Temporal · Arazzo Workflow

Temporal Issue an API Key for a New Service Account

Version 1.0.0

Create a Service Account, read it back, then issue an API key owned by it.


Provider

temporal

Workflows

issue-service-account-key
Create a Service Account and issue an API key bound to it.
Chains createServiceAccount, listServiceAccounts to resolve the new id, and createApiKey to mint a key owned by that Service Account.
3 steps
Inputs: access, bearerToken, keyDisplayName, keyExpiryTime, serviceAccountName
Outputs: keyStatus, serviceAccountId

1. createServiceAccount (operation: createServiceAccount)
   Create the Service Account from the supplied name and access spec.
2. resolveServiceAccount (operation: listServiceAccounts)
   List Service Accounts to resolve the id of the account just created so it can own the new API key.
3. issueApiKey (operation: createApiKey)
   Create an API key owned by the new Service Account, using its id as ownerId and serviceaccount as the ownerType.

Arazzo Workflow Specification

temporal-issue-service-account-key-workflow.yml
arazzo: 1.0.1
info:
  title: Temporal Issue an API Key for a New Service Account
  summary: Create a Service Account, read it back, then issue an API key owned by it.
  description: >-
    Automation in Temporal Cloud authenticates as a Service Account holding an
    API key. This workflow creates a Service Account, reads it back to capture
    its id, and then creates an API key owned by that Service Account. The key
    creation request uses the Service Account id as ownerId and a serviceaccount
    ownerType. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: cloudOpsApi
  url: ../openapi/cloud-ops-api.yml
  type: openapi
workflows:
- workflowId: issue-service-account-key
  summary: Create a Service Account and issue an API key bound to it.
  description: >-
    Chains createServiceAccount, listServiceAccounts to resolve the new id, and
    createApiKey to mint a key owned by that Service Account.
  inputs:
    type: object
    required:
    - bearerToken
    - serviceAccountName
    - access
    - keyDisplayName
    - keyExpiryTime
    properties:
      bearerToken:
        type: string
        description: API key used as the Bearer token for Authorization.
      serviceAccountName:
        type: string
        description: The display name for the new Service Account.
      access:
        type: object
        description: The access spec object granting the Service Account scopes.
      keyDisplayName:
        type: string
        description: The display name for the API key to issue.
      keyExpiryTime:
        type: string
        description: RFC3339 timestamp at which the API key expires.
  steps:
  - stepId: createServiceAccount
    description: >-
      Create the Service Account from the supplied name and access spec.
    operationId: createServiceAccount
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.bearerToken"
    requestBody:
      contentType: application/json
      payload:
        spec:
          name: $inputs.serviceAccountName
          access: $inputs.access
    successCriteria:
    - condition: $statusCode == 200
    onSuccess:
    - name: resolveId
      type: goto
      stepId: resolveServiceAccount
      criteria:
      - condition: $statusCode == 200
  - stepId: resolveServiceAccount
    description: >-
      List Service Accounts to resolve the id of the account just created so it
      can own the new API key.
    operationId: listServiceAccounts
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.bearerToken"
    - name: pageSize
      in: query
      value: 100
    successCriteria:
    - condition: $statusCode == 200
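    outputs:
      # Takes the first entry of the list response; this is the account created
      # in the previous step only if that account happens to be returned first.
      serviceAccountId: $response.body#/serviceAccounts/0/id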
  - stepId: issueApiKey
    description: >-
      Create an API key owned by the new Service Account, using its id as ownerId
      and serviceaccount as the ownerType.
    operationId: createApiKey
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.bearerToken"
    requestBody:
      contentType: application/json
      payload:
        spec:
          displayName: $inputs.keyDisplayName
          ownerId: $steps.resolveServiceAccount.outputs.serviceAccountId
          ownerType: serviceaccount
          expiryTime: $inputs.keyExpiryTime
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      keyStatus: $statusCode
  outputs:
    serviceAccountId: $steps.resolveServiceAccount.outputs.serviceAccountId
    keyStatus: $steps.issueApiKey.outputs.keyStatus
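
The resolveServiceAccount step takes `serviceAccounts/0/id`, so the key is bound to whichever account the list returns first. The Python sketch below is an added example, not part of the original workflow or of Temporal's code: it resolves the id by name across pages and refuses to continue on zero or several matches. The `fetch_page` callable and the response fields `spec.name` and `nextPageToken` are assumptions; the sample pages are constructed.

```python
class ResolutionError(Exception):
    """The new Service Account could not be identified uniquely."""


def resolve_service_account_id(fetch_page, name, max_pages=50):
    """Return the id of the single Service Account whose spec.name == name.

    fetch_page(page_token) is a hypothetical callable that returns the parsed
    JSON body of one listServiceAccounts response.
    """
    matches, token = [], ""
    for _ in range(max_pages):
        body = fetch_page(token)
        for account in body.get("serviceAccounts", []):
            if account.get("spec", {}).get("name") == name:
                matches.append(account["id"])
        token = body.get("nextPageToken", "")  # assumed pagination field
        if not token:
            break
    else:
        raise ResolutionError("listing did not finish within max_pages")
    if len(matches) != 1:
        raise ResolutionError(
            f"expected exactly 1 account named {name!r}, found {len(matches)}")
    return matches[0]


def build_key_request(owner_id, display_name, expiry_time):
    """Payload of the issueApiKey step, with a verified owner id."""
    return {"spec": {"displayName": display_name, "ownerId": owner_id,
                     "ownerType": "serviceaccount", "expiryTime": expiry_time}}


# Constructed sample pages (not real Temporal Cloud output). The account
# created by step 1 is "ci-deployer", which is not the first entry returned.
SAMPLE_PAGES = {
    "": {"serviceAccounts": [{"id": "sa-old-0001",
                              "spec": {"name": "legacy-admin"}}],
         "nextPageToken": "p2"},
    "p2": {"serviceAccounts": [{"id": "sa-new-0002",
                                "spec": {"name": "ci-deployer"}}]},
}

if __name__ == "__main__":
    owner = resolve_service_account_id(SAMPLE_PAGES.__getitem__, "ci-deployer")
    print(build_key_request(owner, "ci-key", "2030-01-01T00:00:00Z"))
```

On the sample data, index 0 of the first page is `sa-old-0001` (the unrelated `legacy-admin` account), while the name-based lookup returns `sa-new-0002`.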