Apotheosis is a command-line tool for granting yourself temporary Google Cloud Platform (GCP) Identity and Access Management (IAM) privileges that expire after a specified amount of time. It is meant to let highly privileged users, who would otherwise hold Org Admin roles, hold no roles themselves except for Service Account User and Service Account Token Creator on a service account. That service account holds the Owner role which would otherwise be assigned directly to those users.
To run the application:
    git clone git@github.com:etsy/Apotheosis.git
    cd apotheosis
    virtualenv -p python2 venv
    source venv/bin/activate
    sudo python setup.py install
    apotheosis -h
Adding to an organization:
    apotheosis -d 30 -res 305014881247 -r roles/appengine.deployer
    Added roles/appengine.deployer to user:firstname.lastname@example.org for 30 seconds
    Removed roles/appengine.deployer from user:firstname.lastname@example.org
Adding to a project:
    apotheosis -d 60 -res apotheosis-test -r roles/viewer -m group:firstname.lastname@example.org
    Added roles/viewer to group:firstname.lastname@example.org for 60 seconds
    Removed roles/viewer from group:firstname.lastname@example.org
It makes sense to configure defaults for the command line arguments. These can be hardcoded in the file apotheosis.py, like:
    default_resource = "a-project-id"
    default_role = "roles/viewer"
    default_member = "user:email@example.com"
    default_service_account = "firstname.lastname@example.org"
If you are signed in to gcloud, your application default credentials should already be set. In some cases it may be necessary to run
    gcloud auth application-default login
and authenticate with the account that has permissions on the service account.
You can also press Enter in the terminal to revoke the permissions before the duration expires.
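The grant-then-revoke flow described above, written as an added example that is not Apotheosis's own code. It works on the IAM policy document shape that getIamPolicy returns ({"bindings": [{"role": ..., "members": [...]}], "etag": ...}); the get_policy/set_policy callables and the in-memory store are assumptions standing in for the real API calls, and the example also covers the case the text does not spell out: a member who already held the role should not lose it when the timer expires.

```python
import time
from typing import Callable, Dict

# Hypothetical helpers mirroring the temporary-grant flow; not the project's code.

def add_binding(policy: Dict, role: str, member: str) -> bool:
    """Add member to role. Returns False if the member already held the role,
    so the caller knows not to revoke a pre-existing grant on expiry."""
    for binding in policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member in binding["members"]:
                return False
            binding["members"].append(member)
            return True
    policy["bindings"].append({"role": role, "members": [member]})
    return True

def remove_binding(policy: Dict, role: str, member: str) -> bool:
    """Remove member from role; drop the binding entirely once it is empty."""
    for binding in policy.get("bindings", []):
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
            if not binding["members"]:
                policy["bindings"].remove(binding)
            return True
    return False

def grant_temporarily(get_policy: Callable[[], Dict], set_policy: Callable[[Dict], None],
                      role: str, member: str, seconds: float,
                      sleep: Callable[[float], None] = time.sleep) -> bool:
    """Grant role to member, wait, then revoke. get_policy/set_policy wrap
    getIamPolicy/setIamPolicy; the etag read from the policy is written back so a
    concurrent edit fails instead of being silently overwritten. Returns whether a
    grant was made and revoked (False when the member already held the role)."""
    policy = get_policy()
    if not add_binding(policy, role, member):
        return False
    set_policy(policy)
    try:
        sleep(seconds)  # an early Ctrl-C or Enter handler still reaches finally
    finally:
        latest = get_policy()  # re-read: the policy may have changed while waiting
        if remove_binding(latest, role, member):
            set_policy(latest)
    return True

if __name__ == "__main__":
    # Constructed in-memory policy standing in for a real project's IAM policy.
    store = {"policy": {"etag": "constructed", "bindings": []}}
    grant_temporarily(lambda: store["policy"], lambda p: store.update(policy=p),
                      "roles/viewer", "group:devs@example.com", 1)
```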