From 20e2e4b3084c11a5e1bef54920c8fda63b1a3508 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Torbj=C3=B8rn=20Fj=C3=B8rtoft?= Date: Tue, 8 Aug 2023 01:14:55 +0200 Subject: [PATCH] Docs for Application Default Credentials, links to non-dwdoa setup (#21453) --- .../docs/auth/jwt/oidc-providers/google.mdx | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/website/content/docs/auth/jwt/oidc-providers/google.mdx b/website/content/docs/auth/jwt/oidc-providers/google.mdx index 50e9a352a0..2fe5db48b7 100644 --- a/website/content/docs/auth/jwt/oidc-providers/google.mdx +++ b/website/content/docs/auth/jwt/oidc-providers/google.mdx 
@@ -30,19 +30,20 @@ used to copy claims data into resulting auth token and alias metadata via [claim To set up the Google-specific handling, you'll need: - A Google Workspace account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en) - for granting domain-wide delegation API client access. + for granting domain-wide delegation API client access, or a service account that has been granted + [the necessary](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd) group admin roles. - The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts). - To enable the [Admin SDK API](https://console.developers.google.com/apis/api/admin.googleapis.com/overview). - An OAuth 2.0 application with an [internal user type](https://support.google.com/cloud/answer/10311615#user-type). We **do not** recommend using an external user type since it would allow _any user_ with a Google account to authenticate with Vault. -The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses -Google Workspace Domain-Wide Delegation of Authority for authentication and authorization. You need to follow -**all steps** in the [guide](https://developers.google.com/workspace/guides/create-credentials#service-account) -to obtain the key file for a Google service account capable of making requests to the Google Workspace -[User Accounts](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) and -[Groups](https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups) APIs. +The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses either +Google Workspace Domain-Wide Delegation of Authority for authentication and authorization, or group admin roles granted to a GCP service account. 
+ +Links to steps for setting up authentication and authorization: +- [DWDoA](https://developers.google.com/workspace/guides/create-credentials#service-account) +- [Without DWDoA](https://cloud.google.com/identity/docs/how-to/setup#auth-no-dwd) In **step 11** within the section titled [Optional: Set up domain-wide delegation for a service account](https://developers.google.com/workspace/guides/create-credentials#optional_set_up_domain-wide_delegation_for_a_service_account), 
@@ -57,15 +58,20 @@ that enable the feature. #### Configuration - `provider` `(string: )` - Name of the provider. Must be set to "gsuite". -- `gsuite_service_account` `(string: )` - Either the path to or the contents of a Google service +- `gsuite_service_account` `(string: )` - Either the path to or the contents of a Google service account key file in JSON format. If given as a file path, it must refer to a file that's readable on the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped. -- `gsuite_admin_impersonate` `(string: )` - Email address of a Google Workspace admin to impersonate. + If left empty, Application Default Credentials will be used. +- `gsuite_admin_impersonate` `(string: )` - Email address of a Google Workspace admin to impersonate. - `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from Google Workspace. - `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from Google Workspace using the configured [user_custom_schemas](#user_custom_schemas). - `groups_recurse_max_depth` `(int: )` - Group membership recursion max depth. Defaults to 0, which means don't recurse. - `user_custom_schemas` `(string: )` - Comma-separated list of Google Workspace [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas). Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/vault/api-docs/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true. +- `impersonate_principal` `(string: )` - Service account email that has been granted domain-wide delegation of authority in Google Workspace. + Required if accessing the Google Workspace Directory API through domain-wide delegation of authority, without using a service account key. 
+ The service account vault is running under must be granted the `iam.serviceAccounts.signJwt` permission on this service account. + If `gsuite_admin_impersonate` is specifed, that Workspace user will be impersonated. Example configuration: @@ -83,7 +89,8 @@ vault write auth/oidc/config -<
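Review bot: in the first hunk (`@@ -30,19 +30,20 @@`), the paragraph that follows the new link list still begins "In **step 11** within the section titled [Optional: Set up domain-wide delegation for a service account]", which only applies to the DWDoA path now that a second, non-DWDoA path is introduced; qualify it ("If using domain-wide delegation, in step 11 ...") and either restore the dropped "**all steps**" emphasis for the DWDoA guide or state explicitly that the "Without DWDoA" link covers the group admin role grants the prerequisites bullet now mentions. In that bullet, the link text "[the necessary]" is ambiguous on its own; suggest linking the whole phrase "the necessary group admin roles".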
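Review bot: typo in the last added line of the `impersonate_principal` entry (second hunk, `@@ -57,15 +58,20 @@`): "specifed" should be "specified", and "The service account vault is running under" should capitalize "Vault". The entry should also state how it interacts with the other options: it is only meaningful when `gsuite_service_account` is left empty and Application Default Credentials are used, and it must not be confused with `gsuite_admin_impersonate`, which names the Workspace user rather than the service account. Because `iam.serviceAccounts.signJwt` lets the identity Vault runs under mint JWTs as the DWDoA service account, and thereby exercise every Workspace scope delegated to it, recommend adding a sentence that the permission be granted on that one service account only rather than at project level.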