingEndpoint || null)
-        setStsQuery('')
-
-        setTokenNamePattern(identity.tokenNamePattern || '')
-        setDefaultTtlInput(formatTTL(identity.defaultTtlSeconds))
-        setMaxTtlInput(formatTTL(identity.maxTtlSeconds))
-        setDefaultTtlSeconds(identity.defaultTtlSeconds)
-        setMaxTtlSeconds(identity.maxTtlSeconds)
-        setInitialState({
-          name: identity.name,
-          description: identity.description || '',
-          trustedPrincipals: identity.config.trustedPrincipals.join(', '),
-          signatureTtlInput: formatTTL(identity.config.signatureTtlSeconds),
-          signatureTtlSeconds: identity.config.signatureTtlSeconds,
-          stsEndpoint: identity.config.stsEndpoint,
-          tokenNamePattern: identity.tokenNamePattern || '',
-          defaultTtlInput: formatTTL(identity.defaultTtlSeconds),
-          maxTtlInput: formatTTL(identity.maxTtlSeconds),
-          defaultTtlSeconds: identity.defaultTtlSeconds,
-          maxTtlSeconds: identity.maxTtlSeconds,
-        })
-      } else {
-        resetForm()
-        // Set default to Global (Legacy) endpoint if available
-        if (awsStsEndpoints.length > 0) {
-          const globalEndpoint = awsStsEndpoints.find(
-            (ep) => ep.endpoint === 'https://sts.amazonaws.com'
-          )
-          if (globalEndpoint) {
-            setSelectedStsEndpoint(globalEndpoint)
-            setStsEndpoint(globalEndpoint.endpoint)
-            setUseCustomEndpoint(false)
-          }
-        }
-      }
-    }
-  }, [isOpen, identity, awsStsEndpoints])
-
   const handleSave = async () => {
     // Client-side guard to avoid firing mutation and duplicating toasts
     if (defaultTtlSeconds > maxTtlSeconds) {
@@ -255,15 +212,15 @@ export const AwsIamIdentityDialog = ({
             defaultTtlSeconds,
             maxTtlSeconds,
           },
+          refetchQueries: [{ query: GetOrganisationIdentities, variables: { organisationId } }],
         })
-        toast.success('Identity created')
+        toast.success('Create new AWS IAM External Identity')
       }
       onSuccess()
-      onClose()
     } catch (e: any) {
       const hasGraphQLErrors = Array.isArray(e?.graphQLErrors) && e.graphQLErrors.length > 0
       if (!hasGraphQLErrors) {
-        toast.error('Failed to save identity')
+        toast.error('Failed to create External Identity')
       } else {
         toast.error(e.message)
       }
@@ -297,284 +254,240 @@ export const AwsIamIdentityDialog = ({
   ])
 
   return (
-    <Transition appear show={isOpen} as={Fragment}>
-      <Dialog as="div" className="relative z-10" onClose={onClose}>
-        <Transition.Child
-          as={Fragment}
-          enter="ease-out duration-300"
-          enterFrom="opacity-0"
-          enterTo="opacity-100"
-          leave="ease-in duration-200"
-          leaveFrom="opacity-100"
-          leaveTo="opacity-0"
-        >
-          <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
-        </Transition.Child>
-        <div className="fixed inset-0 overflow-y-auto">
-          <div className="flex min-h-full items-center justify-center p-4 text-center">
-            <Transition.Child
-              as={Fragment}
-              enter="ease-out duration-300"
-              enterFrom="opacity-0 scale-95"
-              enterTo="opacity-100 scale-100"
-              leave="ease-in duration-200"
-              leaveFrom="opacity-100 scale-100"
-              leaveTo="opacity-0 scale-95"
-            >
-              <Dialog.Panel className="w-full max-w-2xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
-                <div className="flex items-start justify-between">
-                  <div className="flex items-center gap-3">
-                    <LiaAws className="text-3xl text-orange-500" />
-                    <div>
-                      <Dialog.Title
-                        as="h3"
-                        className="text-2xl font-semibold text-black dark:text-white"
-                      >
-                        AWS IAM Identity
-                      </Dialog.Title>
-                      <div className="text-neutral-500 text-sm">
-                        Configure trusted entities and token settings
-                      </div>
-                    </div>
-                  </div>
-                  <Button variant="text" onClick={onClose} title="Close">
-                    <FaTimes className="text-zinc-900 dark:text-zinc-400" />
-                  </Button>
-                </div>
-
-                <div className="space-y-6 py-4">
-                  <div className="space-y-2">
-                    <Input
-                      value={name}
-                      setValue={setName}
-                      label="Identity name"
-                      placeholder="e.g. prod-ec2-identity"
-                      required
-                      maxLength={100}
-                    />
-                    <Input
-                      value={description}
-                      setValue={setDescription}
-                      label="Description (optional)"
-                      placeholder="e.g. production EC2 autoscaling group"
-                    />
-                  </div>
+    <div className="space-y-6">
+      <div className="space-y-6 py-4">
+        <div className="space-y-2">
+          <Input
+            value={name}
+            setValue={setName}
+            label="Identity name"
+            placeholder="e.g. prod-ec2-identity"
+            required
+            maxLength={100}
+          />
+          <Input
+            value={description}
+            setValue={setDescription}
+            label="Description (optional)"
+            placeholder="e.g. production EC2 autoscaling group"
+          />
+        </div>
 
+        <div className="space-y-2">
+          <div className="font-medium text-black dark:text-white">Trusted entities</div>
+          <div className="space-y-2">
+            <label className="block text-neutral-500 text-sm font-bold mb-2">
+              Trusted principal ARNs <span className="text-red-500 ml-1">*</span>
+            </label>
+            <textarea
+              rows={2}
+              value={trustedPrincipals}
+              className="w-full"
+              onChange={(e) => setTrustedPrincipals(e.target.value)}
+              placeholder="arn:aws:iam::123456789012:user/MyUser, arn:aws:sts::123456789012:assumed-role/MyRole/*"
+              required
+            />
+          </div>
+          <Input
+            value={signatureTtlInput}
+            setValue={handleSignatureTtlChange}
+            label="Signatures expiry"
+            placeholder={getTTLExamples().join(', ')}
+            required
+          />
+          <div className="relative">
+            <Combobox
+              as="div"
+              value={useCustomEndpoint ? null : selectedStsEndpoint}
+              onChange={(endpoint: AwsStsEndpoint | null) => {
+                if (endpoint) {
+                  setSelectedStsEndpoint(endpoint)
+                  setStsEndpoint(endpoint.endpoint)
+                  setUseCustomEndpoint(false)
+                }
+              }}
+            >
+              {({ open }) => (
+                <>
                   <div className="space-y-2">
-                    <div className="font-medium text-black dark:text-white">Trusted entities</div>
-                    <div className="space-y-2">
-                      <label className="block text-neutral-500 text-sm font-bold mb-2">
-                        Trusted principal ARNs <span className="text-red-500 ml-1">*</span>
+                    <Combobox.Label as={Fragment}>
+                      <label className="block text-neutral-500 text-sm">
+                        STS Endpoint <span className="text-red-500 ml-1">*</span>
                       </label>
-                      <textarea
-                        rows={2}
-                        value={trustedPrincipals}
+                    </Combobox.Label>
+                    <div className="w-full relative flex items-center">
+                      <Combobox.Input
                         className="w-full"
-                        onChange={(e) => setTrustedPrincipals(e.target.value)}
-                        placeholder="arn:aws:iam::123456789012:user/MyUser, arn:aws:sts::123456789012:assumed-role/MyRole/*"
+                        onChange={(event) => setStsQuery(event.target.value)}
                         required
-                      />
-                    </div>
-                    <Input
-                      value={signatureTtlInput}
-                      setValue={handleSignatureTtlChange}
-                      label="Signatures expiry"
-                      placeholder={getTTLExamples().join(', ')}
-                      required
-                    />
-                    <div className="relative">
-                      <Combobox
-                        as="div"
-                        value={useCustomEndpoint ? null : selectedStsEndpoint}
-                        onChange={(endpoint: AwsStsEndpoint | null) => {
+                        placeholder={stsQuery || selectedStsEndpoint ? '' : 'Select STS region'}
+                        displayValue={(endpoint: AwsStsEndpoint) => {
+                          if (useCustomEndpoint) {
+                            return 'Custom endpoint'
+                          }
                           if (endpoint) {
-                            setSelectedStsEndpoint(endpoint)
-                            setStsEndpoint(endpoint.endpoint)
-                            setUseCustomEndpoint(false)
+                            return `${endpoint.regionName} — ${endpoint.endpoint}`
                           }
+                          return stsQuery || ''
                         }}
-                      >
-                        {({ open }) => (
-                          <>
-                            <div className="space-y-2">
-                              <Combobox.Label as={Fragment}>
-                                <label className="block text-neutral-500 text-sm">
-                                  STS Endpoint <span className="text-red-500 ml-1">*</span>
-                                </label>
-                              </Combobox.Label>
-                              <div className="w-full relative flex items-center">
-                                <Combobox.Input
-                                  className="w-full"
-                                  onChange={(event) => setStsQuery(event.target.value)}
-                                  required
-                                  placeholder={
-                                    stsQuery || selectedStsEndpoint ? '' : 'Select STS region'
-                                  }
-                                  displayValue={(endpoint: AwsStsEndpoint) => {
-                                    if (useCustomEndpoint) {
-                                      return 'Custom endpoint'
-                                    }
-                                    if (endpoint) {
-                                      return `${endpoint.regionName} — ${endpoint.endpoint}`
-                                    }
-                                    return stsQuery || ''
-                                  }}
-                                />
-                                <div className="absolute inset-y-0 right-2 flex items-center">
-                                  <Combobox.Button>
-                                    <FaChevronDown
-                                      className={clsx(
-                                        'text-neutral-500 transform transition ease cursor-pointer',
-                                        open ? 'rotate-180' : 'rotate-0'
-                                      )}
-                                    />
-                                  </Combobox.Button>
+                      />
+                      <div className="absolute inset-y-0 right-2 flex items-center">
+                        <Combobox.Button>
+                          <FaChevronDown
+                            className={clsx(
+                              'text-neutral-500 transform transition ease cursor-pointer',
+                              open ? 'rotate-180' : 'rotate-0'
+                            )}
+                          />
+                        </Combobox.Button>
+                      </div>
+                    </div>
+                  </div>
+                  <Transition
+                    enter="transition duration-100 ease-out"
+                    enterFrom="transform scale-95 opacity-0"
+                    enterTo="transform scale-100 opacity-100"
+                    leave="transition duration-75 ease-out"
+                    leaveFrom="transform scale-100 opacity-100"
+                    leaveTo="transform scale-95 opacity-0"
+                  >
+                    <Combobox.Options as={Fragment}>
+                      <div className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-b-md shadow-2xl z-20 absolute max-h-96 overflow-y-auto w-full border border-t-none border-neutral-500/20">
+                        {filteredStsEndpoints.map((endpoint: AwsStsEndpoint) => (
+                          <Combobox.Option
+                            as="div"
+                            key={`${endpoint.regionName}-${endpoint.regionCode || 'global'}`}
+                            value={endpoint}
+                          >
+                            {({ active, selected }) => (
+                              <div
+                                className={clsx(
+                                  'flex items-center justify-between gap-2 p-2 cursor-pointer w-full border-b border-neutral-500/20',
+                                  active && 'bg-zinc-300 dark:bg-zinc-700'
+                                )}
+                              >
+                                <div className="flex items-center gap-2">
+                                  <LiaAws className="shrink-0 text-orange-500" />
+                                  <div>
+                                    <div className="font-semibold text-black dark:text-white">
+                                      {endpoint.regionName}
+                                    </div>
+                                    <div className="text-neutral-500 text-2xs">
+                                      {endpoint.endpoint}
+                                    </div>
+                                  </div>
                                 </div>
+                                {selected && (
+                                  <FaCheckCircle className="shrink-0 text-emerald-500" />
+                                )}
                               </div>
-                            </div>
-                            <Transition
-                              enter="transition duration-100 ease-out"
-                              enterFrom="transform scale-95 opacity-0"
-                              enterTo="transform scale-100 opacity-100"
-                              leave="transition duration-75 ease-out"
-                              leaveFrom="transform scale-100 opacity-100"
-                              leaveTo="transform scale-95 opacity-0"
+                            )}
+                          </Combobox.Option>
+                        ))}
+                        <Combobox.Option
+                          as="div"
+                          value={null}
+                          onClick={() => {
+                            setUseCustomEndpoint(true)
+                            setSelectedStsEndpoint(null)
+                            setStsEndpoint('')
+                            setStsQuery('')
+                          }}
+                        >
+                          {({ active }) => (
+                            <div
+                              className={clsx(
+                                'flex items-center gap-2 p-2 cursor-pointer w-full',
+                                active && 'bg-zinc-300 dark:bg-zinc-700'
+                              )}
                             >
-                              <Combobox.Options as={Fragment}>
-                                <div className="bg-zinc-200 dark:bg-zinc-800 p-2 rounded-b-md shadow-2xl z-20 absolute max-h-96 overflow-y-auto w-full border border-t-none border-neutral-500/20">
-                                  {filteredStsEndpoints.map((endpoint: AwsStsEndpoint) => (
-                                    <Combobox.Option
-                                      as="div"
-                                      key={`${endpoint.regionName}-${endpoint.regionCode || 'global'}`}
-                                      value={endpoint}
-                                    >
-                                      {({ active, selected }) => (
-                                        <div
-                                          className={clsx(
-                                            'flex items-center justify-between gap-2 p-2 cursor-pointer w-full border-b border-neutral-500/20',
-                                            active && 'bg-zinc-300 dark:bg-zinc-700'
-                                          )}
-                                        >
-                                          <div className="flex items-center gap-2">
-                                            <LiaAws className="shrink-0 text-orange-500" />
-                                            <div>
-                                              <div className="font-semibold text-black dark:text-white">
-                                                {endpoint.regionName}
-                                              </div>
-                                              <div className="text-neutral-500 text-2xs">
-                                                {endpoint.endpoint}
-                                              </div>
-                                            </div>
-                                          </div>
-                                          {selected && (
-                                            <FaCheckCircle className="shrink-0 text-emerald-500" />
-                                          )}
-                                        </div>
-                                      )}
-                                    </Combobox.Option>
-                                  ))}
-                                  <Combobox.Option
-                                    as="div"
-                                    value={null}
-                                    onClick={() => {
-                                      setUseCustomEndpoint(true)
-                                      setSelectedStsEndpoint(null)
-                                      setStsEndpoint('')
-                                      setStsQuery('')
-                                    }}
-                                  >
-                                    {({ active }) => (
-                                      <div
-                                        className={clsx(
-                                          'flex items-center gap-2 p-2 cursor-pointer w-full',
-                                          active && 'bg-zinc-300 dark:bg-zinc-700'
-                                        )}
-                                      >
-                                        <LiaAws className="shrink-0 text-orange-500" />
-                                        <div>
-                                          <div className="font-semibold text-black dark:text-white">
-                                            Custom endpoint
-                                          </div>
-                                          <div className="text-neutral-500 text-2xs">
-                                            Specify your own STS endpoint
-                                          </div>
-                                        </div>
-                                      </div>
-                                    )}
-                                  </Combobox.Option>
+                              <LiaAws className="shrink-0 text-orange-500" />
+                              <div>
+                                <div className="font-semibold text-black dark:text-white">
+                                  Custom endpoint
                                 </div>
-                              </Combobox.Options>
-                            </Transition>
-                          </>
-                        )}
-                      </Combobox>
-                    </div>
-                    {useCustomEndpoint && (
-                      <Input
-                        value={stsEndpoint}
-                        setValue={setStsEndpoint}
-                        placeholder="https://sts.<region>.amazonaws.com"
-                        required
-                      />
-                    )}
-                  </div>
+                                <div className="text-neutral-500 text-2xs">
+                                  Specify your own STS endpoint
+                                </div>
+                              </div>
+                            </div>
+                          )}
+                        </Combobox.Option>
+                      </div>
+                    </Combobox.Options>
+                  </Transition>
+                </>
+              )}
+            </Combobox>
+          </div>
+          {useCustomEndpoint && (
+            <Input
+              value={stsEndpoint}
+              setValue={setStsEndpoint}
+              placeholder="https://sts.<region>.amazonaws.com"
+              required
+            />
+          )}
+        </div>
 
