teleo-infrastructure/docs/gcp-operator-reauth.md
twentyOne2x cf796fea76
Some checks are pending
CI / lint-and-test (push) Waiting to run
feat: add secure GCP operator reauth helper (#90)
* feat: add secure GCP operator reauth helper

* fix: keep secure GCP prompt open on empty input

* fix: enable paste in secure GCP password dialog
2026-07-13 01:31:26 +02:00

37 lines
1.6 KiB
Markdown

# GCP Operator Reauthentication
From the `teleo-infrastructure` repository root, inspect the current local
operator state without opening a dialog:
```bash
scripts/gcp-operator-reauth.sh --status
```
Store or update the current Google password through a native secure prompt:
```bash
scripts/gcp-operator-reauth.sh --store-password
```
With no option, the script asks before opening that prompt. It uses
`pinentry-mac` when installed. Otherwise it compiles a temporary AppKit helper
that uses `NSAlert` and `NSSecureTextField`. The helper stores the value as a
non-synchronizing generic password in this Mac's encrypted Keychain. The
password is never printed, copied to the clipboard, submitted to Google, or
placed in a process argument or plaintext file.
The stored password is only an emergency operator convenience. A Google
password cannot refresh or satisfy gcloud OAuth by itself, and this script does
not attempt to automate Google login. When OAuth is stale, follow the one
`clear_CTA` printed by the script and rerun `--status`.
`--status` verifies the selected account and project, checks token refresh
without printing the token, reads the expected VM identity, and asks gcloud to
construct the IAP SSH command with `--dry-run`. It does not create a tunnel or
start SSH. `iap_ssh_preflight=ready_dry_run_only` must not be reported as a live
IAP connection.
The durable unattended operator is
`.github/workflows/gcp-iap-operator.yml`. It uses GitHub OIDC, Workload Identity
Federation, fixed reviewed operations, and IAP after the one-time authenticated
bootstrap. No stored Google password is an alternative to that route.