HashiCorp Vault groups integration with Google G Suite

Vault + GCP + GSuite

UPDATE (8 July, 2021): I have updated the default_role code snippet to work with Vault 1.7.1.

Vault is a great tool for secrets management. It comes with various integrations and authentication methods. This article will be focusing on authentication and authorization in Vault using Google G-Suite OIDC flow and making use of groups claim in Google Cloud Platform environment.

Google G-Suite simplifies user management and works well along with Google Cloud Platform. Groups claim can be leveraged to authorize a user in Vault by mapping its associated Google G-Suite group with a Vault group. This way the user can be assigned the relevant Vault policy.

Follow the steps laid out in Vault OIDC providers configuration. It can be summarized into the following steps:

Create a reader and manager policy

You will need the client_id, client_secret and superadmin email obtained in the prerequisites steps

Requires the Vault external address. It can be omitted if you are only testing locally.

Let’s assume there is a user called john.doe@yourdomain.com and they are a part of the GSuite group manager.group@yourdomain.com. When the above configuration is followed, a Vault login via cli should look like the following:

$ vault login -method=oidc
...
Key Value
--- -----
token <TOKEN>
token_accessor <TOKEN_ACCESSOR>
token_duration 768h
token_renewable true
token_policies ["default" "reader"]
identity_policies ["manager"]
policies ["default" "manager" "reader"]
token_meta_role default_role

The login works as expected because manager policy shows up in identity_policies which is mapped via manager.group@yourdomain.com group.

As of writing this article, Vault documentation does not clearly explains this process. It took me a good amount of time to piece together this information from GitHub issues and pull requests. I hope this helps you authorize users in Vault using G Suite groups and saves you some time.

Security and Systems Engineering