-                  <div className="py-2">
-                    <div className="border-b border-neutral-500/40 w-full"></div>
-                  </div>
+        <div className="py-2">
+          <div className="border-b border-neutral-500/40 w-full"></div>
+        </div>
 
-                  <div className="space-y-4">
-                    <div className="font-medium text-black dark:text-white">
-                      Token configuration
-                    </div>
-                    <Input
-                      value={tokenNamePattern}
-                      setValue={setTokenNamePattern}
-                      label="Token name prefix or suffix"
-                      placeholder="Optional identifier (e.g. prod, staging)"
-                    />
-                    <div className="grid grid-cols-1 sm:grid-cols-2 gap-4">
-                      <Input
-                        value={defaultTtlInput}
-                        setValue={handleDefaultTtlChange}
-                        label="Default TTL"
-                        placeholder={getTTLExamples().join(', ')}
-                        required
-                      />
-                      <Input
-                        value={maxTtlInput}
-                        setValue={handleMaxTtlChange}
-                        label="Max TTL"
-                        placeholder={getTTLExamples().join(', ')}
-                        required
-                      />
-                    </div>
-                  </div>
+        <div className="space-y-4">
+          <div className="font-medium text-black dark:text-white">Token configuration</div>
+          <Input
+            value={tokenNamePattern}
+            setValue={setTokenNamePattern}
+            label="Token name prefix or suffix"
+            placeholder="Optional identifier (e.g. prod, staging)"
+          />
+          <div className="grid grid-cols-1 sm:grid-cols-2 gap-4">
+            <Input
+              value={defaultTtlInput}
+              setValue={handleDefaultTtlChange}
+              label="Default TTL"
+              placeholder={getTTLExamples().join(', ')}
+              required
+            />
+            <Input
+              value={maxTtlInput}
+              setValue={handleMaxTtlChange}
+              label="Max TTL"
+              placeholder={getTTLExamples().join(', ')}
+              required
+            />
+          </div>
+        </div>
 
-                  <div className="flex items-center justify-end mt-4">
-                    <Button
-                      variant="primary"
-                      onClick={handleSave}
-                      isLoading={isSaving}
-                      disabled={
-                        !hasChanges ||
-                        !name ||
-                        !trustedPrincipals ||
-                        !stsEndpoint ||
-                        !isValidTTL(signatureTtlInput) ||
-                        !isValidTTL(defaultTtlInput) ||
-                        !isValidTTL(maxTtlInput)
-                      }
-                    >
-                      Save
-                    </Button>
-                  </div>
-                </div>
-              </Dialog.Panel>
-            </Transition.Child>
+        <div className="flex items-center justify-between mt-4">
+          <div>
+            {onBack && (
+              <Button variant="secondary" onClick={onBack}>
+                Back
+              </Button>
+            )}
+          </div>
+          <div className="flex gap-2">
+            <Button
+              variant="primary"
+              onClick={handleSave}
+              isLoading={isSaving}
+              disabled={
+                !hasChanges ||
+                !name ||
+                !trustedPrincipals ||
+                !stsEndpoint ||
+                !isValidTTL(signatureTtlInput) ||
+                !isValidTTL(defaultTtlInput) ||
+                !isValidTTL(maxTtlInput)
+              }
+            >
+              Save
+            </Button>
           </div>
         </div>
-      </Dialog>
-    </Transition>
+      </div>
+    </div>
   )
 }

From a1ad2bec6fb75a43d99bccafaf74446541750137 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 26 Sep 2025 13:10:08 +0530
Subject: [PATCH 66/80] fix: misc updates to account identity management ux

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../_components/ServiceAccountIdentities.tsx  | 235 +++++++++---------
 1 file changed, 119 insertions(+), 116 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
index 281d44bd0..88d484be1 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/_components/ServiceAccountIdentities.tsx
@@ -2,7 +2,7 @@
 
 import { ServiceAccountType } from '@/apollo/graphql'
 import { organisationContext } from '@/contexts/organisationContext'
-import { useContext, useMemo, useState } from 'react'
+import { useContext, useMemo, useRef, useState } from 'react'
 import { Button } from '@/components/common/Button'
 import { EmptyState } from '@/components/common/EmptyState'
 import { Dialog, Transition } from '@headlessui/react'
@@ -18,15 +18,19 @@ import UpdateServiceAccount from '@/graphql/mutations/service-accounts/updateSer
 import { TbLockShare } from 'react-icons/tb'
 import { FaSearch, FaTimesCircle, FaServer } from 'react-icons/fa'
 import clsx from 'clsx'
+import GenericDialog from '@/components/common/GenericDialog'
+import { MdSearchOff } from 'react-icons/md'
+import Link from 'next/link'
 
 export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountType }) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
-  const [isOpen, setIsOpen] = useState(false)
   const { data } = useQuery(GetOrganisationIdentities, {
     variables: { organisationId: organisation?.id },
     skip: !organisation,
   })
 
+  const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+
   const [updateAccount, { loading }] = useMutation(UpdateServiceAccount)
 
   const orgIdentities: any[] = data?.identities ?? []
@@ -42,13 +46,8 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
     setSelected(s)
   }
 
-  const open = () => {
-    if (!account.serverSideKeyManagementEnabled) {
-      const dlg = document.getElementById('sa-kms-dialog')
-    }
-    setIsOpen(true)
-  }
-  const close = () => setIsOpen(false)
+  const openManageIdentitiesDialog = () => dialogRef.current?.openModal()
+  const closeManageIdentitiesDialog = () => dialogRef.current?.closeModal()
 
   // Filter identities based on search query
   const filteredIdentities = orgIdentities.filter(
@@ -69,7 +68,7 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
         { query: GetServiceAccountDetail, variables: { orgId: organisation?.id, id: account.id } },
       ],
     })
-    close()
+    closeManageIdentitiesDialog()
     toast.success('Updated identities for this account')
   }
 
@@ -106,8 +105,8 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
               Manage which external identities are trusted for this account
             </div>
             {(account as any).identities && (account as any).identities.length > 0 && (
-              <Button variant="primary" onClick={() => setIsOpen(true)}>
-                <TbLockShare /> Manage identities
+              <Button variant="primary" onClick={() => openManageIdentitiesDialog()}>
+                <TbLockShare /> Manage External Identities
               </Button>
             )}
           </div>
@@ -133,127 +132,131 @@ export const ServiceAccountIdentities = ({ account }: { account: ServiceAccountT
             </div>
           ) : (
             <EmptyState
-              title="No identities"
-              subtitle="No identities are enabled for this account."
+              title="No External Identities"
+              subtitle="No external identities are enabled for this account."
               graphic={
                 <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
                   <TbLockShare />
                 </div>
               }
             >
-              <Button variant="primary" onClick={() => setIsOpen(true)}>
-                <TbLockShare /> Manage identities
+              <Button variant="primary" onClick={() => openManageIdentitiesDialog()}>
+                <TbLockShare /> Manage External Identities
               </Button>
             </EmptyState>
           )}
         </div>
       </div>
 
-      <Transition appear show={isOpen} as={Fragment}>
-        <Dialog as="div" className="relative z-10" onClose={close}>
-          <Transition.Child
-            as={Fragment}
-            enter="ease-out duration-300"
-            enterFrom="opacity-0"
-            enterTo="opacity-100"
-            leave="ease-in duration-200"
-            leaveFrom="opacity-100"
-            leaveTo="opacity-0"
-          >
-            <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
-          </Transition.Child>
-          <div className="fixed inset-0 overflow-y-auto">
-            <div className="flex min-h-full items-center justify-center p-4 text-center">
-              <Transition.Child
-                as={Fragment}
-                enter="ease-out duration-300"
-                enterFrom="opacity-0 scale-95"
-                enterTo="opacity-100 scale-100"
-                leave="ease-in duration-200"
-                leaveFrom="opacity-100 scale-100"
-                leaveTo="opacity-0 scale-95"
-              >
-                <Dialog.Panel className="w-full max-w-3xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
-                  <Dialog.Title
-                    as="h3"
-                    className="text-lg font-medium leading-6 text-black dark:text-white "
-                  >
-                    Manage identities
-                  </Dialog.Title>
-                  <div className="py-4">
-                    <div className="flex items-center justify-between mb-3">
-                      <div className="relative flex items-center bg-zinc-100 dark:bg-zinc-800 rounded-md px-2 w-full max-w-sm">
-                        <div className="">
-                          <FaSearch className="text-neutral-500" />
+      <GenericDialog title="Manage external identities" ref={dialogRef}>
+        {orgIdentities.length > 0 ? (
+          <div>
+            <div className="text-neutral-500 text-sm pb-4">
+              Manage External Identities associated with this Service Account
+            </div>
+            <div className="flex items-center justify-between mb-3">
+              <div className="relative flex items-center bg-zinc-200 dark:bg-zinc-800 rounded-md px-2 w-full max-w-sm">
+                <div className="">
+                  <FaSearch className="text-neutral-500" />
+                </div>
+                <input
+                  placeholder="Search external identities"
+                  className="custom bg-zinc-200 dark:bg-zinc-800 text-zinc-900 dark:text-zinc-100"
+                  value={searchQuery}
+                  onChange={(e) => setSearchQuery(e.target.value)}
+                />
+                <FaTimesCircle
+                  className={clsx(
+                    'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2',
+                    searchQuery ? 'opacity-100' : 'opacity-0'
+                  )}
+                  role="button"
+                  onClick={() => setSearchQuery('')}
+                />
+              </div>
+            </div>
+            <table className="table-auto min-w-full divide-y divide-zinc-500/40 ">
+              <thead>
+                <tr>
+                  <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                    Provider
+                  </th>
+                  <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
+                    Identity
+                  </th>
+
+                  <th className="py-3 px-6 text-right text-xs font-medium text-gray-500 uppercase tracking-wider">
+                    Enabled
+                  </th>
+                </tr>
+              </thead>
+              <tbody className="divide-y divide-zinc-500/20">
+                {filteredIdentities.map((idn: any) => (
+                  <tr key={idn.id} className="group text-zinc-900 dark:text-zinc-100">
+                    <td className="font-medium inline-flex items-center gap-1 break-word text-2xl">
+                      <ProviderIcon providerId="aws" />
+                    </td>
+                    <td className="px-6 py-2">
+                      <div className="space-y-0">
+                        <div className="font-medium text-sm leading-tight">{idn.name}</div>
+                        <div className="text-neutral-500 text-xs leading-tight">
+                          {idn.description}
                         </div>
-                        <input
-                          placeholder="Search identities"
-                          className="custom bg-zinc-100 dark:bg-zinc-800"
-                          value={searchQuery}
-                          onChange={(e) => setSearchQuery(e.target.value)}
-                        />
-                        <FaTimesCircle
-                          className={clsx(
-                            'cursor-pointer text-neutral-500 transition-opacity ease absolute right-2',
-                            searchQuery ? 'opacity-100' : 'opacity-0'
-                          )}
-                          role="button"
-                          onClick={() => setSearchQuery('')}
-                        />
                       </div>
-                    </div>
-                    <table className="table-auto min-w-full divide-y divide-zinc-500/40 ">
-                      <thead>
-                        <tr>
-                          <th className="py-3 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
-                            Provider
-                          </th>
-                          <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
-                            Name
-                          </th>
-                          <th className="py-3 px-6 text-left text-xs font-medium text-gray-500 uppercase tracking-wider">
-                            Description
-                          </th>
-                          <th className="py-3 px-6 text-right text-xs font-medium text-gray-500 uppercase tracking-wider">
-                            Enabled
-                          </th>
-                        </tr>
-                      </thead>
-                      <tbody className="divide-y divide-zinc-500/20">
-                        {filteredIdentities.map((idn: any) => (
-                          <tr key={idn.id} className="group">
-                            <td className="text-zinc-900 dark:text-zinc-100 font-medium inline-flex items-center gap-1 break-word">
-                              <div className="text-xl">
-                                <ProviderIcon providerId="aws" />
-                              </div>
-                            </td>
-                            <td className="px-6 py-4">{idn.name}</td>
-                            <td className="px-6 py-4 text-neutral-500">{idn.description}</td>
-                            <td className="px-6 py-4 flex items-center justify-end gap-2">
-                              <ToggleSwitch
-                                value={selected.has(idn.id)}
-                                onToggle={() => toggle(idn.id)}
-                              />
-                            </td>
-                          </tr>
-                        ))}
-                      </tbody>
-                    </table>
-                    <div className="flex items-center justify-between mt-4">
-                      <Button variant="secondary" onClick={close}>
-                        Cancel
-                      </Button>
-                      <Button variant="primary" onClick={handleSave} isLoading={loading}>
-                        Save
-                      </Button>
-                    </div>
+                    </td>
+
+                    <td className="px-6 py-4 flex items-center justify-end gap-2">
+                      <ToggleSwitch value={selected.has(idn.id)} onToggle={() => toggle(idn.id)} />
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+            {orgIdentities.length > 0 && filteredIdentities.length === 0 && (
+              <EmptyState
+                title={`No results for "${searchQuery}"`}
+                subtitle="Try adjusting your search term"
+                graphic={
+                  <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                    <MdSearchOff />
                   </div>
-                </Dialog.Panel>
-              </Transition.Child>
+                }
+              >
+                <></>
+              </EmptyState>
+            )}
+            <div className="flex items-center justify-between mt-6">
+              <Button variant="secondary" onClick={closeManageIdentitiesDialog}>
+                Cancel
+              </Button>
+              <Button variant="primary" onClick={handleSave} isLoading={loading}>
+                Save
+              </Button>
             </div>
           </div>
-        </Dialog>
-      </Transition>
+        ) : (
+          <div>
+            <EmptyState
+              title="No External Identities"
+              subtitle="There are no external identities in your organisation. Create one first."
+              graphic={
+                <div className="text-neutral-300 dark:text-neutral-700 text-7xl text-center">
+                  <TbLockShare />
+                </div>
+              }
+            >
+              <>
+                <Link href={`/${organisation?.name}/access/identities`}>
+                  <Button>
+                    <TbLockShare />
+                    Create an External Identity
+                  </Button>
+                </Link>
+              </>
+            </EmptyState>
+          </div>
+        )}
+      </GenericDialog>
     </div>
   )
 }

