Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Latest commit 6567f55 Sep 25, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE initial commit Sep 24, 2019 Update Sep 25, 2019
apotheosis initial commit Sep 24, 2019 initial commit Sep 24, 2019 initial commit Sep 24, 2019


Apotheosis is a tool you can run in the command line to grant yourself temporary Google Cloud Platform (GCP) Identity and Access Management (IAM) privileges which will expire after a specified amount of time. It is meant to allow high privilege users, who would otherwise have Owner or Org Admin roles, not to have any roles themselves except for Service Account User and Service Account Token Creator on a service account which will have the Owner role which would otherwise be assigned to these users.

To run the application:

git clone
cd apotheosis
virtualenv -p python2 venv
source venv/bin/activate
sudo python install
apotheosis -h

Usage Examples:

Adding to an organization:

apotheosis -d 30 -res 305014881247 -r roles/appengine.deployer
Added roles/appengine.deployer to for 30 seconds
Removed roles/appengine.deployer from

Adding to a project:

apotheosis -d 60 -res apotheosis-test -r roles/viewer -m
Added roles/viewer to for 60 seconds
Removed roles/viewer from

It makes sense to configure defaults for the command line arguments. These can be hardcoded in the file, like:

default_resource = "a-project-id"
default_role = "roles/viewer"
default_member = ""
default_service_account = ""

If you are signed in to gcloud your default credentials should be set. In some cases it may be necessary to run gcloud auth application-default login and authenticate with the account which has permissions on the service account.

Also you can press enter in the terminal to revoke the permissions early.

You can’t perform that action at this time.