upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-05-28 04:10:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Docs for Application Default Credentials, links to non-dwdoa setup (#21453)

Browse source
This commit is contained in:
Torbjørn Fjørtoft 2023-08-08 01:14:55 +02:00 committed by GitHub
parent a1d0be3241
commit 20e2e4b308
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
website/content/docs/auth/jwt/oidc-providers/google.mdx
View file

@ -30,19 +30,20 @@ used to copy claims data into resulting auth token and alias metadata via [claim
To set up the Google-specific handling, you'll need:
- A Google Workspace account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en)
for granting domain-wide delegation API client access.
for granting domain-wide delegation API client access, or a service account that has been granted
[the necessary](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd) group admin roles.
- The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts).
- To enable the [Admin SDK API](https://console.developers.google.com/apis/api/admin.googleapis.com/overview).
- An OAuth 2.0 application with an [internal user type](https://support.google.com/cloud/answer/10311615#user-type).
We **do not** recommend using an external user type since it would allow _any user_ with a
Google account to authenticate with Vault.
The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses
Google Workspace Domain-Wide Delegation of Authority for authentication and authorization. You need to follow
**all steps** in the [guide](https://developers.google.com/workspace/guides/create-credentials#service-account)
to obtain the key file for a Google service account capable of making requests to the Google Workspace
[User Accounts](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) and
[Groups](https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups) APIs.
The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses either
Google Workspace Domain-Wide Delegation of Authority for authentication and authorization, or group admin roles granted to a GCP service account.
Links to steps for setting up authentication and authorization:
- [DWDoA](https://developers.google.com/workspace/guides/create-credentials#service-account)
- [Without DWDoA](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd)
In **step 11** within the section titled
[Optional: Set up domain-wide delegation for a service account](https://developers.google.com/workspace/guides/create-credentials#optional_set_up_domain-wide_delegation_for_a_service_account),
@ -57,15 +58,20 @@ that enable the feature.
#### Configuration
- `provider` `(string: <required>)` - Name of the provider. Must be set to "gsuite".
- `gsuite_service_account` `(string: <required>)` - Either the path to or the contents of a Google service
- `gsuite_service_account` `(string: <optional>)` - Either the path to or the contents of a Google service
account key file in JSON format. If given as a file path, it must refer to a file that's readable on
the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped.
- `gsuite_admin_impersonate` `(string: <required>)` - Email address of a Google Workspace admin to impersonate.
If left empty, Application Default Credentials will be used.
- `gsuite_admin_impersonate` `(string: <optional>)` - Email address of a Google Workspace admin to impersonate.
- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from Google Workspace.
- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from Google Workspace using the configured [user_custom_schemas](#user_custom_schemas).
- `groups_recurse_max_depth` `(int: <optional>)` - Group membership recursion max depth. Defaults to 0, which means don't recurse.
- `user_custom_schemas` `(string: <optional>)` - Comma-separated list of Google Workspace [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas).
Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/vault/api-docs/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true.
- `impersonate_principal` `(string: <optional>)` - Service account email that has been granted domain-wide delegation of authority in Google Workspace.
Required if accessing the Google Workspace Directory API through domain-wide delegation of authority, without using a service account key.
The service account vault is running under must be granted the `iam.serviceAccounts.signJwt` permission on this service account.
If `gsuite_admin_impersonate` is specifed, that Workspace user will be impersonated.
Example configuration:
@ -83,7 +89,8 @@ vault write auth/oidc/config -<<EOF
"fetch_groups": true,
"fetch_user_info": true,
"groups_recurse_max_depth": 5,
"user_custom_schemas": "Education,Preferences"
"user_custom_schemas": "Education,Preferences",
"impersonate_principal": "sa@project.iam.gserviceaccount.com"
}
}
EOF