Some checks are pending
CI / lint-and-test (push) Waiting to run
* feat: add secure GCP operator reauth helper * fix: keep secure GCP prompt open on empty input * fix: enable paste in secure GCP password dialog
37 lines
1.6 KiB
Markdown
37 lines
1.6 KiB
Markdown
# GCP Operator Reauthentication
|
|
|
|
From the `teleo-infrastructure` repository root, inspect the current local
|
|
operator state without opening a dialog:
|
|
|
|
```bash
|
|
scripts/gcp-operator-reauth.sh --status
|
|
```
|
|
|
|
Store or update the current Google password through a native secure prompt:
|
|
|
|
```bash
|
|
scripts/gcp-operator-reauth.sh --store-password
|
|
```
|
|
|
|
With no option, the script asks before opening that prompt. It uses
|
|
`pinentry-mac` when installed. Otherwise it compiles a temporary AppKit helper
|
|
that uses `NSAlert` and `NSSecureTextField`. The helper stores the value as a
|
|
non-synchronizing generic password in this Mac's encrypted Keychain. The
|
|
password is never printed, copied to the clipboard, submitted to Google, or
|
|
placed in a process argument or plaintext file.
|
|
|
|
The stored password is only an emergency operator convenience. A Google
|
|
password cannot refresh or satisfy gcloud OAuth by itself, and this script does
|
|
not attempt to automate Google login. When OAuth is stale, follow the one
|
|
`clear_CTA` printed by the script and rerun `--status`.
|
|
|
|
`--status` verifies the selected account and project, checks token refresh
|
|
without printing the token, reads the expected VM identity, and asks gcloud to
|
|
construct the IAP SSH command with `--dry-run`. It does not create a tunnel or
|
|
start SSH. `iap_ssh_preflight=ready_dry_run_only` must not be reported as a live
|
|
IAP connection.
|
|
|
|
The durable unattended operator is
|
|
`.github/workflows/gcp-iap-operator.yml`. It uses GitHub OIDC, Workload Identity
|
|
Federation, fixed reviewed operations, and IAP after the one-time authenticated
|
|
bootstrap. No stored Google password is an alternative to that route.
|