From 4ca417de09edda3d03c9e6f9f564073eefae7b31 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 26 Sep 2025 15:11:12 +0530
Subject: [PATCH 67/80] feat: misc updates to KMS management ux

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../service-accounts/[account]/page.tsx       | 103 ++---
 frontend/components/common/GenericDialog.tsx  |   4 +-
 .../service-accounts/KeyManagementDialog.tsx  | 430 ++++++++----------
 3 files changed, 246 insertions(+), 291 deletions(-)

diff --git a/frontend/app/[team]/access/service-accounts/[account]/page.tsx b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
index 05d0b9473..1525c95c0 100644
--- a/frontend/app/[team]/access/service-accounts/[account]/page.tsx
+++ b/frontend/app/[team]/access/service-accounts/[account]/page.tsx
@@ -136,69 +136,62 @@ export default function ServiceAccount({ params }: { params: { team: string; acc
       <div className="pb-4">
         <Link
           href={`/${params.team}/access/service-accounts`}
-          className="text-neutral-500 flex items-center gap-2 text-sm hover:text-zinc-800 dark:hover:text-zinc-200 transition ease"
+          className="text-neutral-500 inline-flex items-center gap-2 text-sm hover:text-zinc-800 dark:hover:text-zinc-200 transition ease"
         >
           <FaChevronLeft /> Back to service accounts
         </Link>
       </div>
       <div className="w-full space-y-8 py-4 text-zinc-900 dark:text-zinc-100 divide-y divide-neutral-500/40">
-        <div className="text-2xl font-semibold flex items-center gap-2">
-          <Avatar serviceAccount={account} size="xl" />
-          <div className="flex flex-col">
-            <h3 className="relative group w-full max-w-md">
-              <input
-                className="custom bg-transparent hover:bg-neutral-500/10 rounded-lg transition ease w-full "
-                value={name}
-                onChange={(e) => setName(e.target.value)}
-                readOnly={!userCanUpdateSA}
-                maxLength={64}
-              />
-              {nameUpdated ? (
-                <div className="flex items-center inset-y-0 gap-1 absolute right-2 backdrop-blur-sm">
-                  <Button variant="secondary" onClick={resetName}>
-                    <span className="text-2xs">Discard</span>
-                  </Button>
-                  <Button variant="primary" onClick={updateName}>
-                    <span className="text-2xs">Save</span>
-                  </Button>
-                </div>
-              ) : (
-                <div className="flex items-center inset-y-0 gap-1 absolute right-2 opacity-0 group-hover:opacity-100 transition ease ">
-                  <FaEdit className="text-neutral-500 text-base" />
-                </div>
-              )}
-            </h3>
-            <CopyButton
-              value={account.id}
-              buttonVariant="ghost"
-              title="Copy Service Account ID to clipboard"
-            >
-              <span className="text-neutral-500 text-sm font-mono pl-2">{account.id}</span>
-            </CopyButton>
-            <div className="flex items-center gap-2 text-sm text-neutral-500 mt-1">
-              {account.serverSideKeyManagementEnabled ? (
-                <FaServer className="text-neutral-500" />
-              ) : (
-                <FaArrowDownUpLock className="text-neutral-500" />
-              )}
-              <span className="whitespace-nowrap">KMS Mode:</span>
-              <span className="font-medium text-zinc-900 dark:text-zinc-100">
-                {account.serverSideKeyManagementEnabled ? 'Server-side' : 'Client-side'} key
-                management
-              </span>
-              {userCanUpdateSA && (
-                <KeyManagementDialog
-                  serviceAccount={account}
-                  trigger={
-                    <Button variant="secondary" className="flex items-center gap-2">
-                      <FaCog className="h-4 w-4" />
-                      <span>Manage</span>
-                    </Button>
-                  }
+        <div className="flex items-end justify-between">
+          <div className="text-2xl font-semibold flex items-center gap-2">
+            <Avatar serviceAccount={account} size="xl" />
+            <div>
+              <h3 className="relative group w-full max-w-md">
+                <input
+                  className="custom bg-transparent hover:bg-neutral-500/10 rounded-lg transition ease w-full "
+                  value={name}
+                  onChange={(e) => setName(e.target.value)}
+                  readOnly={!userCanUpdateSA}
+                  maxLength={64}
                 />
-              )}
+                {nameUpdated ? (
+                  <div className="flex items-center inset-y-0 gap-1 absolute right-2 backdrop-blur-sm">
+                    <Button variant="secondary" onClick={resetName}>
+                      <span className="text-2xs">Discard</span>
+                    </Button>
+                    <Button variant="primary" onClick={updateName}>
+                      <span className="text-2xs">Save</span>
+                    </Button>
+                  </div>
+                ) : (
+                  <div className="flex items-center inset-y-0 gap-1 absolute right-2 opacity-0 group-hover:opacity-100 transition ease ">
+                    <FaEdit className="text-neutral-500 text-base" />
+                  </div>
+                )}
+              </h3>
+              <CopyButton
+                value={account.id}
+                buttonVariant="ghost"
+                title="Copy Service Account ID to clipboard"
+              >
+                <span className="text-neutral-500 text-sm font-mono">{account.id}</span>
+              </CopyButton>
             </div>
           </div>
+          <div className="flex items-center gap-2 text-base text-neutral-500 mt-1">
+            {account.serverSideKeyManagementEnabled ? (
+              <FaServer className="text-sky-500" />
+            ) : (
+              <FaArrowDownUpLock className="text-emerald-500" />
+            )}
+
+            <span className="font-medium text-zinc-900 dark:text-zinc-100">
+              {account.serverSideKeyManagementEnabled ? 'Server-side' : 'Client-side'} KMS
+            </span>
+            {userCanUpdateSA && (
+              <KeyManagementDialog serviceAccount={account} buttonVariant={'secondary'} />
+            )}
+          </div>
         </div>
 
         <div className="py-4 space-y-4">
diff --git a/frontend/components/common/GenericDialog.tsx b/frontend/components/common/GenericDialog.tsx
index 01a22ba01..18d50da43 100644
--- a/frontend/components/common/GenericDialog.tsx
+++ b/frontend/components/common/GenericDialog.tsx
@@ -120,8 +120,8 @@ const GenericDialog = forwardRef(
                       sizeClass
                     )}
                   >
-                    <Dialog.Title as="div" className="flex w-full justify-between">
-                      <h3 className="text-lg font-medium leading-6 text-zinc-800 dark:text-zinc-200 break-all">
+                    <Dialog.Title as="div" className="flex w-full justify-between gap-2">
+                      <h3 className="text-lg font-medium leading-6 text-zinc-800 dark:text-zinc-200 break-all w-full">
                         {dialogTitle || title}
                       </h3>
                       <Button variant="text" onClick={closeModal}>
diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index d6ac9b7d3..fd2dd6c0b 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -1,14 +1,13 @@
 import { ServiceAccountType } from '@/apollo/graphql'
 import { useMutation, useQuery } from '@apollo/client'
-import { Dialog, Transition } from '@headlessui/react'
-import { useState, Fragment, useContext } from 'react'
-import { FaTimes, FaCog, FaUsers } from 'react-icons/fa'
+import { useState, useContext, useRef } from 'react'
+import { FaCog, FaUsers } from 'react-icons/fa'
 import { FaServer, FaArrowDownUpLock } from 'react-icons/fa6'
 import { MdMenuBook } from 'react-icons/md'
 import clsx from 'clsx'
 import { toast } from 'react-toastify'
 import { Alert } from '../common/Alert'
-import { Button } from '../common/Button'
+import { Button, ButtonVariant } from '../common/Button'
 import { KeyringContext } from '@/contexts/keyringContext'
 import GetServerKey from '@/graphql/queries/syncing/getServerKey.gql'
 import { GetServiceAccountDetail } from '@/graphql/queries/service-accounts/getServiceAccountDetail.gql'
@@ -21,19 +20,22 @@ import { userHasPermission } from '@/utils/access/permissions'
 import Link from 'next/link'
 import EnableServerSide from '@/graphql/mutations/service-accounts/enableServiceAccountServerSideKeyManagement.gql'
 import EnableClientSide from '@/graphql/mutations/service-accounts/enableServiceAccountClientSideKeyManagement.gql'
+import GenericDialog from '../common/GenericDialog'
 
 interface KeyManagementDialogProps {
   serviceAccount: ServiceAccountType
-  trigger?: React.ReactNode
-  mode?: 'enable' | 'manage'
+  buttonVariant?: ButtonVariant
 }
 
-export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
-  const { serviceAccount, trigger, mode = 'manage' } = props
-
+export const KeyManagementDialog = ({
+  serviceAccount,
+  buttonVariant = 'primary',
+}: KeyManagementDialogProps) => {
   const { activeOrganisation: organisation } = useContext(organisationContext)
   const { keyring } = useContext(KeyringContext)
 
+  const dialogRef = useRef<{ openModal: () => void; closeModal: () => void }>(null)
+
   const { data: serverKeyData } = useQuery(GetServerKey)
   const [enableSSE, { loading: enableLoading }] = useMutation(EnableServerSide)
   const [disableSSE, { loading: disableLoading }] = useMutation(EnableClientSide)
@@ -42,26 +44,22 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
     ? userHasPermission(organisation.role?.permissions, 'ServiceAccounts', 'update')
     : false
 
-  const [isOpen, setIsOpen] = useState<boolean>(false)
   const [selectedMode, setSelectedMode] = useState<'client' | 'server'>(
     serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client'
   )
 
-  const closeModal = () => {
-    setIsOpen(false)
-    // Reset to current state when closing
+  const resetSelectedMode = () =>
     setSelectedMode(serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client')
-  }
 
-  const openModal = () => {
-    // Always sync mode with latest account state on open
+  const closeModal = () => {
+    dialogRef.current?.closeModal()
+    // Reset to current state when closing
     setSelectedMode(serviceAccount.serverSideKeyManagementEnabled ? 'server' : 'client')
-    setIsOpen(true)
   }
 
   const handleSave = async (e: { preventDefault: () => void }) => {
     e.preventDefault()
-    setIsOpen(false)
+    dialogRef.current?.closeModal()
 
     if (selectedMode === 'server' && !serviceAccount.serverSideKeyManagementEnabled) {
       // Enable server-side encryption
@@ -161,229 +159,193 @@ export const KeyManagementDialog = (props: KeyManagementDialogProps) => {
   const hasChanges = selectedMode !== currentMode
 
   return (
-    <>
-      {trigger ? (
-        <div onClick={openModal} className="cursor-pointer">
-          {trigger}
-        </div>
-      ) : (
-        <div className="flex items-center justify-center">
-          <Button variant="primary" onClick={openModal} title="Manage Key Settings">
-            <FaCog /> Manage
-          </Button>
-        </div>
-      )}
+    <GenericDialog
+      ref={dialogRef}
+      title="Key Management Settings"
+      onOpen={resetSelectedMode}
+      buttonVariant={buttonVariant}
+      buttonContent={
+        <>
+          <FaCog /> Manage
+        </>
+      }
+      dialogTitle={
+        <div className="flex w-full justify-between items-center">
+          <h3 className="text-lg font-medium leading-6 text-black dark:text-white ">
+            Key Management Settings
+          </h3>
 
-      <Transition appear show={isOpen} as={Fragment}>
-        <Dialog as="div" className="relative z-10" onClose={closeModal}>
-          <Transition.Child
-            as={Fragment}
-            enter="ease-out duration-300"
-            enterFrom="opacity-0"
-            enterTo="opacity-100"
-            leave="ease-in duration-200"
-            leaveFrom="opacity-100"
-            leaveTo="opacity-0"
-          >
-            <div className="fixed inset-0 bg-black/25 backdrop-blur-md" />
-          </Transition.Child>
+          <div className="inline-flex items-center gap-2">
+            <Link
+              href="https://docs.phase.dev/access-control/service-accounts"
+              target="_blank"
+              rel="noreferrer"
+            >
+              <Button type="button" variant="outline">
+                <MdMenuBook className="my-1 shrink-0" />
+                Docs
+              </Button>
+            </Link>
+          </div>
+        </div>
+      }
+    >
+      {' '}
+      {userCanManageKeys ? (
+        <form className="space-y-6" onSubmit={handleSave}>
+          <p className="text-neutral-500 text-sm pb-4">
+            Choose where and how keys are managed for this Service Account
+          </p>
 
