temporalio · bechols · Jan 31, 2026 · Jan 31, 2026 · Feb 27, 2026
@@ -89,6 +89,29 @@ func FromAccountAccessRole(r identity.AccountAccess_Role) (string, error) {
 	}
 }
 
+// FromAccountAccess extracts the role string from an AccountAccess object.
+// It first checks the Role enum field, and if that is UNSPECIFIED, falls back
+// to the deprecated RoleDeprecated string field. This handles the case where
+// the API returns the role in the deprecated field for some account types.
+func FromAccountAccess(access *identity.AccountAccess) (string, error) {
+	if access == nil {
+		return "none", nil
+	}
+
+	// First try the enum field
+	if access.GetRole() != identity.AccountAccess_ROLE_UNSPECIFIED {
+		return FromAccountAccessRole(access.GetRole())
+	}
+
+	// Fall back to the deprecated string field if the enum is unspecified.
+	//nolint:staticcheck // SA1019: RoleDeprecated still used by older Temporal Cloud accounts.
+	if deprecated := access.GetRoleDeprecated(); deprecated != "" {
+		return strings.ToLower(deprecated), nil
+	}
+
+	return "none", nil
+}
+
 func ToNamespaceAccessPermission(s string) (identity.NamespaceAccess_Permission, error) {
 	switch strings.ToLower(s) {
 	case "admin":

@@ -365,7 +365,7 @@ func updateGroupAccessModel(ctx context.Context, state *groupAccessResourceModel
 
 	state.ID = types.StringValue(group.Id)
 
-	role, err := enums.FromAccountAccessRole(group.GetSpec().GetAccess().GetAccountAccess().GetRole())
+	role, err := enums.FromAccountAccess(group.GetSpec().GetAccess().GetAccountAccess())
 	if err != nil {
 		diags.AddError("Failed to convert account access role", err.Error())
 		return diags

@@ -538,7 +538,7 @@ func updateServiceAccountModelFromSpec(ctx context.Context, state *serviceAccoun
 		state.NamespaceAccesses = types.SetNull(types.ObjectType{AttrTypes: serviceAccountNamespaceAccessAttrs})
 	} else {
 		// Handle account-scoped service account
-		role, err := enums.FromAccountAccessRole(serviceAccount.GetSpec().GetAccess().GetAccountAccess().GetRole())
+		role, err := enums.FromAccountAccess(serviceAccount.GetSpec().GetAccess().GetAccountAccess())
 		if err != nil {
 			diags.AddError("Failed to convert account access role", err.Error())
 		}

@@ -252,7 +252,7 @@ func serviceAccountToServiceAccountDataModel(ctx context.Context, sa *identityv1
 		serviceAccountModel.NamespaceAccesses = types.SetNull(types.ObjectType{AttrTypes: serviceAccountNamespaceAccessAttrs})
 	} else {
 		// Handle account-scoped service account
-		role, err := enums.FromAccountAccessRole(sa.GetSpec().GetAccess().GetAccountAccess().GetRole())
+		role, err := enums.FromAccountAccess(sa.GetSpec().GetAccess().GetAccountAccess())
 		if err != nil {
 			diags.AddError("Failed to convert account access role", err.Error())
 			return nil, diags

@@ -50,7 +50,7 @@ func userToUserDataModel(ctx context.Context, sa *identityv1.User) (*userDataMod
 		UpdatedAt: types.StringValue(sa.GetLastModifiedTime().AsTime().GoString()),
 	}
 
-	role, err := enums.FromAccountAccessRole(sa.GetSpec().GetAccess().GetAccountAccess().GetRole())
+	role, err := enums.FromAccountAccess(sa.GetSpec().GetAccess().GetAccountAccess())
 	if err != nil {
 		diags.AddError("Failed to convert account access role", err.Error())
 		return nil, diags

@@ -440,7 +440,7 @@ func updateUserModelFromSpec(ctx context.Context, state *userResourceModel, user
 	}
 	state.State = types.StringValue(stateStr)
 	state.Email = types.StringValue(user.GetSpec().GetEmail())
-	role, err := enums.FromAccountAccessRole(user.GetSpec().GetAccess().GetAccountAccess().GetRole())
+	role, err := enums.FromAccountAccess(user.GetSpec().GetAccess().GetAccountAccess())
 	if err != nil {
 		diags.AddError("Failed to convert account access role", err.Error())
 		return diags