Vault
Use Google for OIDC authentication
Main reference: Using OAuth 2.0 to Access Google APIs
- Visit the Google API Console.
- Create or a select a project.
- Navigate to Menu > APIs & Services
- Create a new credential via Credentials > Create Credentials > OAuth Client ID.
- Configure the OAuth Consent Screen. Application Name is required. Save.
- Select application type: "Web Application".
- Configure Authorized Redirect URIs.
- Save client ID and secret.
Optional google-specific configuration
Google-specific configuration is available when using Google as an identity provider from the Vault JWT/OIDC auth method. The configuration allows Vault to obtain Google Workspace group membership and user information during the JWT/OIDC authentication flow. The group membership obtained from Google Workspace may be used for Identity group alias association. The user information obtained from Google Workspace can be used to copy claims data into resulting auth token and alias metadata via claim_mappings.
Setup
To set up the Google-specific handling, you'll need:
- A Google Workspace account with the super admin role for granting domain-wide delegation API client access, or a service account that has been granted the necessary group admin roles.
- The ability to create a service account in Google Cloud Platform.
- To enable the Admin SDK API.
- An OAuth 2.0 application with an internal user type. We do not recommend using an external user type since it would allow any user with a Google account to authenticate with Vault.
The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses either Google Workspace Domain-Wide Delegation of Authority for authentication and authorization, or group admin roles granted to a GCP service account.
Links to steps for setting up authentication and authorization:
In step 11 within the section titled Optional: Set up domain-wide delegation for a service account, the only OAuth scopes that should be granted are:
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
This is an important security step in order to give the service account the least set of privileges that enable the feature.
Configuration
provider
(string: <required>)
- Name of the provider. Must be set to "gsuite".gsuite_service_account
(string: <optional>)
- Either the path to or the contents of a Google service account key file in JSON format. If given as a file path, it must refer to a file that's readable on the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped. If left empty, Application Default Credentials will be used.gsuite_admin_impersonate
(string: <optional>)
- Email address of a Google Workspace admin to impersonate.fetch_groups
(bool: false)
- If set to true, groups will be fetched from Google Workspace.fetch_user_info
(bool: false)
- If set to true, user info will be fetched from Google Workspace using the configured user_custom_schemas.groups_recurse_max_depth
(int: <optional>)
- Group membership recursion max depth. Defaults to 0, which means don't recurse.user_custom_schemas
(string: <optional>)
- Comma-separated list of Google Workspace custom schemas. Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with claim_mappings. Required if fetch_user_info is set to true.impersonate_principal
(string: <optional>)
- Service account email that has been granted domain-wide delegation of authority in Google Workspace. Required if accessing the Google Workspace Directory API through domain-wide delegation of authority, without using a service account key. The service account vault is running under must be granted theiam.serviceAccounts.signJwt
permission on this service account. Ifgsuite_admin_impersonate
is specified, that Workspace user will be impersonated.domain
(string: <optional>)
- The domain to get groups from. Set this if your workspace is configured with more than one domain.
Example configuration:
vault write auth/oidc/config -<<EOF
{
"oidc_discovery_url": "https://accounts.google.com",
"oidc_client_id": "your_client_id",
"oidc_client_secret": "your_client_secret",
"default_role": "your_default_role",
"provider_config": {
"provider": "gsuite",
"gsuite_service_account": "/path/to/service-account.json",
"gsuite_admin_impersonate": "admin@gsuitedomain.com",
"fetch_groups": true,
"fetch_user_info": true,
"groups_recurse_max_depth": 5,
"user_custom_schemas": "Education,Preferences",
"impersonate_principal": "sa@project.iam.gserviceaccount.com"
}
}
EOF
Role
The user_claim value of the role must be set to
one of either sub
or email
for the Google Workspace group and user information
queries to succeed.
Example role:
vault write auth/oidc/role/your_default_role \
allowed_redirect_uris="http://localhost:8200/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
user_claim="sub" \
groups_claim="groups" \
claim_mappings="/Education/graduation_date"="graduation_date" \
claim_mappings="/Preferences/shirt_size"="shirt_size"