-          <div className="fixed inset-0 overflow-y-auto">
-            <div className="flex min-h-full items-center justify-center p-4 text-center">
-              <Transition.Child
-                as={Fragment}
-                enter="ease-out duration-300"
-                enterFrom="opacity-0 scale-95"
-                enterTo="opacity-100 scale-100"
-                leave="ease-in duration-200"
-                leaveFrom="opacity-100 scale-100"
-                leaveTo="opacity-0 scale-95"
+          <div className="space-y-4">
+            {/* Client-side option */}
+            <label
+              className={clsx(
+                'flex items-start gap-3 p-4 rounded-lg cursor-pointer transition-colors ease ring-1 ring-inset',
+                selectedMode === 'client'
+                  ? 'bg-emerald-400/10 ring-emerald-400/30'
+                  : 'ring-neutral-500/20 hover:bg-neutral-50 dark:hover:bg-neutral-800'
+              )}
+            >
+              <input
+                type="radio"
+                name="keyManagement"
+                value="client"
+                checked={selectedMode === 'client'}
+                onChange={(e) => setSelectedMode('client')}
+                className="sr-only peer"
+              />
+              <span
+                className={clsx(
+                  'mt-1 h-4 w-4 rounded-full border flex items-center justify-center shrink-0',
+                  selectedMode === 'client' ? 'border-emerald-500' : 'border-neutral-400'
+                )}
               >
-                <Dialog.Panel className="w-full max-w-2xl transform overflow-hidden rounded-2xl bg-neutral-100 dark:bg-neutral-900 p-6 text-left align-middle shadow-xl transition-all">
-                  <Dialog.Title as="div" className="flex w-full justify-between items-center">
-                    <h3 className="text-lg font-medium leading-6 text-black dark:text-white ">
-                      Key Management Settings
-                    </h3>
-
-                    <div className="flex items-center gap-2">
-                      <Link
-                        href="https://docs.phase.dev/access-control/service-accounts"
-                        target="_blank"
-                        rel="noreferrer"
-                      >
-                        <Button type="button" variant="outline">
-                          <MdMenuBook className="my-1 shrink-0" />
-                          Docs
-                        </Button>
-                      </Link>
-
-                      <Button variant="text" onClick={closeModal}>
-                        <FaTimes className="text-zinc-900 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-300" />
-                      </Button>
-                    </div>
-                  </Dialog.Title>
-
-                  {userCanManageKeys ? (
-                    <form className="space-y-6 py-4" onSubmit={handleSave}>
-                      <p className="text-neutral-500">
-                        Choose where and how keys are managed for this Service Account:
-                      </p>
-
-                      <div className="space-y-4">
-                        {/* Client-side option */}
-                        <label
-                          className={clsx(
-                            'flex items-start gap-3 p-4 rounded-lg cursor-pointer transition-colors ring-1 ring-inset',
-                            selectedMode === 'client'
-                              ? 'bg-emerald-400/10 ring-emerald-400/30'
-                              : 'ring-neutral-500/20 hover:bg-neutral-50 dark:hover:bg-neutral-800'
-                          )}
-                        >
-                          <input
-                            type="radio"
-                            name="keyManagement"
-                            value="client"
-                            checked={selectedMode === 'client'}
-                            onChange={(e) => setSelectedMode('client')}
-                            className="sr-only peer"
-                          />
-                          <span
-                            className={clsx(
-                              'mt-1 h-4 w-4 rounded-full border flex items-center justify-center shrink-0',
-                              selectedMode === 'client'
-                                ? 'border-emerald-500'
-                                : 'border-neutral-400'
-                            )}
-                          >
-                            <span
-                              className={clsx(
-                                'h-2.5 w-2.5 rounded-full transition-colors',
-                                selectedMode === 'client' ? 'bg-emerald-500' : 'bg-transparent'
-                              )}
-                            />
-                          </span>
-                          <div className="flex-1">
-                            <div
-                              className={clsx(
-                                'flex items-center gap-2 font-medium',
-                                selectedMode === 'client'
-                                  ? 'text-emerald-600'
-                                  : 'text-black dark:text-white'
-                              )}
-                            >
-                              <FaArrowDownUpLock
-                                className={clsx(
-                                  selectedMode === 'client' ? 'text-emerald-500' : ''
-                                )}
-                              />
-                              Client-side key management
-                            </div>
-                            <p className="text-sm text-neutral-500 mt-1">
-                              Handle all cryptographic operations such as token generation on the
-                              client with end-to-end encryption. Requires manual intervention.
-                            </p>
-                          </div>
-                        </label>
+                <span
+                  className={clsx(
+                    'h-2.5 w-2.5 rounded-full transition-colors ease',
+                    selectedMode === 'client' ? 'bg-emerald-500' : 'bg-transparent'
+                  )}
+                />
+              </span>
+              <div className="flex-1">
+                <div
+                  className={clsx(
+                    'flex items-center gap-2 font-medium',
+                    selectedMode === 'client'
+                      ? 'text-emerald-600 dark:text-emerald-400'
+                      : 'text-black dark:text-white'
+                  )}
+                >
+                  <FaArrowDownUpLock
+                    className={clsx(
+                      selectedMode === 'client' ? 'text-emerald-600 dark:text-emerald-400' : ''
+                    )}
+                  />
+                  Client-side key management
+                </div>
+                <p className="text-sm text-neutral-500 mt-1">
+                  Handle all cryptographic operations such as token generation on the client with
+                  end-to-end encryption. Requires manual intervention.
+                </p>
+              </div>
+            </label>
 
-                        {/* Server-side option */}
-                        <label
-                          className={clsx(
-                            'flex items-start gap-3 p-4 rounded-lg cursor-pointer transition-colors ring-1 ring-inset',
-                            selectedMode === 'server'
-                              ? 'bg-sky-400/10 ring-sky-400/30'
-                              : 'ring-neutral-500/20 hover:bg-neutral-50 dark:hover:bg-neutral-800'
-                          )}
-                        >
-                          <input
-                            type="radio"
-                            name="keyManagement"
-                            value="server"
-                            checked={selectedMode === 'server'}
-                            onChange={(e) => setSelectedMode('server')}
-                            className="sr-only peer"
-                          />
-                          <span
-                            className={clsx(
-                              'mt-1 h-4 w-4 rounded-full border flex items-center justify-center shrink-0',
-                              selectedMode === 'server' ? 'border-sky-500' : 'border-neutral-400'
-                            )}
-                          >
-                            <span
-                              className={clsx(
-                                'h-2.5 w-2.5 rounded-full transition-colors',
-                                selectedMode === 'server' ? 'bg-sky-500' : 'bg-transparent'
-                              )}
-                            />
-                          </span>
-                          <div className="flex-1">
-                            <div
-                              className={clsx(
-                                'flex items-center gap-2 font-medium',
-                                selectedMode === 'server'
-                                  ? 'text-sky-600'
-                                  : 'text-black dark:text-white'
-                              )}
-                            >
-                              <FaServer
-                                className={clsx(selectedMode === 'server' ? 'text-sky-500' : '')}
-                              />
-                              Server-side key management
-                            </div>
-                            <p className="text-sm text-neutral-500 mt-1">
-                              Allow the server to manage keys on behalf of the Service Account.
-                              Enables automated operations, token generation, and API access without
-                              manual intervention.
-                            </p>
-                          </div>
-                        </label>
-                      </div>
+            {/* Server-side option */}
+            <label
+              className={clsx(
+                'flex items-start gap-3 p-4 rounded-lg cursor-pointer transition-colors ease ring-1 ring-inset',
+                selectedMode === 'server'
+                  ? 'bg-sky-400/10 ring-sky-400/30'
+                  : 'ring-neutral-500/20 hover:bg-neutral-50 dark:hover:bg-neutral-800'
+              )}
+            >
+              <input
+                type="radio"
+                name="keyManagement"
+                value="server"
+                checked={selectedMode === 'server'}
+                onChange={(e) => setSelectedMode('server')}
+                className="sr-only peer"
+              />
+              <span
+                className={clsx(
+                  'mt-1 h-4 w-4 rounded-full border flex items-center justify-center shrink-0',
+                  selectedMode === 'server' ? 'border-sky-500' : 'border-neutral-400'
+                )}
+              >
+                <span
+                  className={clsx(
+                    'h-2.5 w-2.5 rounded-full transition-colors ease',
+                    selectedMode === 'server' ? 'bg-sky-500' : 'bg-transparent'
+                  )}
+                />
+              </span>
+              <div className="flex-1">
+                <div
+                  className={clsx(
+                    'flex items-center gap-2 font-medium',
+                    selectedMode === 'server'
+                      ? 'text-sky-600 dark:text-sky-400'
+                      : 'text-black dark:text-white'
+                  )}
+                >
+                  <FaServer
+                    className={clsx(
+                      selectedMode === 'server' ? 'text-sky-600 dark:text-sky-400' : ''
+                    )}
+                  />
+                  Server-side key management
+                </div>
+                <p className="text-sm text-neutral-500 mt-1">
+                  Allow the server to manage keys on behalf of the Service Account. Enables
+                  automated operations, token generation, and API access without manual
+                  intervention.
+                </p>
+              </div>
+            </label>
+          </div>
 
-                      {hasChanges &&
-                        selectedMode === 'client' &&
-                        serviceAccount.serverSideKeyManagementEnabled && (
-                          <Alert variant="warning" icon={true}>
-                            Switching to client-side key management will remove server access to
-                            this account&apos;s keys. All previously generated access tokens will
-                            continue to work until they expire.
-                          </Alert>
-                        )}
+          {hasChanges &&
+            selectedMode === 'client' &&
+            serviceAccount.serverSideKeyManagementEnabled && (
+              <Alert variant="warning" icon={true} size="sm">
+                Switching to client-side key management will remove server access to this
+                account&apos;s keys. All previously generated access tokens will continue to work
+                until they expire.
+              </Alert>
+            )}
 
-                      <div className="flex items-center gap-4 justify-between">
-                        <Button variant="secondary" type="button" onClick={closeModal}>
-                          Cancel
-                        </Button>
-                        <Button
-                          variant="primary"
-                          type="submit"
-                          isLoading={enableLoading || disableLoading}
-                          disabled={!hasChanges}
-                        >
-                          Save
-                        </Button>
-                      </div>
-                    </form>
-                  ) : (
-                    <div className="py-4 space-y-4">
-                      <Alert variant="info" icon={true}>
-                        Only users with Service Account update permissions can manage key settings
-                        for this Service Account. Please contact an Organization Owner or Admin.
-                      </Alert>
+          <div className="flex items-center gap-4 justify-between">
+            <Button variant="secondary" type="button" onClick={closeModal}>
+              Cancel
+            </Button>
+            <Button
+              variant="primary"
+              type="submit"
+              isLoading={enableLoading || disableLoading}
+              disabled={!hasChanges}
+            >
+              Save
+            </Button>
+          </div>
+        </form>
+      ) : (
+        <div className="py-4 space-y-4">
+          <Alert variant="info" icon={true}>
+            Only users with Service Account update permissions can manage key settings for this
+            Service Account. Please contact an Organization Owner or Admin.
+          </Alert>
 
-                      <div className="flex items-center justify-end">
-                        <Link href={`/${organisation?.name}/access/service-accounts`}>
-                          <Button variant="secondary">
-                            <FaUsers /> View Service Accounts
-                          </Button>
-                        </Link>
-                      </div>
-                    </div>
-                  )}
-                </Dialog.Panel>
-              </Transition.Child>
-            </div>
+          <div className="flex items-center justify-end">
+            <Link href={`/${organisation?.name}/access/service-accounts`}>
+              <Button variant="secondary">
+                <FaUsers /> View Service Accounts
+              </Button>
+            </Link>
           </div>
-        </Dialog>
-      </Transition>
-    </>
+        </div>
+      )}
+    </GenericDialog>
   )
 }

From df7c5b8742e12e5195c257e75ce07f813db784e5 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 12:10:19 +0530
Subject: [PATCH 68/80] fix: clean up migration graph

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 ...accounttoken_created_by_service_account.py | 19 -------
 ...0107_identity_serviceaccount_identities.py | 37 ------------
 ...accounttoken_created_by_service_account.py | 25 +++++++++
 ...0111_identity_serviceaccount_identities.py | 56 +++++++++++++++++++
 4 files changed, 81 insertions(+), 56 deletions(-)
 delete mode 100644 backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py
 delete mode 100644 backend/api/migrations/0107_identity_serviceaccount_identities.py
 create mode 100644 backend/api/migrations/0110_serviceaccounttoken_created_by_service_account.py
 create mode 100644 backend/api/migrations/0111_identity_serviceaccount_identities.py

diff --git a/backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py b/backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py
deleted file mode 100644
index d48f24941..000000000
--- a/backend/api/migrations/0106_serviceaccounttoken_created_by_service_account.py
+++ /dev/null
@@ -1,19 +0,0 @@
-# Generated by Django 4.2.22 on 2025-08-22 08:59
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('api', '0105_environmentkey_unique_envkey_user_and_more'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='serviceaccounttoken',
-            name='created_by_service_account',
-            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='created_tokens', to='api.serviceaccount'),
-        ),
-    ]
diff --git a/backend/api/migrations/0107_identity_serviceaccount_identities.py b/backend/api/migrations/0107_identity_serviceaccount_identities.py
deleted file mode 100644
index 48ad2fefa..000000000
--- a/backend/api/migrations/0107_identity_serviceaccount_identities.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# Generated by Django 4.2.22 on 2025-08-25 13:24
-
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('api', '0106_serviceaccounttoken_created_by_service_account'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='Identity',
-            fields=[
-                ('id', models.TextField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
-                ('provider', models.CharField(max_length=64)),
-                ('name', models.CharField(max_length=100)),
-                ('description', models.TextField(blank=True, null=True)),
-                ('config', models.JSONField(default=dict)),
-                ('token_name_pattern', models.CharField(blank=True, max_length=128, null=True)),
-                ('default_ttl_seconds', models.IntegerField(default=3600)),
-                ('max_ttl_seconds', models.IntegerField(default=86400)),
-                ('created_at', models.DateTimeField(auto_now_add=True, null=True)),
-                ('updated_at', models.DateTimeField(auto_now=True)),
-                ('deleted_at', models.DateTimeField(blank=True, null=True)),
-                ('organisation', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.organisation')),
-            ],
-        ),
-        migrations.AddField(
-            model_name='serviceaccount',
-            name='identities',
-            field=models.ManyToManyField(blank=True, related_name='service_accounts', to='api.identity'),
-        ),
-    ]
diff --git a/backend/api/migrations/0110_serviceaccounttoken_created_by_service_account.py b/backend/api/migrations/0110_serviceaccounttoken_created_by_service_account.py
new file mode 100644
index 000000000..36cf7c9f5
--- /dev/null
+++ b/backend/api/migrations/0110_serviceaccounttoken_created_by_service_account.py
@@ -0,0 +1,25 @@
+# Generated by Django 4.2.22 on 2025-08-22 08:59
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0109_alter_dynamicsecret_key_map"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="serviceaccounttoken",
+            name="created_by_service_account",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="created_tokens",
+                to="api.serviceaccount",
+            ),
+        ),
+    ]
diff --git a/backend/api/migrations/0111_identity_serviceaccount_identities.py b/backend/api/migrations/0111_identity_serviceaccount_identities.py
new file mode 100644
index 000000000..2a570bbfa
--- /dev/null
+++ b/backend/api/migrations/0111_identity_serviceaccount_identities.py
@@ -0,0 +1,56 @@
+# Generated by Django 4.2.22 on 2025-08-25 13:24
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("api", "0110_serviceaccounttoken_created_by_service_account"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Identity",
+            fields=[
+                (
+                    "id",
+                    models.TextField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("provider", models.CharField(max_length=64)),
+                ("name", models.CharField(max_length=100)),
+                ("description", models.TextField(blank=True, null=True)),
+                ("config", models.JSONField(default=dict)),
+                (
+                    "token_name_pattern",
+                    models.CharField(blank=True, max_length=128, null=True),
+                ),
+                ("default_ttl_seconds", models.IntegerField(default=3600)),
+                ("max_ttl_seconds", models.IntegerField(default=86400)),
+                ("created_at", models.DateTimeField(auto_now_add=True, null=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("deleted_at", models.DateTimeField(blank=True, null=True)),
+                (
+                    "organisation",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="api.organisation",
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="serviceaccount",
+            name="identities",
+            field=models.ManyToManyField(
+                blank=True, related_name="service_accounts", to="api.identity"
+            ),
+        ),
+    ]

From 504662c58143ee0cad75d3d372136a091d3a54d3 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 12:10:29 +0530
Subject: [PATCH 69/80] chore: regenrate schema and types

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/apollo/graphql.ts     |  14 +-
 frontend/apollo/schema.graphql | 520 ++++++---------------------------
 2 files changed, 89 insertions(+), 445 deletions(-)

diff --git a/frontend/apollo/graphql.ts b/frontend/apollo/graphql.ts
index 509feed91..48d2a2d45 100644
--- a/frontend/apollo/graphql.ts
+++ b/frontend/apollo/graphql.ts
@@ -243,13 +243,6 @@ export type AppType = {
   wrappedKeyShare: Scalars['String']['output'];
 };
 
-export type AwsIamConfigType = {
-  __typename?: 'AwsIamConfigType';
-  signatureTtlSeconds?: Maybe<Scalars['Int']['output']>;
-  stsEndpoint?: Maybe<Scalars['String']['output']>;
-  trustedPrincipals?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
-}
-
 export type AwsCredentialsType = {
   __typename?: 'AwsCredentialsType';
   accessKeyId?: Maybe<Scalars['String']['output']>;
@@ -257,6 +250,13 @@ export type AwsCredentialsType = {
   username?: Maybe<Scalars['String']['output']>;
 };
 
