teleo-infrastructure/docs/gcp-operator-reauth.md
twentyOne2x cf796fea76
Some checks are pending
CI / lint-and-test (push) Waiting to run
feat: add secure GCP operator reauth helper (#90)
* feat: add secure GCP operator reauth helper

* fix: keep secure GCP prompt open on empty input

* fix: enable paste in secure GCP password dialog
2026-07-13 01:31:26 +02:00

1.6 KiB

GCP Operator Reauthentication

From the teleo-infrastructure repository root, inspect the current local operator state without opening a dialog:

scripts/gcp-operator-reauth.sh --status

Store or update the current Google password through a native secure prompt:

scripts/gcp-operator-reauth.sh --store-password

With no option, the script asks before opening that prompt. It uses pinentry-mac when installed. Otherwise it compiles a temporary AppKit helper that uses NSAlert and NSSecureTextField. The helper stores the value as a non-synchronizing generic password in this Mac's encrypted Keychain. The password is never printed, copied to the clipboard, submitted to Google, or placed in a process argument or plaintext file.

The stored password is only an emergency operator convenience. A Google password cannot refresh or satisfy gcloud OAuth by itself, and this script does not attempt to automate Google login. When OAuth is stale, follow the one clear_CTA printed by the script and rerun --status.

--status verifies the selected account and project, checks token refresh without printing the token, reads the expected VM identity, and asks gcloud to construct the IAP SSH command with --dry-run. It does not create a tunnel or start SSH. iap_ssh_preflight=ready_dry_run_only must not be reported as a live IAP connection.

The durable unattended operator is .github/workflows/gcp-iap-operator.yml. It uses GitHub OIDC, Workload Identity Federation, fixed reviewed operations, and IAP after the one-time authenticated bootstrap. No stored Google password is an alternative to that route.