Jan 18, 2021
HashiCorp Vault groups integration with Google G Suite
UPDATE (8 July, 2021): I have updated the default_role code snippet to work with Vault 1.7.1.
Vault is a great tool for secrets management. It comes with various integrations and authentication methods. This article will be focusing on authentication and authorization in Vault using Google G-Suite OIDC flow and making use of groups claim in Google Cloud Platform environment.
What is the advantage of groups claim?
Google G-Suite simplifies user management and works well along with Google Cloud Platform. Groups claim can be leveraged to authorize a user in Vault by mapping its associated Google G-Suite group with a Vault group. This way the user can be assigned the relevant Vault policy.
Prerequisites
Follow the steps laid out in Vault OIDC providers configuration. It can be summarized into the following steps:
- Create the Google OAuth credentials to obtain client_id and client_secret
- A G Suite account with the super admin role for granting domain-wide delegation API client access
- The ability to create a service account in Google Cloud Platform
- Perform Google Workspace Domain-Wide Delegation of Authority
Create Policies
Create a reader and manager policy
Configure OIDC Authentication
You will need the client_id, client_secret and superadmin email obtained in the prerequisites steps
Create default_role
Requires the Vault external address. It can be omitted if you are only testing locally.
Create Vault group and group-alias
Test the setup
Let’s assume there is a user called john.doe@yourdomain.com and they are a part of the GSuite group manager.group@yourdomain.com. When the above configuration is followed, a Vault login via cli should look like the following:
$ vault login -method=oidc
...Key Value
--- -----
token <TOKEN>
token_accessor <TOKEN_ACCESSOR>
token_duration 768h
token_renewable true
token_policies ["default" "reader"]
identity_policies ["manager"]
policies ["default" "manager" "reader"]
token_meta_role default_role
The login works as expected because manager policy shows up in identity_policies which is mapped via manager.group@yourdomain.com group.
As of writing this article, Vault documentation does not clearly explains this process. It took me a good amount of time to piece together this information from GitHub issues and pull requests. I hope this helps you authorize users in Vault using G Suite groups and saves you some time.
