Skip to content
/ GAMpass Public

A simple tool to encrypt & decrypt GAM secrets at runtime using your biometrics with unopass

License

MIT license
9 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

amadotejada/GAMpass

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
screenshots
screenshots
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
gampass.py
gampass.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

GAMpass

Written by Amado Tejada

Many Google Workspace admins use GAM or GAMADV-XTD3 to manage their instance. Currently, the secrets needed for these tools are stored on disk in plaintext.

GAMpass is a simple tool to encrypt & decrypt GAM secrets at runtime using your biometrics with unopass

Requirements

  • python 3.6+
  • pip install -r requirements.txt
  • unopass configured
  • GAM/GAMADV-XTD3 configured

Only tested on macOS 12.4+

GAMpass is a work in progress, and should be considered beta software.

First time setup

Back up your plaintext secrets in a different directory before you run setup. Once you verify you can encrypt/decrypt secrets you can delete the backup.

  1. Meet the requirements
  2. Move gampass.py to the same directory as GAM's secrets files, usually ~/.gam/
  3. Run python gampass.py setup*
    • this encrypts GAM all secrets
      • ["client_secrets.json", "oauth2service.json", "oauth2.txt"]
      • If you have multiple GAM domains, all will be encrypted
    • this will generate a new gampass.key file.
    • this adds gampass and gampass_cli alias to ~/.zshrc
      • if you don't use ~/.zshrc, adjust in gampass.py

  1. Open 1Password
    • create a vault named gampass
    • add a new password item with the title gamkey
    • add the content of the gampass.key the credential field

GAM Usage

Use this to make GAM calls

Put gampass before the GAM command

gampass gam [gam args]

gampass gam select domain2 save | gam info domain

  • macOS Touch ID prompts for your biometrics decrypting the secrets

  • GAM results

GAMpass CLI Usage

Use only this to manage your GAM secrets

Usage: gampass_cli [option]

Options:
        encrypt                 Encrypt GAM all secrets
        decrypt                 Decrypt GAM all secrets
        setup                   Setup a key and encrypt secrets
        updates                 View updates documentation
        sync                    Encrypt all domains with existing 1Password key
Example:
        gampass_cli sync

Limitations

Everything that works with GAM should work via GAMpass, except for the following:

  • Scheduled workflows via cron, etc., do not work because intentionally biometrics are prompted to decrypt the secrets.

License

GAMpass is released under the MIT License

About

A simple tool to encrypt & decrypt GAM secrets at runtime using your biometrics with unopass

Topics

python cryptography gsuite gam gsuite-admin googleworkspace googleadmin unopass gampass

Resources

Readme

License

MIT license
Activity

Stars

9 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

1 tags

Languages