#service-account #access-token #gcloud #cloud #wrapper #gcp #secure

bin+lib sudo-gcp

A gcloud CLI wrapper to use a more secure pattern of temporary access tokens and service account impersonation

4 releases

0.2.1 Jul 7, 2023
0.2.0 Jul 7, 2023
0.1.0 Apr 17, 2023


Apache-2.0

22KB
286 lines

sudo-gcp is currently in alpha stages! Expect breaking changes.

Sudo GCP

This tool lets you run Google Cloud commands with temporarily elevated privileges: it impersonates a designated service account and hands the wrapped command a short-lived OAuth access token, so the elevated privileges live on the service account rather than on your own user account.

sudo-gcp caches access tokens in the operating system's secret store/keychain rather than in plain files, and reuses a matching, unexpired token on subsequent calls.

Setup

  1. Define a service account to be the holder of your elevated privileges
  2. Grant the elevated privileges to that service account (not to the users)
  3. Define who should be eligible to temporarily gain those privileges
    • We use a Google group with a "role-gcp-sudo-" prefixed group name
  4. Grant those users (or their group) the roles/iam.workloadIdentityUser role on that service account. That role carries iam.serviceAccounts.getAccessToken, which is the one permission impersonation needs; roles/iam.serviceAccountTokenCreator would also work, but it additionally grants signBlob and signJwt.
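The four steps above scripted with gcloud, as an added example that is not part of sudo-gcp. The project my-project, the service account my-terraformer, the group role-gcp-sudo-terraformer@example.com and the roles/editor grant are placeholders to replace with your own; DRY_RUN=1 prints each command instead of executing it, and the script only runs the steps when invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not part of sudo-gcp. Placeholder names (assumptions):
#   my-project, my-terraformer, role-gcp-sudo-terraformer@example.com, roles/editor
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
SA_NAME="${SA_NAME:-my-terraformer}"
SUDO_GROUP="${SUDO_GROUP:-role-gcp-sudo-terraformer@example.com}"
ELEVATED_ROLE="${ELEVATED_ROLE:-roles/editor}"   # whatever the sudo identity needs

# Build the service account's e-mail address from its short name and project.
sa_email() {
    printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# The naming convention from the README: eligible users live in a Google group
# whose name starts with "role-gcp-sudo-". Returns 0 if NAME follows it.
is_sudo_group() {
    case "$1" in
        role-gcp-sudo-*@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Echo each command to stderr, then run it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*" >&2
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

setup_sudo_gcp() {
    sa="$(sa_email "$SA_NAME" "$PROJECT_ID")"
    is_sudo_group "$SUDO_GROUP" || { echo "group must be named role-gcp-sudo-*" >&2; return 1; }

    # 1. The service account that holds the elevated privileges.
    run gcloud iam service-accounts create "$SA_NAME" \
        --project "$PROJECT_ID" --display-name "sudo-gcp elevated identity"

    # 2. Grant the elevated privileges to the service account, not to people.
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member "serviceAccount:$sa" --role "$ELEVATED_ROLE"

    # 3+4. Group membership decides who may elevate; the binding on the
    #      service account lets members mint access tokens for it.
    run gcloud iam service-accounts add-iam-policy-binding "$sa" \
        --member "group:$SUDO_GROUP" --role roles/iam.workloadIdentityUser

    # Check from a group member's session: a token comes back only once the
    # binding is in effect (IAM changes can take a minute or so to propagate).
    run gcloud auth print-access-token --impersonate-service-account "$sa" >/dev/null
}

if [ "${1:-}" = "apply" ]; then
    setup_sudo_gcp
fi
```

The final print-access-token call is the same impersonation sudo-gcp performs on your behalf; if it fails with a permission error, the user running it is not a member of the group or the binding has not propagated yet.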

Installation

cargo install sudo-gcp

Configuration

If both environment and file configuration sources exist, environment variables take precedence over the configuration file.

Configuration by File

Configuration can be done with a sudo-gcp.toml file in the current working directory. See the example configuration file for more details.

A configuration file in a different location can be provided when running sudo-gcp with the --config-file option.

# create a minimal configuration file if it does not already exist
echo 'service_account = "my-terraformer@my-project.iam.gserviceaccount.com"' > sudo-gcp.toml

Configuration by Environment

Configuration is also supported via environment variables prefixed with SUDOGCP_.

export SUDOGCP_SERVICE_ACCOUNT=my-terraformer@my-project.iam.gserviceaccount.com

Usage

After configuration, wrap commands that need elevated privileges with the sudo-gcp command, similar in usage to sudo.

Examples:

sudo-gcp gcloud compute instances list

terraform plan  # error: no permission to read tfstate
sudo-gcp !!     # try again, but with necessary privileges

For complete usage details, run sudo-gcp --help.

Dependencies

~10–26MB
~368K SLoC