* feat: add secure GCP operator reauth helper * fix: keep secure GCP prompt open on empty input * fix: enable paste in secure GCP password dialog
1.6 KiB
GCP Operator Reauthentication
From the teleo-infrastructure repository root, inspect the current local
operator state without opening a dialog:
scripts/gcp-operator-reauth.sh --status
Store or update the current Google password through a native secure prompt:
scripts/gcp-operator-reauth.sh --store-password
With no option, the script asks before opening that prompt. It uses
pinentry-mac when installed. Otherwise it compiles a temporary AppKit helper
that uses NSAlert and NSSecureTextField. The helper stores the value as a
non-synchronizing generic password in this Mac's encrypted Keychain. The
password is never printed, copied to the clipboard, submitted to Google, or
placed in a process argument or plaintext file.
The stored password is only an emergency operator convenience. A Google
password cannot refresh or satisfy gcloud OAuth by itself, and this script does
not attempt to automate Google login. When OAuth is stale, follow the one
clear_CTA printed by the script and rerun --status.
--status verifies the selected account and project, checks token refresh
without printing the token, reads the expected VM identity, and asks gcloud to
construct the IAP SSH command with --dry-run. It does not create a tunnel or
start SSH. iap_ssh_preflight=ready_dry_run_only must not be reported as a live
IAP connection.
The durable unattended operator is
.github/workflows/gcp-iap-operator.yml. It uses GitHub OIDC, Workload Identity
Federation, fixed reviewed operations, and IAP after the one-time authenticated
bootstrap. No stored Google password is an alternative to that route.