sudo-gcp is currently in alpha stages! Expect breaking changes.

Sudo GCP

This tool enables with running Google Cloud commands with temporary elevated privileges, using short-lived OAuth access tokens.

sudo-gcp securely caches access tokens using the operating system's secret-store/keychain, and will reuse matching non-expired tokens on subsequent calls.

Setup

Define a service account to be the holder of your elevated privileges
Grant elevated privileges to that service account
Define who should be eligible to temporarily gain those privileges
- We use a google group with a "role-gcp-sudo-" prefixed group name
Assign those users the roles/iam.workloadIdentityUser role, bound to that service account

Installation

cargo install sudo-gcp

Configuration

If both environment and file configuration sources exist, environment variables take precedence over the configuration file.

Configuration by File

Configuration can be done with a sudo-gcp.toml file in the current working directory. See the example configuration file for more details.

A configuration file in a different location can be provided when running sudo-gcp with the --config-file option.

# create a minimal configuration file if it does not already exist
echo > sudo-gcp.toml 'service_account = "my-terraformer@my-project.iam.gserviceaccount.com"'

Configuration by Environment

Configuration is also supported via environment variables prefixed with SUDOGCP_.

export SUDOGCP_SERVICE_ACCOUNT=my-terraformer@my-project.iam.gserviceaccount.com

Usage

After configuration, wrap commands that need elevated privileges with the sudo-gcp command, similar in usage to sudo.

Examples:

sudo-gcp gcloud compute instances list

terraform plan  # error: no permission to read tfstate
sudo-gcp !!     # try again, but with necessary privileges

For complete usage details, run sudo-gcp --help.