HashiCorp Vault groups integration with Google G Suite

2 min readJan 18, 2021

UPDATE (8 July, 2021): I have updated the default_role code snippet to work with Vault 1.7.1.

Vault is a great tool for secrets management. It comes with various integrations and authentication methods. This article will be focusing on authentication and authorization in Vault using Google G-Suite OIDC flow and making use of groups claim in Google Cloud Platform environment.

What is the advantage of groups claim?

Google G-Suite simplifies user management and works well along with Google Cloud Platform. Groups claim can be leveraged to authorize a user in Vault by mapping its associated Google G-Suite group with a Vault group. This way the user can be assigned the relevant Vault policy.

Prerequisites

Follow the steps laid out in Vault OIDC providers configuration. It can be summarized into the following steps:

Create the Google OAuth credentials to obtain client_id and client_secret
A G Suite account with the super admin role for granting domain-wide delegation API client access
The ability to create a service account in Google Cloud Platform
Perform Google Workspace Domain-Wide Delegation of Authority

Create Policies

Create a reader and manager policy

Configure OIDC Authentication

You will need the client_id, client_secret and superadmin email obtained in the prerequisites steps

Create default_role

Requires the Vault external address. It can be omitted if you are only testing locally.

Create Vault group and group-alias

Test the setup

Let’s assume there is a user called john.doe@yourdomain.com and they are a part of the GSuite group manager.group@yourdomain.com. When the above configuration is followed, a Vault login via cli should look like the following:

$ vault login -method=oidc
...Key                  Value
---                  -----
token                <TOKEN>
token_accessor       <TOKEN_ACCESSOR>
token_duration       768h
token_renewable      true
token_policies       ["default" "reader"]
identity_policies    ["manager"]
policies             ["default" "manager" "reader"]
token_meta_role      default_role

The login works as expected because manager policy shows up in identity_policies which is mapped via manager.group@yourdomain.com group.

As of writing this article, Vault documentation does not clearly explains this process. It took me a good amount of time to piece together this information from GitHub issues and pull requests. I hope this helps you authorize users in Vault using G Suite groups and saves you some time.