+export type AwsIamConfigType = {
+  __typename?: 'AwsIamConfigType';
+  signatureTtlSeconds?: Maybe<Scalars['Int']['output']>;
+  stsEndpoint?: Maybe<Scalars['String']['output']>;
+  trustedPrincipals?: Maybe<Array<Maybe<Scalars['String']['output']>>>;
+};
+
 export enum BillingPeriodEnum {
   Monthly = 'MONTHLY',
   Yearly = 'YEARLY'
diff --git a/frontend/apollo/schema.graphql b/frontend/apollo/schema.graphql
index 42a1ba00a..6154c9b23 100644
--- a/frontend/apollo/schema.graphql
+++ b/frontend/apollo/schema.graphql
@@ -14,22 +14,9 @@ type Query {
   validateInvite(inviteId: ID): OrganisationMemberInviteType
   apps(organisationId: ID, appId: ID): [AppType]
   kmsLogs(appId: ID, start: BigInt, end: BigInt): KMSLogsResponseType
-  secretLogs(
-    appId: ID
-    start: BigInt
-    end: BigInt
-    eventTypes: [String]
-    memberId: ID
-    memberType: MemberType
-    environmentId: ID
-  ): SecretLogsResponseType
+  secretLogs(appId: ID, start: BigInt, end: BigInt, eventTypes: [String], memberId: ID, memberType: MemberType, environmentId: ID): SecretLogsResponseType
   appActivityChart(appId: ID, period: TimeRange): [ChartDataPointType]
-  appEnvironments(
-    appId: ID
-    environmentId: ID
-    memberId: ID
-    memberType: MemberType
-  ): [EnvironmentType]
+  appEnvironments(appId: ID, environmentId: ID, memberId: ID, memberType: MemberType): [EnvironmentType]
   appUsers(appId: ID): [OrganisationMemberType]
   appServiceAccounts(appId: ID): [ServiceAccountType]
   secrets(envId: ID, path: String, id: ID): [SecretType]
@@ -65,11 +52,7 @@ type Query {
   testVaultCreds(credentialId: ID): Boolean
   testNomadCreds(credentialId: ID): Boolean
   validateAwsAssumeRoleAuth: AWSValidationResultType
-  validateAwsAssumeRoleCredentials(
-    roleArn: String!
-    region: String
-    externalId: String
-  ): AWSValidationResultType
+  validateAwsAssumeRoleCredentials(roleArn: String!, region: String, externalId: String): AWSValidationResultType
   stripeCheckoutDetails(stripeSessionId: String!): StripeCheckoutDetails
   stripeSubscriptionDetails(organisationId: ID): StripeSubscriptionDetails
   stripeCustomerPortalUrl(organisationId: ID!): String
@@ -98,19 +81,13 @@ value as specified by
 scalar DateTime
 
 enum ApiOrganisationPlanChoices {
-  """
-  Free
-  """
+  """Free"""
   FR
 
-  """
-  Pro
-  """
+  """Pro"""
   PR
 
-  """
-  Enterprise
-  """
+  """Enterprise"""
   EN
 }
 
@@ -212,24 +189,16 @@ type EnvironmentType {
 }
 
 enum ApiEnvironmentEnvTypeChoices {
-  """
-  Development
-  """
+  """Development"""
   DEV
 
-  """
-  Staging
-  """
+  """Staging"""
   STAGING
 
-  """
-  Production
-  """
+  """Production"""
   PROD
 
-  """
-  Custom
-  """
+  """Custom"""
   CUSTOM
 }
 
@@ -377,24 +346,16 @@ type AwsIamConfigType {
 }
 
 enum ApiSecretEventEventTypeChoices {
-  """
-  Create
-  """
+  """Create"""
   C
 
-  """
-  Read
-  """
+  """Read"""
   R
 
-  """
-  Update
-  """
+  """Update"""
   U
 
-  """
-  Delete
-  """
+  """Delete"""
   D
 }
 
@@ -417,9 +378,7 @@ type DynamicSecretType {
   path: String!
   authentication: ProviderCredentialsType
 
-  """
-  Which provider this secret is associated with.
-  """
+  """Which provider this secret is associated with."""
   provider: ApiDynamicSecretProviderChoices!
   config: DynamicSecretConfigUnion
   keyMap: [KeyMap]
@@ -450,9 +409,7 @@ type ProviderType {
 }
 
 enum ApiDynamicSecretProviderChoices {
-  """
-  AWS
-  """
+  """AWS"""
   AWS
 }
 
@@ -488,9 +445,7 @@ type DynamicSecretLeaseType {
   serviceAccount: ServiceAccountType
   ttl: Int
 
-  """
-  Current status of the lease
-  """
+  """Current status of the lease"""
   status: ApiDynamicSecretLeaseStatusChoices!
   credentials: LeaseCredentialsUnion
   createdAt: DateTime
@@ -501,29 +456,19 @@ type DynamicSecretLeaseType {
 }
 
 enum ApiDynamicSecretLeaseStatusChoices {
-  """
-  Created
-  """
+  """Created"""
   CREATED
 
-  """
-  Active
-  """
+  """Active"""
   ACTIVE
 
-  """
-  Renewed
-  """
+  """Renewed"""
   RENEWED
 
-  """
-  Revoked
-  """
+  """Revoked"""
   REVOKED
 
-  """
-  Expired
-  """
+  """Expired"""
   EXPIRED
 }
 
@@ -548,29 +493,19 @@ type DynamicSecretLeaseEventType {
 }
 
 enum ApiDynamicSecretLeaseEventEventTypeChoices {
-  """
-  Created
-  """
+  """Created"""
   CREATED
 
-  """
-  Active
-  """
+  """Active"""
   ACTIVE
 
-  """
-  Renewed
-  """
+  """Renewed"""
   RENEWED
 
-  """
-  Revoked
-  """
+  """Revoked"""
   REVOKED
 
-  """
-  Expired
-  """
+  """Expired"""
   EXPIRED
 }
 
@@ -589,29 +524,19 @@ type EnvironmentSyncType {
 }
 
 enum ApiEnvironmentSyncStatusChoices {
-  """
-  In progress
-  """
+  """In progress"""
   IN_PROGRESS
 
-  """
-  Completed
-  """
+  """Completed"""
   COMPLETED
 
-  """
-  cancelled
-  """
+  """cancelled"""
   CANCELLED
 
-  """
-  Timed out
-  """
+  """Timed out"""
   TIMED_OUT
 
-  """
-  Failed
-  """
+  """Failed"""
   FAILED
 }
 
@@ -632,29 +557,19 @@ type EnvironmentSyncEventType {
 }
 
 enum ApiEnvironmentSyncEventStatusChoices {
-  """
-  In progress
-  """
+  """In progress"""
   IN_PROGRESS
 
-  """
-  Completed
-  """
+  """Completed"""
   COMPLETED
 
-  """
-  cancelled
-  """
+  """cancelled"""
   CANCELLED
 
-  """
-  Timed out
-  """
+  """Timed out"""
   TIMED_OUT
 
-  """
-  Failed
-  """
+  """Failed"""
   FAILED
 }
 
@@ -717,19 +632,13 @@ type ActivatedPhaseLicenseType {
 }
 
 enum ApiActivatedPhaseLicensePlanChoices {
-  """
-  Free
-  """
+  """Free"""
   FR
 
-  """
-  Pro
-  """
+  """Pro"""
   PR
 
-  """
-  Enterprise
-  """
+  """Enterprise"""
   EN
 }
 
@@ -784,13 +693,9 @@ type KMSLogType implements Node {
   longitude: Float
 }
 
-"""
-An object with an ID
-"""
+"""An object with an ID"""
 interface Node {
-  """
-  The ID of the object
-  """
+  """The ID of the object"""
   id: ID!
 }
 
