Written by Amado Tejada
Many Google Workspace admins use GAM or GAMADV-XTD3 to manage their instance. Currently, the secrets needed for these tools are stored on disk in plaintext.
GAMpass is a simple tool to encrypt & decrypt GAM secrets at runtime using your biometrics with unopass.
- Python 3.13+
  pip install -r requirements.txt
- unopass configured
- GAM/GAMADV-XTD3 configured
Tested on macOS 12.4+
Back up your plaintext secrets in a different directory before you run setup. Once you verify you can encrypt/decrypt secrets you can delete the backup.
- Meet the requirements
- Move gampass.py to the same directory as GAM's secrets files, usually ~/.gam/
- Run python gampass.py setup
  - this encrypts all GAM secrets
    - ["client_secrets.json", "oauth2service.json", "oauth2.txt"]
    - If you have multiple GAM domains, all will be encrypted
  - this will generate a new gampass.key file
  - this adds gampass and gampass_cli aliases to ~/.zshrc
    - if you don't use ~/.zshrc, adjust in gampass.py
- Open 1Password
  - create a vault named gampass
  - add a new password item with the title gamkey
  - add the content of the gampass.key to the credential field
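One way to check the result of setup before deleting the plaintext backup, as an added example that is not part of GAMpass: it walks the GAM directory and reports any of the three secrets files that still parse as a JSON object, any gampass.key on disk, and any of those files accessible to group or others. Assumptions: plaintext GAM secrets are JSON objects and encrypted ones are not, extra domains live in subdirectories, and the sample tree is constructed; the page does not say whether gampass.key should stay on disk, so the script only reports it.

```python
import json
import sys
import tempfile
from pathlib import Path

SECRET_FILES = ("client_secrets.json", "oauth2service.json", "oauth2.txt")  # from the setup step
KEY_FILE = "gampass.key"

def looks_plaintext(path: Path) -> bool:
    """Assumption: a plaintext GAM secret parses as a JSON object and ciphertext does not."""
    try:
        return isinstance(json.loads(path.read_bytes()), dict)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False

def audit(gam_dir: Path) -> list[str]:
    """Return findings for gam_dir and its subdirectories (assumed layout for extra domains)."""
    findings = []
    for path in sorted(gam_dir.rglob("*")):
        if not path.is_file() or path.name not in SECRET_FILES + (KEY_FILE,):
            continue
        rel = path.relative_to(gam_dir)
        if path.name == KEY_FILE:
            findings.append(f"KEY_ON_DISK {rel}")
        elif looks_plaintext(path):
            findings.append(f"PLAINTEXT {rel}")
        if path.stat().st_mode & 0o077:  # any permission bit for group or others
            findings.append(f"GROUP_OR_OTHER_ACCESS {rel}")
    return findings

def demo() -> list[str]:
    """Constructed sample tree: two encrypted files, one left in plaintext, key present."""
    samples = {
        "client_secrets.json": b"constructed-ciphertext",
        "oauth2.txt": b"constructed-ciphertext",
        "domain2/oauth2service.json": b'{"type": "service_account"}',
        KEY_FILE: b"constructed-key-material",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "domain2").mkdir()
        for name, data in samples.items():
            (root / name).write_bytes(data)
            (root / name).chmod(0o600)
        return audit(root)

if __name__ == "__main__":
    results = audit(Path(sys.argv[1]).expanduser()) if len(sys.argv) > 1 else demo()
    print("\n".join(results) or "no findings")
```

Run it with the GAM directory as its argument, and again with the backup directory once the backup has been deleted.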
Use this to make GAM calls
Put gampass before the GAM command:
gampass gam [gam args]
gampass gam select domain2 save | gam info domain
- macOS Touch ID prompts for your biometrics to decrypt the secrets
- GAM results
Use only this to manage your GAM secrets
Usage: gampass_cli [option]
Options:
encrypt Encrypt GAM all secrets
decrypt Decrypt GAM all secrets
setup Setup a key and encrypt secrets
updates View updates documentation
sync Encrypt all domains with existing 1Password key
Example:
gampass_cli sync
Everything that works with GAM should work via GAMpass, except for the following:
- Scheduled workflows via cron, etc., do not work, because a biometric prompt is intentionally required to decrypt the secrets.
GAMpass is released under the MIT License