@@ -1036,293 +941,66 @@ type DynamicSecretProviderType {
 }
 
 type Mutation {
-  createOrganisation(
-    id: ID!
-    identityKey: String!
-    name: String!
-    wrappedKeyring: String!
-    wrappedRecovery: String!
-  ): CreateOrganisationMutation
-  bulkInviteOrganisationMembers(
-    invites: [InviteInput]!
-    orgId: ID!
-  ): BulkInviteOrganisationMembersMutation
-  createOrganisationMember(
-    identityKey: String!
-    inviteId: ID!
-    orgId: ID!
-    wrappedKeyring: String
-    wrappedRecovery: String
-  ): CreateOrganisationMemberMutation
+  createOrganisation(id: ID!, identityKey: String!, name: String!, wrappedKeyring: String!, wrappedRecovery: String!): CreateOrganisationMutation
+  bulkInviteOrganisationMembers(invites: [InviteInput]!, orgId: ID!): BulkInviteOrganisationMembersMutation
+  createOrganisationMember(identityKey: String!, inviteId: ID!, orgId: ID!, wrappedKeyring: String, wrappedRecovery: String): CreateOrganisationMemberMutation
   deleteOrganisationMember(memberId: ID!): DeleteOrganisationMemberMutation
   updateOrganisationMemberRole(memberId: ID!, roleId: ID!): UpdateOrganisationMemberRole
-  updateMemberWrappedSecrets(
-    orgId: ID!
-    wrappedKeyring: String!
-    wrappedRecovery: String!
-  ): UpdateUserWrappedSecretsMutation
+  updateMemberWrappedSecrets(orgId: ID!, wrappedKeyring: String!, wrappedRecovery: String!): UpdateUserWrappedSecretsMutation
   deleteInvitation(inviteId: ID!): DeleteInviteMutation
-  createApp(
-    appSeed: String!
-    appToken: String!
-    appVersion: Int!
-    id: ID!
-    identityKey: String!
-    name: String!
-    organisationId: ID!
-    wrappedKeyShare: String!
-  ): CreateAppMutation
+  createApp(appSeed: String!, appToken: String!, appVersion: Int!, id: ID!, identityKey: String!, name: String!, organisationId: ID!, wrappedKeyShare: String!): CreateAppMutation
   rotateAppKeys(appToken: String!, id: ID!, wrappedKeyShare: String!): RotateAppKeysMutation
   deleteApp(id: ID!): DeleteAppMutation
   updateAppName(id: ID!, name: String!): UpdateAppNameMutation
-  addAppMember(
-    appId: ID
-    envKeys: [EnvironmentKeyInput]
-    memberId: ID
-    memberType: MemberType
-  ): AddAppMemberMutation
+  addAppMember(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): AddAppMemberMutation
   bulkAddAppMembers(appId: ID!, members: [AppMemberInputType]!): BulkAddAppMembersMutation
   removeAppMember(appId: ID, memberId: ID, memberType: MemberType): RemoveAppMemberMutation
-  updateMemberEnvironmentScope(
-    appId: ID
-    envKeys: [EnvironmentKeyInput]
-    memberId: ID
-    memberType: MemberType
-  ): UpdateMemberEnvScopeMutation
-  createEnvironment(
-    adminKeys: [EnvironmentKeyInput]
-    environmentData: EnvironmentInput!
-    wrappedSalt: String
-    wrappedSeed: String
-  ): CreateEnvironmentMutation
+  updateMemberEnvironmentScope(appId: ID, envKeys: [EnvironmentKeyInput], memberId: ID, memberType: MemberType): UpdateMemberEnvScopeMutation
+  createEnvironment(adminKeys: [EnvironmentKeyInput], environmentData: EnvironmentInput!, wrappedSalt: String, wrappedSeed: String): CreateEnvironmentMutation
   deleteEnvironment(environmentId: ID!): DeleteEnvironmentMutation
   renameEnvironment(environmentId: ID!, name: String!): RenameEnvironmentMutation
   swapEnvironmentOrder(environment1Id: ID!, environment2Id: ID!): SwapEnvironmentOrderMutation
-  createEnvironmentKey(
-    envId: ID!
-    identityKey: String!
-    userId: ID
-    wrappedSalt: String!
-    wrappedSeed: String!
-  ): CreateEnvironmentKeyMutation
-  createEnvironmentToken(
-    envId: ID!
-    identityKey: String!
-    name: String!
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateEnvironmentTokenMutation
-  createCustomRole(
-    color: String
-    description: String
-    name: String
-    organisationId: ID!
-    permissions: JSONString
-  ): CreateCustomRoleMutation
-  updateCustomRole(
-    color: String
-    description: String
-    id: ID!
-    name: String
-    permissions: JSONString
-  ): UpdateCustomRoleMutation
+  createEnvironmentKey(envId: ID!, identityKey: String!, userId: ID, wrappedSalt: String!, wrappedSeed: String!): CreateEnvironmentKeyMutation
+  createEnvironmentToken(envId: ID!, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateEnvironmentTokenMutation
+  createCustomRole(color: String, description: String, name: String, organisationId: ID!, permissions: JSONString): CreateCustomRoleMutation
+  updateCustomRole(color: String, description: String, id: ID!, name: String, permissions: JSONString): UpdateCustomRoleMutation
   deleteCustomRole(id: ID!): DeleteCustomRoleMutation
-  createNetworkAccessPolicy(
-    allowedIps: String!
-    isGlobal: Boolean!
-    name: String
-    organisationId: ID!
-  ): CreateNetworkAccessPolicyMutation
+  createNetworkAccessPolicy(allowedIps: String!, isGlobal: Boolean!, name: String, organisationId: ID!): CreateNetworkAccessPolicyMutation
   updateNetworkAccessPolicy(policyInputs: [UpdatePolicyInput]): UpdateNetworkAccessPolicyMutation
   deleteNetworkAccessPolicy(id: ID!): DeleteNetworkAccessPolicyMutation
-  updateAccountNetworkAccessPolicies(
-    accountInputs: [AccountPolicyInput]
-    organisationId: ID!
-  ): UpdateAccountNetworkAccessPolicies
-  createIdentity(
-    defaultTtlSeconds: Int!
-    description: String
-    maxTtlSeconds: Int!
-    name: String!
-    organisationId: ID!
-    provider: String!
-    signatureTtlSeconds: Int
-    stsEndpoint: String
-    tokenNamePattern: String
-    trustedPrincipals: String!
-  ): CreateIdentityMutation
-  updateIdentity(
-    defaultTtlSeconds: Int
-    description: String
-    id: ID!
-    maxTtlSeconds: Int
-    name: String
-    signatureTtlSeconds: Int
-    stsEndpoint: String
-    tokenNamePattern: String
-    trustedPrincipals: String
-  ): UpdateIdentityMutation
+  updateAccountNetworkAccessPolicies(accountInputs: [AccountPolicyInput], organisationId: ID!): UpdateAccountNetworkAccessPolicies
+  createIdentity(defaultTtlSeconds: Int!, description: String, maxTtlSeconds: Int!, name: String!, organisationId: ID!, provider: String!, signatureTtlSeconds: Int, stsEndpoint: String, tokenNamePattern: String, trustedPrincipals: String!): CreateIdentityMutation
+  updateIdentity(defaultTtlSeconds: Int, description: String, id: ID!, maxTtlSeconds: Int, name: String, signatureTtlSeconds: Int, stsEndpoint: String, tokenNamePattern: String, trustedPrincipals: String): UpdateIdentityMutation
   deleteIdentity(id: ID!): DeleteIdentityMutation
-  createServiceAccount(
-    handlers: [ServiceAccountHandlerInput]
-    identityKey: String
-    name: String
-    organisationId: ID
-    roleId: ID
-    serverWrappedKeyring: String
-    serverWrappedRecovery: String
-  ): CreateServiceAccountMutation
-
-  enableServiceAccountServerSideKeyManagement(
-    serverWrappedKeyring: String
-    serverWrappedRecovery: String
-    serviceAccountId: ID
-  ): EnableServiceAccountServerSideKeyManagementMutation
-  enableServiceAccountClientSideKeyManagement(
-    serviceAccountId: ID
-  ): EnableServiceAccountClientSideKeyManagementMutation
+  createServiceAccount(handlers: [ServiceAccountHandlerInput], identityKey: String, name: String, organisationId: ID, roleId: ID, serverWrappedKeyring: String, serverWrappedRecovery: String): CreateServiceAccountMutation
   enableServiceAccountServerSideKeyManagement(serverWrappedKeyring: String, serverWrappedRecovery: String, serviceAccountId: ID): EnableServiceAccountServerSideKeyManagementMutation
   enableServiceAccountClientSideKeyManagement(serviceAccountId: ID): EnableServiceAccountClientSideKeyManagementMutation
-  enableServiceAccountThirdPartyAuth(
-    serverWrappedKeyring: String
-    serverWrappedRecovery: String
-    serviceAccountId: ID
-  ): EnableServiceAccountThirdPartyAuthMutation
-  updateServiceAccountHandlers(
-    handlers: [ServiceAccountHandlerInput]
-    organisationId: ID
-  ): UpdateServiceAccountHandlersMutation
-  updateServiceAccount(
-    identityIds: [ID!]
-    name: String
-    roleId: ID
-    serviceAccountId: ID
-  ): UpdateServiceAccountMutation
+  updateServiceAccountHandlers(handlers: [ServiceAccountHandlerInput], organisationId: ID): UpdateServiceAccountHandlersMutation
+  updateServiceAccount(identityIds: [ID!], name: String, roleId: ID, serviceAccountId: ID): UpdateServiceAccountMutation
   deleteServiceAccount(serviceAccountId: ID): DeleteServiceAccountMutation
-  createServiceAccountToken(
-    expiry: BigInt
-    identityKey: String!
-    name: String!
-    serviceAccountId: ID
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateServiceAccountTokenMutation
+  createServiceAccountToken(expiry: BigInt, identityKey: String!, name: String!, serviceAccountId: ID, token: String!, wrappedKeyShare: String!): CreateServiceAccountTokenMutation
   deleteServiceAccountToken(tokenId: ID): DeleteServiceAccountTokenMutation
   initEnvSync(appId: ID, envKeys: [EnvironmentKeyInput]): InitEnvSync
   deleteEnvSync(syncId: ID): DeleteSync
   triggerSync(syncId: ID): TriggerSync
   toggleSyncActive(syncId: ID): ToggleSyncActive
   updateSyncAuthentication(credentialId: ID, syncId: ID): UpdateSyncAuthentication
-  createProviderCredentials(
-    credentials: JSONString
-    name: String
-    orgId: ID
-    provider: String
-  ): CreateProviderCredentials
-  updateProviderCredentials(
-    credentialId: ID
-    credentials: JSONString
-    name: String
-  ): UpdateProviderCredentials
+  createProviderCredentials(credentials: JSONString, name: String, orgId: ID, provider: String): CreateProviderCredentials
+  updateProviderCredentials(credentialId: ID, credentials: JSONString, name: String): UpdateProviderCredentials
   deleteProviderCredentials(credentialId: ID): DeleteProviderCredentials
-  createCloudflarePagesSync(
-    credentialId: ID
-    deploymentId: ID
-    envId: ID
-    path: String
-    projectEnv: String
-    projectName: String
-  ): CreateCloudflarePagesSync
-  createCloudflareWorkersSync(
-    credentialId: ID
-    envId: ID
-    path: String
-    workerName: String
-  ): CreateCloudflareWorkersSync
-  createAwsSecretSync(
-    credentialId: ID
-    envId: ID
-    kmsId: String
-    path: String
-    secretName: String
-  ): CreateAWSSecretsManagerSync
-  createGhActionsSync(
-    credentialId: ID
-    envId: ID
-    owner: String
-    path: String
-    repoName: String
-  ): CreateGitHubActionsSync
-  createVaultSync(
-    credentialId: ID
-    engine: String
-    envId: ID
-    path: String
-    vaultPath: String
-  ): CreateVaultSync
-  createNomadSync(
-    credentialId: ID
-    envId: ID
-    nomadNamespace: String
-    nomadPath: String
-    path: String
-  ): CreateNomadSync
-  createGitlabCiSync(
-    credentialId: ID
-    envId: ID
-    isGroup: Boolean
-    masked: Boolean
-    path: String
-    protected: Boolean
-    resourceId: String
-    resourcePath: String
-  ): CreateGitLabCISync
-  createRailwaySync(
-    credentialId: ID
-    envId: ID
-    path: String
-    railwayEnvironment: RailwayResourceInput
-    railwayProject: RailwayResourceInput
-    railwayService: RailwayResourceInput
-  ): CreateRailwaySync
-  createVercelSync(
-    credentialId: ID
-    envId: ID
-    environment: String
-    path: String
-    projectId: String
-    projectName: String
-    secretType: String
-    teamId: String
-    teamName: String
-  ): CreateVercelSync
-  createRenderSync(
-    credentialId: ID
-    envId: ID
-    path: String
-    resourceId: String
-    resourceName: String
-    resourceType: RenderResourceType
-    secretFileName: String
-  ): CreateRenderSync
-  createUserToken(
-    expiry: BigInt
-    identityKey: String!
-    name: String!
-    orgId: ID!
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateUserTokenMutation
+  createCloudflarePagesSync(credentialId: ID, deploymentId: ID, envId: ID, path: String, projectEnv: String, projectName: String): CreateCloudflarePagesSync
+  createCloudflareWorkersSync(credentialId: ID, envId: ID, path: String, workerName: String): CreateCloudflareWorkersSync
+  createAwsSecretSync(credentialId: ID, envId: ID, kmsId: String, path: String, secretName: String): CreateAWSSecretsManagerSync
+  createGhActionsSync(credentialId: ID, envId: ID, owner: String, path: String, repoName: String): CreateGitHubActionsSync
+  createVaultSync(credentialId: ID, engine: String, envId: ID, path: String, vaultPath: String): CreateVaultSync
+  createNomadSync(credentialId: ID, envId: ID, nomadNamespace: String, nomadPath: String, path: String): CreateNomadSync
+  createGitlabCiSync(credentialId: ID, envId: ID, isGroup: Boolean, masked: Boolean, path: String, protected: Boolean, resourceId: String, resourcePath: String): CreateGitLabCISync
+  createRailwaySync(credentialId: ID, envId: ID, path: String, railwayEnvironment: RailwayResourceInput, railwayProject: RailwayResourceInput, railwayService: RailwayResourceInput): CreateRailwaySync
+  createVercelSync(credentialId: ID, envId: ID, environment: String, path: String, projectId: String, projectName: String, secretType: String, teamId: String, teamName: String): CreateVercelSync
+  createRenderSync(credentialId: ID, envId: ID, path: String, resourceId: String, resourceName: String, resourceType: RenderResourceType, secretFileName: String): CreateRenderSync
+  createUserToken(expiry: BigInt, identityKey: String!, name: String!, orgId: ID!, token: String!, wrappedKeyShare: String!): CreateUserTokenMutation
   deleteUserToken(tokenId: ID!): DeleteUserTokenMutation
-  createServiceToken(
-    appId: ID!
-    environmentKeys: [EnvironmentKeyInput]
-    expiry: BigInt
-    identityKey: String!
-    name: String!
-    token: String!
-    wrappedKeyShare: String!
-  ): CreateServiceTokenMutation
+  createServiceToken(appId: ID!, environmentKeys: [EnvironmentKeyInput], expiry: BigInt, identityKey: String!, name: String!, token: String!, wrappedKeyShare: String!): CreateServiceTokenMutation
   deleteServiceToken(tokenId: ID!): DeleteServiceTokenMutation
   createSecretFolder(envId: ID, name: String, path: String): CreateSecretFolderMutation
   deleteSecretFolder(folderId: ID): DeleteSecretFolderMutation
@@ -1337,53 +1015,20 @@ type Mutation {
   createOverride(overrideData: PersonalSecretInput): CreatePersonalSecretMutation
   removeOverride(secretId: ID): DeletePersonalSecretMutation
   createLockbox(input: LockboxInput): CreateLockboxMutation
-  createSubscriptionCheckoutSession(
-    billingPeriod: BillingPeriodEnum
-    organisationId: ID!
-    planType: PlanTypeEnum
-  ): CreateSubscriptionCheckoutSession
+  createSubscriptionCheckoutSession(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum): CreateSubscriptionCheckoutSession
   deletePaymentMethod(organisationId: ID, paymentMethodId: String): DeletePaymentMethodMutation
   cancelSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
   resumeSubscription(organisationId: ID, subscriptionId: String!): UpdateSubscriptionResponse
-  modifySubscription(
-    billingPeriod: BillingPeriodEnum
-    organisationId: ID!
-    planType: PlanTypeEnum
-    subscriptionId: String!
-  ): UpdateSubscriptionResponse
+  modifySubscription(billingPeriod: BillingPeriodEnum, organisationId: ID!, planType: PlanTypeEnum, subscriptionId: String!): UpdateSubscriptionResponse
   createSetupIntent(organisationId: ID): CreateSetupIntentMutation
   setDefaultPaymentMethod(
     organisationId: ID
 
-    """
-    Payment Method ID to set as default
-    """
+    """Payment Method ID to set as default"""
     paymentMethodId: String!
   ): SetDefaultPaymentMethodMutation
-  createAwsDynamicSecret(
-    authenticationId: ID
-    config: AWSConfigInput!
-    defaultTtl: Int
-    description: String
-    environmentId: ID!
-    keyMap: [KeyMapInput]!
-    maxTtl: Int
-    name: String!
-    organisationId: ID!
-    path: String
-  ): CreateAWSDynamicSecretMutation
-  updateAwsDynamicSecret(
-    authenticationId: ID
-    config: AWSConfigInput!
-    defaultTtl: Int
-    description: String
-    dynamicSecretId: ID!
-    keyMap: [KeyMapInput]!
-    maxTtl: Int
-    name: String!
-    organisationId: ID!
-    path: String
-  ): UpdateAWSDynamicSecretMutation
+  createAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, environmentId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): CreateAWSDynamicSecretMutation
+  updateAwsDynamicSecret(authenticationId: ID, config: AWSConfigInput!, defaultTtl: Int, description: String, dynamicSecretId: ID!, keyMap: [KeyMapInput]!, maxTtl: Int, name: String!, organisationId: ID!, path: String): UpdateAWSDynamicSecretMutation
   deleteDynamicSecret(secretId: ID!): DeleteDynamicSecretMutation
   createDynamicSecretLease(name: String, secretId: ID!, ttl: Int): LeaseDynamicSecret
   renewDynamicSecretLease(leaseId: ID!, ttl: Int): RenewLeaseMutation
@@ -1842,5 +1487,4 @@ type RenewLeaseMutation {
 
 type RevokeLeaseMutation {
   lease: DynamicSecretLeaseType
-}
-
+}
\ No newline at end of file

From 0a674f67bee0a77a660fda56ee97e6a51074b6ec Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 12:18:11 +0530
Subject: [PATCH 70/80] chore: organize urls

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/urls.py | 39 +++++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index d06b96579..8da352622 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -17,35 +17,54 @@
 
 CLOUD_HOSTED = settings.APP_HOST == "cloud"
 
+# Core API and System URLs
 urlpatterns = [
-    path("public/", root_endpoint),
+    # System health and info
+    path("health/", health_check),
+    path(
+        "493c5048-99f9-4eac-ad0d-98c3740b491f/health", health_check
+    ),  # Legacy health check - TODO: Remove
+    # Authentication and user management
     path("accounts/", include("allauth.urls")),
     path("auth/", include("dj_rest_auth.urls")),
     path("social/login/", include("api.urls")),
     path("logout/", csrf_exempt(logout_view)),
+    # GraphQL API
     path("graphql/", csrf_exempt(PrivateGraphQLView.as_view(graphiql=True))),
-    path("health/", health_check),
-    # To not break legacy health checks. TODO: Remove
-    path("493c5048-99f9-4eac-ad0d-98c3740b491f/health", health_check),
+    # OAuth integrations
+    path("oauth/github/callback", github_integration_callback),
+    # Secrets management
     path("secrets/", E2EESecretsView.as_view()),
-    path("public/v1/secrets/", PublicSecretsView.as_view()),
     path("secrets/tokens/", secrets_tokens),
-    path("identity/v1/aws/iam/auth", aws_iam_auth),
-    path("oauth/github/callback", github_integration_callback),
+    # Lockbox
     path("lockbox/<box_id>", LockboxView.as_view()),
+]
+
+# Public API URLs
+public_urls = [
+    path("public/", root_endpoint),
+    path("public/v1/secrets/", PublicSecretsView.as_view()),
     path(
         "public/v1/secrets/dynamic/",
         include("ee.integrations.secrets.dynamic.rest.urls"),
     ),
+    path("public/identity/v1/aws/iam/auth/", aws_iam_auth),
 ]
 
+# Add public URLs to main urlpatterns
+urlpatterns.extend(public_urls)
+
+# Cloud-hosted specific URLs
 if CLOUD_HOSTED:
     from ee.billing.webhooks.stripe import stripe_webhook
 
-    urlpatterns.append(path("kms/<app_id>", kms))
-    urlpatterns.append(path("stripe/webhook/", stripe_webhook, name="stripe-webhook"))
-
+    cloud_urls = [
+        path("kms/<app_id>", kms),
+        path("stripe/webhook/", stripe_webhook, name="stripe-webhook"),
+    ]
+    urlpatterns.extend(cloud_urls)
 
+# Admin interface (if enabled)
 try:
     if settings.ADMIN_ENABLED:
         urlpatterns.append(path("admin/", admin.site.urls))

From 113afb78f0ea6069dd6f78171c3348e9cdf94b33 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 13:52:32 +0530
Subject: [PATCH 71/80] chore: update url

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/backend/urls.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index 8da352622..ad0d5cf0e 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -48,7 +48,7 @@
         "public/v1/secrets/dynamic/",
         include("ee.integrations.secrets.dynamic.rest.urls"),
     ),
-    path("public/identity/v1/aws/iam/auth/", aws_iam_auth),
+    path("public/identities/external/v1/aws/iam/auth/", aws_iam_auth),
 ]
 
 # Add public URLs to main urlpatterns

From bf4ecdcf7297028af97e0be32fba3a07ada251f8 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 14:29:17 +0530
Subject: [PATCH 72/80] fix: misc ui cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../identities/AddNewIdentityDialog.tsx          |  5 ++---
 .../providers/EditExternalIdentityDialog.tsx     | 16 +++++++++-------
 .../components/identities/providers/aws/iam.tsx  |  4 ++--
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/frontend/components/identities/AddNewIdentityDialog.tsx b/frontend/components/identities/AddNewIdentityDialog.tsx
index 53cfea5c6..2dc1ba8ea 100644
--- a/frontend/components/identities/AddNewIdentityDialog.tsx
+++ b/frontend/components/identities/AddNewIdentityDialog.tsx
@@ -50,7 +50,6 @@ export const AddNewIdentityDialog = forwardRef<
     <GenericDialog
       ref={dialogRef}
       title="Add Identity Provider"
-      size="lg"
       onClose={handleDialogClose}
       dialogTitle={
         <div>
@@ -58,14 +57,14 @@ export const AddNewIdentityDialog = forwardRef<
         </div>
       }
     >
-      <div className="space-y-8 pt-">
+      <div className="space-y-6">
         <div className="text-neutral-500 text-sm">
           {selectedProvider
             ? 'Configure your identity provider'
             : 'Select a provider below to create a new identity.'}
         </div>
         {!selectedProvider ? (
-          <div className="grid grid-cols-1 sm:grid-cols-2 gap-8">
+          <div className="grid grid-cols-1 gap-8">
             <ProviderCards onProviderSelect={handleProviderSelect} />
           </div>
         ) : selectedProvider === 'aws_iam' ? (
diff --git a/frontend/components/identities/providers/EditExternalIdentityDialog.tsx b/frontend/components/identities/providers/EditExternalIdentityDialog.tsx
index b97044733..b25a60222 100644
--- a/frontend/components/identities/providers/EditExternalIdentityDialog.tsx
+++ b/frontend/components/identities/providers/EditExternalIdentityDialog.tsx
@@ -46,13 +46,15 @@ export const EditExternalIdentityDialog = ({ identity }: { identity: IdentityTyp
         </>
       }
     >
-      {identity.provider === 'aws_iam' && (
-        <AwsIamIdentityForm
-          organisationId={organisation?.id || ''}
-          identity={identity}
-          onSuccess={() => dialogRef.current?.closeModal()}
-        />
-      )}
+      <div className="pt-6">
+        {identity.provider === 'aws_iam' && (
+          <AwsIamIdentityForm
+            organisationId={organisation?.id || ''}
+            identity={identity}
+            onSuccess={() => dialogRef.current?.closeModal()}
+          />
+        )}
+      </div>
     </GenericDialog>
   )
 }
diff --git a/frontend/components/identities/providers/aws/iam.tsx b/frontend/components/identities/providers/aws/iam.tsx
index 434bfbeb6..67708dfd2 100644
--- a/frontend/components/identities/providers/aws/iam.tsx
+++ b/frontend/components/identities/providers/aws/iam.tsx
@@ -255,7 +255,7 @@ export const AwsIamIdentityForm = ({
 
   return (
     <div className="space-y-6">
-      <div className="space-y-6 py-4">
+      <div className="space-y-6">
         <div className="space-y-2">
           <Input
             value={name}
@@ -460,7 +460,7 @@ export const AwsIamIdentityForm = ({
           </div>
         </div>
 
-        <div className="flex items-center justify-between mt-4">
+        <div className="flex items-center justify-between pt-4">
           <div>
             {onBack && (
               <Button variant="secondary" onClick={onBack}>

From d73c4ac8d7c22e5fe69e667e63ff82e33a7fbfa6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 15:14:02 +0530
Subject: [PATCH 73/80] chore: misc cleanup

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/views/identities/aws/iam.py | 48 +++++++++++++++----------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/backend/api/views/identities/aws/iam.py b/backend/api/views/identities/aws/iam.py
index 2a8c982c7..4bbec9c77 100644
--- a/backend/api/views/identities/aws/iam.py
+++ b/backend/api/views/identities/aws/iam.py
@@ -2,7 +2,7 @@
 import json
 from io import StringIO
 from urllib.parse import urlparse
-
+import fnmatch
 import requests
 from defusedxml.ElementTree import parse
 from django.http import JsonResponse
@@ -33,7 +33,9 @@ def aws_iam_auth(request):
     account_type = (account.get("type") or "service").lower()
     account_id = account.get("id")
     if account_type != "service" or not account_id:
-        return JsonResponse({"error": "Only service account authentication supported"}, status=400)
+        return JsonResponse(
+            {"error": "Only service account authentication supported"}, status=400
+        )
 
     # Decode signed request
     try:
@@ -52,9 +54,8 @@ def aws_iam_auth(request):
     try:
         from datetime import datetime, timezone as dt_timezone
 
-        dt = (
-            datetime.strptime(amz_date.replace("Z", ""), "%Y%m%dT%H%M%S")
-            .replace(tzinfo=dt_timezone.utc)
+        dt = datetime.strptime(amz_date.replace("Z", ""), "%Y%m%dT%H%M%S").replace(
+            tzinfo=dt_timezone.utc
         )
     except Exception:
         return JsonResponse({"error": "Invalid X-Amz-Date"}, status=400)
@@ -64,11 +65,15 @@ def aws_iam_auth(request):
     if service_account is None:
         return JsonResponse({"error": "Service account not found"}, status=404)
     if not service_account.server_wrapped_keyring:
-        return JsonResponse({"error": "Server-side key management must be enabled"}, status=403)
+        return JsonResponse(
+            {"error": "Server-side key management must be enabled"}, status=403
+        )
 
     identity = resolve_attached_identity(service_account, "aws_iam")
     if not identity:
-        return JsonResponse({"error": "No AWS IAM identity attached to this account"}, status=404)
+        return JsonResponse(
+            {"error": "No AWS IAM identity attached to this account"}, status=404
+        )
 
     try:
         max_skew = int(identity.config.get("signatureTtlSeconds", 60))
@@ -110,15 +115,18 @@ def aws_iam_auth(request):
         return JsonResponse({"error": "Failed to contact AWS STS"}, status=502)
 
     if resp.status_code != 200:
-        return JsonResponse({"error": "AWS STS validation failed", "status": resp.status_code}, status=401)
+        return JsonResponse(
+            {"error": "AWS STS validation failed", "status": resp.status_code},
+            status=401,
+        )
 
     arn = None
     try:
         xml_root = parse(StringIO(resp.text))
-        
+
         # AWS STS namespace
         ns = {"aws": "https://sts.amazonaws.com/doc/2011-06-15/"}
-        
+
         # Find the ARN element in the GetCallerIdentityResult
         arn_element = xml_root.find(".//aws:GetCallerIdentityResult/aws:Arn", ns)
         if arn_element is not None and arn_element.text:
@@ -130,11 +138,12 @@ def aws_iam_auth(request):
         return JsonResponse({"error": "Unable to parse AWS identity"}, status=500)
 
     # Trust check
-    import fnmatch
-
     trusted = identity.get_trusted_list()
     if any(p == "*" for p in trusted):
-        return JsonResponse({"error": "Invalid trusted principal pattern '*' is not allowed"}, status=400)
+        return JsonResponse(
+            {"error": "Invalid trusted principal pattern '*' is not allowed"},
+            status=400,
+        )
 
     def arn_matches_patterns(value: str, patterns: list[str]) -> bool:
         for pattern in patterns:
@@ -150,11 +159,14 @@ def arn_matches_patterns(value: str, patterns: list[str]) -> bool:
     # Validate requested TTL
     requested_ttl = int(token_req.get("ttl") or identity.default_ttl_seconds)
     max_ttl = identity.max_ttl_seconds
-    
+
     if requested_ttl > max_ttl:
-        return JsonResponse({
-            "error": f"Requested TTL ({requested_ttl}s) exceeds maximum allowed TTL ({max_ttl}s)"
-        }, status=400)
+        return JsonResponse(
+            {
+                "error": f"Requested TTL ({requested_ttl}s) exceeds maximum allowed TTL ({max_ttl}s)"
+            },
+            status=400,
+        )
 
     try:
         auth = mint_service_account_token(
@@ -167,5 +179,3 @@ def arn_matches_patterns(value: str, patterns: list[str]) -> bool:
         return JsonResponse({"error": "Failed to mint token"}, status=500)
 
     return JsonResponse({"authentication": auth})
-
-

From 4860e085c0352b223beaecd09f54cff324fba488 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 18:12:22 +0530
Subject: [PATCH 74/80] chore: rename permission class to ExternalIdentities

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/utils/access/roles.py             | 10 +++---
 backend/backend/graphene/mutations/access.py  | 33 +++++++++++--------
 backend/backend/graphene/queries/access.py    | 10 ++++--
 .../app/[team]/access/identities/page.tsx     |  6 ++--
 .../DeleteExternalIdentityDialog.tsx          |  2 +-
 5 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/backend/api/utils/access/roles.py b/backend/api/utils/access/roles.py
index b672e2ffb..138d0e50d 100644
--- a/backend/api/utils/access/roles.py
+++ b/backend/api/utils/access/roles.py
@@ -12,7 +12,7 @@
             "MemberPersonalAccessTokens": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
-            "Identities": ["create", "read", "update", "delete"],
+            "ExternalIdentities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -44,7 +44,7 @@
             "MemberPersonalAccessTokens": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
-            "Identities": ["create", "read", "update", "delete"],
+            "ExternalIdentities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -75,7 +75,7 @@
             "Members": ["create", "read", "update", "delete"],
             "ServiceAccounts": ["create", "read", "update", "delete"],
             "ServiceAccountTokens": ["create", "read", "update", "delete"],
-            "Identities": ["create", "read", "update", "delete"],
+            "ExternalIdentities": ["create", "read", "update", "delete"],
             "Roles": ["create", "read", "update", "delete"],
             "IntegrationCredentials": ["create", "read", "update", "delete"],
             "NetworkAccessPolicies": ["create", "read", "update", "delete"],
@@ -106,7 +106,7 @@
             "Members": ["read"],
             "ServiceAccounts": [],
             "ServiceAccountTokens": [],
-            "Identities": [],
+            "ExternalIdentities": [],
             "Roles": ["read"],
             "IntegrationCredentials": [
                 "create",
@@ -141,7 +141,7 @@
             "Members": ["read"],
             "ServiceAccounts": ["read"],
             "ServiceAccountTokens": ["read"],
-            "Identities": ["read"],
+            "ExternalIdentities": ["read"],
             "Roles": ["read"],
             "IntegrationCredentials": ["read"],
             "NetworkAccessPolicies": ["read"],
diff --git a/backend/backend/graphene/mutations/access.py b/backend/backend/graphene/mutations/access.py
index 57433b20f..62176e60c 100644
--- a/backend/backend/graphene/mutations/access.py
+++ b/backend/backend/graphene/mutations/access.py
@@ -257,7 +257,7 @@ def mutate(
         user = info.context.user
         org = Organisation.objects.get(id=organisation_id)
 
-        if not user_has_permission(user, "create", "Identities", org):
+        if not user_has_permission(user, "create", "ExternalIdentities", org):
             raise GraphQLError(
                 "You don't have the permissions required to create identities in this organisation"
             )
@@ -324,20 +324,22 @@ def mutate(
         identity = Identity.objects.get(id=id, deleted_at=None)
 
         org = identity.organisation
-        if not user_has_permission(user, "update", "Identities", org):
+        if not user_has_permission(user, "update", "ExternalIdentities", org):
             raise GraphQLError(
                 "You don't have the permissions required to update identities in this organisation"
             )
 
         # Update basic fields using dictionary unpacking
         basic_updates = {
-            k: v for k, v in {
-                'name': name,
-                'description': description,
-                'token_name_pattern': token_name_pattern,
-                'default_ttl_seconds': default_ttl_seconds,
-                'max_ttl_seconds': max_ttl_seconds,
-            }.items() if v is not None
+            k: v
+            for k, v in {
+                "name": name,
+                "description": description,
+                "token_name_pattern": token_name_pattern,
+                "default_ttl_seconds": default_ttl_seconds,
+                "max_ttl_seconds": max_ttl_seconds,
+            }.items()
+            if v is not None
         }
         for field, value in basic_updates.items():
             setattr(identity, field, value)
@@ -345,16 +347,21 @@ def mutate(
         # Update provider-specific config atomically
         config_updates = {}
         if trusted_principals is not None:
-            config_updates["trustedPrincipals"] = [p.strip() for p in trusted_principals.split(",") if p.strip()]
+            config_updates["trustedPrincipals"] = [
+                p.strip() for p in trusted_principals.split(",") if p.strip()
+            ]
         if signature_ttl_seconds is not None:
             config_updates["signatureTtlSeconds"] = signature_ttl_seconds
         if sts_endpoint is not None:
             config_updates["stsEndpoint"] = sts_endpoint
-        
+
         if config_updates:
             identity.config = {**(identity.config or {}), **config_updates}
 
-        if identity.default_ttl_seconds is not None and identity.max_ttl_seconds is not None:
+        if (
+            identity.default_ttl_seconds is not None
+            and identity.max_ttl_seconds is not None
+        ):
             if int(identity.default_ttl_seconds) > int(identity.max_ttl_seconds):
                 raise GraphQLError(
                     "Default token expiry must be less than or equal to Maximum token expiry"
@@ -377,7 +384,7 @@ def mutate(cls, root, info, id):
         identity = Identity.objects.get(id=id, deleted_at=None)
 
         org = identity.organisation
-        if not user_has_permission(user, "delete", "Identities", org):
+        if not user_has_permission(user, "delete", "ExternalIdentities", org):
             raise GraphQLError(
                 "You don't have the permissions required to delete identities in this organisation"
             )
diff --git a/backend/backend/graphene/queries/access.py b/backend/backend/graphene/queries/access.py
index 040a0fb91..f553bee3a 100644
--- a/backend/backend/graphene/queries/access.py
+++ b/backend/backend/graphene/queries/access.py
@@ -1,5 +1,11 @@
 from api.utils.access.permissions import user_has_permission, user_is_org_member
-from api.models import NetworkAccessPolicy, Organisation, OrganisationMember, Role, Identity
+from api.models import (
+    NetworkAccessPolicy,
+    Organisation,
+    OrganisationMember,
+    Role,
+    Identity,
+)
 from graphql import GraphQLError
 from django.db import transaction
 from api.utils.access.roles import default_roles
@@ -106,7 +112,7 @@ def resolve_identities(root, info, organisation_id):
     if user_has_permission(
         info.context.user.userId,
         "read",
-        "Identities",
+        "ExternalIdentities",
         Organisation.objects.get(id=organisation_id),
     ):
         return Identity.objects.filter(organisation_id=organisation_id, deleted_at=None)
diff --git a/frontend/app/[team]/access/identities/page.tsx b/frontend/app/[team]/access/identities/page.tsx
index f9d5fac9f..9313bda4d 100644
--- a/frontend/app/[team]/access/identities/page.tsx
+++ b/frontend/app/[team]/access/identities/page.tsx
@@ -25,13 +25,13 @@ export default function IdentityPage() {
 
   // Permission checks
   const canReadIdentities = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Identities', 'read')
+    ? userHasPermission(organisation.role!.permissions, 'ExternalIdentities', 'read')
     : false
   const canCreateIdentities = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Identities', 'create')
+    ? userHasPermission(organisation.role!.permissions, 'ExternalIdentities', 'create')
     : false
   const canUpdateIdentities = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Identities', 'update')
+    ? userHasPermission(organisation.role!.permissions, 'ExternalIdentities', 'update')
     : false
 
   const { data, refetch } = useQuery(GetOrganisationIdentities, {
diff --git a/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx b/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx
index bf60bd033..358d71e2f 100644
--- a/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx
+++ b/frontend/components/identities/providers/DeleteExternalIdentityDialog.tsx
@@ -19,7 +19,7 @@ export const DeleteExternalIdentityDialog = ({ identity }: { identity: IdentityT
   const closeModal = () => dialogRef.current?.closeModal()
 
   const canDeleteIdentities = organisation
-    ? userHasPermission(organisation.role!.permissions, 'Identities', 'delete')
+    ? userHasPermission(organisation.role!.permissions, 'ExternalIdentities', 'delete')
     : false
 
   const [deleteIdentity, { loading: deleting }] = useMutation(DeleteIdentity)

From dff980b8d7c2590ff562f982370581b2d6d1790a Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Thu, 2 Oct 2025 18:16:31 +0530
Subject: [PATCH 75/80] chore: combine ttl utils into single file

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 .../dynamic/CreateDynamicSecretDialog.tsx     |  2 +-
 .../secrets/dynamic/CreateLeaseDialog.tsx     |  2 +-
 .../secrets/dynamic/RenewLeaseDialog.tsx      |  2 +-
 .../dynamic/UpdateDynamicSecretDialog.tsx     |  2 +-
 frontend/utils/dynamicSecrets.ts              | 28 ------------------
 frontend/utils/ttl.ts                         | 29 +++++++++++++++++++
 6 files changed, 33 insertions(+), 32 deletions(-)
 delete mode 100644 frontend/utils/dynamicSecrets.ts

diff --git a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
index edd58efa7..0363da799 100644
--- a/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateDynamicSecretDialog.tsx
@@ -35,7 +35,7 @@ import { MdOutlinePassword } from 'react-icons/md'
 import { camelCase } from 'lodash'
 import { toast } from 'react-toastify'
 import { EnableSSEDialog } from '@/components/apps/EnableSSEDialog'
-import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/ttl'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
 
diff --git a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
index fadffaf78..f388241cf 100644
--- a/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/CreateLeaseDialog.tsx
@@ -7,7 +7,7 @@ import { Input } from '@/components/common/Input'
 import { organisationContext } from '@/contexts/organisationContext'
 import { CreateDynamicSecretLease } from '@/graphql/mutations/environments/secrets/dynamic/createLease.gql'
 import { GetDynamicSecretLeases } from '@/graphql/queries/secrets/dynamic/getSecretLeases.gql'
-import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/ttl'
 import { relativeTimeFromDates } from '@/utils/time'
 import { useMutation } from '@apollo/client'
 import { useContext, useState } from 'react'
diff --git a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
index d2dcf1b4d..7c7397d62 100644
--- a/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/RenewLeaseDialog.tsx
@@ -5,7 +5,7 @@ import {
 } from '@/apollo/graphql'
 import { Button } from '@/components/common/Button'
 import GenericDialog from '@/components/common/GenericDialog'
-import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons, MINIMUM_LEASE_TTL } from '@/utils/ttl'
 import { relativeTimeFromDates, humanReadableDuration } from '@/utils/time'
 import { useContext, useRef, useState } from 'react'
 import { FiRefreshCw } from 'react-icons/fi'
diff --git a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
index fe0083d52..b9ccd4592 100644
--- a/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
+++ b/frontend/ee/components/secrets/dynamic/UpdateDynamicSecretDialog.tsx
@@ -23,7 +23,7 @@ import { toast } from 'react-toastify'
 import { FaCog, FaCogs } from 'react-icons/fa'
 import { Textarea } from '@/components/common/TextArea'
 import { encryptAsymmetric } from '@/utils/crypto'
-import { leaseTtlButtons } from '@/utils/dynamicSecrets'
+import { leaseTtlButtons } from '@/utils/ttl'
 import CopyButton from '@/components/common/CopyButton'
 
 type UpdateDynamicSecretDialogRef = {
diff --git a/frontend/utils/dynamicSecrets.ts b/frontend/utils/dynamicSecrets.ts
deleted file mode 100644
index bd0f0e5a9..000000000
--- a/frontend/utils/dynamicSecrets.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-export const MINIMUM_LEASE_TTL = 60 // 1 minute
-
-export const leaseTtlButtons = [
-  {
-    label: '15min',
-    seconds: '900',
-  },
-  {
-    label: '1h',
-    seconds: '3600',
-  },
-  {
-    label: '12h',
-    seconds: '43200',
-  },
-  {
-    label: '24h',
-    seconds: '86400',
-  },
-  {
-    label: '30d',
-    seconds: '2592000',
-  },
-  {
-    label: '90d',
-    seconds: '7776000',
-  },
-]
diff --git a/frontend/utils/ttl.ts b/frontend/utils/ttl.ts
index 379fead7d..d5d5b16a6 100644
--- a/frontend/utils/ttl.ts
+++ b/frontend/utils/ttl.ts
@@ -83,3 +83,32 @@ export function isValidTTL(ttlString: string): boolean {
 export function getTTLExamples(): string[] {
   return ['60s', '10m', '2h', '7d']
 }
+
+export const MINIMUM_LEASE_TTL = 60 // 1 minute
+
+export const leaseTtlButtons = [
+  {
+    label: '15min',
+    seconds: '900',
+  },
+  {
+    label: '1h',
+    seconds: '3600',
+  },
+  {
+    label: '12h',
+    seconds: '43200',
+  },
+  {
+    label: '24h',
+    seconds: '86400',
+  },
+  {
+    label: '30d',
+    seconds: '2592000',
+  },
+  {
+    label: '90d',
+    seconds: '7776000',
+  },
+]

From 5a0bd0da2d2fc363ca41a70bcad754a0bdc1c23d Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Fri, 3 Oct 2025 21:52:31 +0530
Subject: [PATCH 76/80] fix: copy, layout

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/common/GenericDialog.tsx      | 13 +++++++++----
 .../identities/AddNewIdentityDialog.tsx           | 15 +++------------
 .../components/identities/providers/aws/iam.tsx   |  4 ++--
 .../service-accounts/KeyManagementDialog.tsx      |  4 ++--
 4 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/frontend/components/common/GenericDialog.tsx b/frontend/components/common/GenericDialog.tsx
index 76b5027b6..a579b8844 100644
--- a/frontend/components/common/GenericDialog.tsx
+++ b/frontend/components/common/GenericDialog.tsx
@@ -121,10 +121,15 @@ const GenericDialog = forwardRef(
                       sizeClass
                     )}
                   >
-                    <Dialog.Title as="div" className="flex w-full justify-between gap-2 items-start">
-                      <h3 className="text-lg font-medium leading-6 text-zinc-800 dark:text-zinc-200 break-all">
-                        {dialogTitle || title}
-                      </h3>
+                    <Dialog.Title
+                      as="div"
+                      className="flex w-full justify-between gap-2 items-start"
+                    >
+                      {dialogTitle || (
+                        <h3 className="text-lg font-medium leading-6 text-zinc-800 dark:text-zinc-200 break-all">
+                          {title}
+                        </h3>
+                      )}
                       <Button variant="text" onClick={closeModal}>
                         <FaTimes className="text-zinc-900 dark:text-zinc-400 hover:text-zinc-700 dark:hover:text-zinc-300" />
                       </Button>
diff --git a/frontend/components/identities/AddNewIdentityDialog.tsx b/frontend/components/identities/AddNewIdentityDialog.tsx
index 2dc1ba8ea..5c90ce547 100644
--- a/frontend/components/identities/AddNewIdentityDialog.tsx
+++ b/frontend/components/identities/AddNewIdentityDialog.tsx
@@ -47,21 +47,12 @@ export const AddNewIdentityDialog = forwardRef<
   }
 
   return (
-    <GenericDialog
-      ref={dialogRef}
-      title="Add Identity Provider"
-      onClose={handleDialogClose}
-      dialogTitle={
-        <div>
-          <h3>Add Identity Provider</h3>
-        </div>
-      }
-    >
+    <GenericDialog ref={dialogRef} title="Add External Identity" onClose={handleDialogClose}>
       <div className="space-y-6">
         <div className="text-neutral-500 text-sm">
           {selectedProvider
-            ? 'Configure your identity provider'
-            : 'Select a provider below to create a new identity.'}
+            ? 'Set up a new external identity'
+            : 'Select a provider below to set up a new identity'}
         </div>
         {!selectedProvider ? (
           <div className="grid grid-cols-1 gap-8">
diff --git a/frontend/components/identities/providers/aws/iam.tsx b/frontend/components/identities/providers/aws/iam.tsx
index 67708dfd2..e9a9a27f1 100644
--- a/frontend/components/identities/providers/aws/iam.tsx
+++ b/frontend/components/identities/providers/aws/iam.tsx
@@ -291,7 +291,7 @@ export const AwsIamIdentityForm = ({
           <Input
             value={signatureTtlInput}
             setValue={handleSignatureTtlChange}
-            label="Signatures expiry"
+            label="Signature expiry"
             placeholder={getTTLExamples().join(', ')}
             required
           />
@@ -439,7 +439,7 @@ export const AwsIamIdentityForm = ({
           <Input
             value={tokenNamePattern}
             setValue={setTokenNamePattern}
-            label="Token name prefix or suffix"
+            label="Token name"
             placeholder="Optional identifier (e.g. prod, staging)"
           />
           <div className="grid grid-cols-1 sm:grid-cols-2 gap-4">
diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index fd2dd6c0b..2383864ca 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -170,7 +170,7 @@ export const KeyManagementDialog = ({
         </>
       }
       dialogTitle={
-        <div className="flex w-full justify-between items-center">
+        <div className="flex w-full justify-between items-center pr-4">
           <h3 className="text-lg font-medium leading-6 text-black dark:text-white ">
             Key Management Settings
           </h3>
@@ -193,7 +193,7 @@ export const KeyManagementDialog = ({
       {' '}
       {userCanManageKeys ? (
         <form className="space-y-6" onSubmit={handleSave}>
-          <p className="text-neutral-500 text-sm pb-4">
+          <p className="text-neutral-500 text-sm">
             Choose where and how keys are managed for this Service Account
           </p>
 

From c751c8ad123c4127f88bfd3f283e90dfc6523de6 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sat, 4 Oct 2025 14:38:37 +0530
Subject: [PATCH 77/80] fix: make sure clean is run on model save, remove
 redundant imports

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/models.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/api/models.py b/backend/api/models.py
index 02c83f94f..0e3c657ba 100644
--- a/backend/api/models.py
+++ b/backend/api/models.py
@@ -575,16 +575,18 @@ def clean(self):
         # Ensure only one of created_by or created_by_service_account is set
         # Service accounts can create tokens for themselves and others
         if not (self.created_by or self.created_by_service_account):
-            from django.core.exceptions import ValidationError
             raise ValidationError(
                 "Must set either created_by (organisation member) or created_by_service_account"
             )
         if self.created_by and self.created_by_service_account:
-            from django.core.exceptions import ValidationError
             raise ValidationError(
                 "Only one of created_by or created_by_service_account may be set"
             )
 
+    def save(self, *args, **kwargs):
+        self.full_clean()  # This calls clean() and field validation
+        super().save(*args, **kwargs)
+
     def get_creator_account(self):
         return self.created_by or self.created_by_service_account
 
@@ -911,6 +913,7 @@ class Identity(models.Model):
 
     Scope: Organisation level; can be attached to multiple ServiceAccounts.
     """
+
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
     organisation = models.ForeignKey(Organisation, on_delete=models.CASCADE)
     provider = models.CharField(max_length=64)
@@ -939,12 +942,15 @@ def get_trusted_list(self):
         try:
             principals = self.config.get("trustedPrincipals", [])
             if isinstance(principals, list):
-                return [p.strip() for p in principals if isinstance(p, str) and p.strip()]
+                return [
+                    p.strip() for p in principals if isinstance(p, str) and p.strip()
+                ]
             # Fallback for legacy comma-separated string format
             return [p.strip() for p in str(principals).split(",") if p.strip()]
         except Exception:
             return []
 
+
 class PersonalSecret(models.Model):
     id = models.TextField(default=uuid4, primary_key=True, editable=False)
     secret = models.ForeignKey(Secret, on_delete=models.CASCADE)

From b0bfa6272c4f9da5dd26bff07aa979bc1f596791 Mon Sep 17 00:00:00 2001
From: Nimish <nimish@phase.dev>
Date: Sun, 5 Oct 2025 14:10:16 +0530
Subject: [PATCH 78/80] chore: update version to v2.53.0

---
 backend/version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/version.txt b/backend/version.txt
index 6e380ebf9..804c37de6 100644
--- a/backend/version.txt
+++ b/backend/version.txt
@@ -1 +1 @@
-v2.52.0
+v2.53.0

From 1fe6860a62136ea0fd8f1718ff99e4c3c0154dfa Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 5 Oct 2025 20:33:11 +0530
Subject: [PATCH 79/80] chore: remove empty else block

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 frontend/components/service-accounts/KeyManagementDialog.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/frontend/components/service-accounts/KeyManagementDialog.tsx b/frontend/components/service-accounts/KeyManagementDialog.tsx
index 2383864ca..2987f4715 100644
--- a/frontend/components/service-accounts/KeyManagementDialog.tsx
+++ b/frontend/components/service-accounts/KeyManagementDialog.tsx
@@ -67,7 +67,6 @@ export const KeyManagementDialog = ({
     } else if (selectedMode === 'client' && serviceAccount.serverSideKeyManagementEnabled) {
       // Disable server-side encryption (switch to client-side)
       await handleDisableSSE()
-    } else {
     }
   }
 

From 0c40b7bb066dcb71fc4f2010b2e8d98621e203c2 Mon Sep 17 00:00:00 2001
From: rohan <rohan.chaturvedi@protonmail.com>
Date: Sun, 5 Oct 2025 20:33:22 +0530
Subject: [PATCH 80/80] fix: add timeout and error handling for AWS STS request

Signed-off-by: rohan <rohan.chaturvedi@protonmail.com>
---
 backend/api/views/identities/aws/iam.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/api/views/identities/aws/iam.py b/backend/api/views/identities/aws/iam.py
index 4bbec9c77..630241736 100644
--- a/backend/api/views/identities/aws/iam.py
+++ b/backend/api/views/identities/aws/iam.py
@@ -110,7 +110,13 @@ def aws_iam_auth(request):
 
     # Forward the signed request to AWS STS
     try:
-        resp = requests.request(method, configured, headers=headers, data=body)
+        resp = requests.request(
+            method, configured, headers=headers, data=body, timeout=10
+        )
+    except requests.exceptions.Timeout:
+        return JsonResponse({"error": "AWS STS request timed out"}, status=504)
+    except requests.exceptions.ConnectionError:
+        return JsonResponse({"error": "Unable to connect to AWS STS"}, status=502)
     except Exception:
         return JsonResponse({"error": "Failed to contact AWS STS"}, status=502)