{"id":21998249,"url":"https://github.com/simonswine/vault-plugin-auth-google","last_synced_at":"2025-06-14T06:38:03.288Z","repository":{"id":40294942,"uuid":"124519735","full_name":"simonswine/vault-plugin-auth-google","owner":"simonswine","description":"A plugin for Hashicorp Vault to allow Google Domain authentication.","archived":false,"fork":false,"pushed_at":"2023-03-30T20:46:00.000Z","size":52074,"stargazers_count":15,"open_issues_count":1,"forks_count":18,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-30T21:08:48.401Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simonswine.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-03-09T09:36:01.000Z","updated_at":"2025-01-27T06:10:06.000Z","dependencies_parsed_at":"2024-06-19T00:10:03.388Z","dependency_job_id":"d6177530-2de8-4699-81af-ed8731cea721","html_url":"https://github.com/simonswine/vault-plugin-auth-google","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simonswine%2Fvault-plugin-auth-google","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simonswine%2Fvault-plugin-auth-google/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simonswine%2Fvault-plugin-auth-google/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simonswine%2Fvault-plugin-auth-g
oogle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simonswine","download_url":"https://codeload.github.com/simonswine/vault-plugin-auth-google/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251782775,"owners_count":21642987,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-29T22:20:48.055Z","updated_at":"2025-04-30T21:08:54.214Z","avatar_url":"https://github.com/simonswine.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HashiCorp Vault plugin for Google Auth.\n\nA HashiCorp Vault plugin for Google Auth.\n\n## Setup\n\nThe setup guide assumes some familiarity with Vault and Vault's plugin\necosystem. You must have a Vault server already running, unsealed, and\nauthenticated.\n\n1. Compile the plugin from source.\n\n2. Move the compiled plugin into Vault's configured `plugin_directory`:\n\n   ```sh\n   $ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin\n   ```\n\n1. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog.\nIf you are downloading the pre-compiled binary, it is highly recommended that\nyou use the published checksums to verify integrity.\n\n   ```sh\n   $ export SHA256=$(shasum -a 256 \"/etc/vault/plugins/google-auth-vault-plugin\" | cut -d' ' -f1)\n   $ vault write sys/plugins/catalog/google-auth-vault-plugin \\\n       sha_256=\"${SHA256}\" \\\n       command=\"google-auth-vault-plugin\"\n   ```\n\n1. 
Mount the auth method:\n\n   ```sh\n   $ vault auth-enable \\\n       -path=\"google\" \\\n       -plugin-name=\"google-auth-vault-plugin\" plugin\n   ```\n\n1. Create an OAuth client ID in [the Google Cloud Console](https://console.cloud.google.com/apis/credentials), of type \"Other\".\n\n1. Configure the auth method:\n\n   ```sh\n   $ vault write auth/google/config \\\n       client_id=\u003cGOOGLE_CLIENT_ID\u003e \\\n       client_secret=\u003cGOOGLE_CLIENT_SECRET\u003e\n   ```\n\n1. Create a role for a given set of Google users mapping to a set of policies:\n\n   Create a policy called hello: [vault policies](https://www.vaultproject.io/intro/getting-started/policies.html)\n\n   ```sh\n   $ vault write auth/google/role/hello \\\n       bound_domain=\u003cDOMAIN\u003e \\\n       bound_emails=myuseremail@\u003cDOMAIN\u003e,otheremail@\u003cDOMAIN\u003e \\\n       policies=hello\n   ```\n\n   The plugin can also map users to policies via Google Groups; however, you need to consider how groups are retrieved and whether having administrative permissions for the plugin is acceptable.\n\n   **Use with caution.**\n\n   Alternative auth method with groups enabled:\n   ```sh\n   $ vault write auth/google/config \\\n       client_id=\u003cGOOGLE_CLIENT_ID\u003e \\\n       client_secret=\u003cGOOGLE_CLIENT_SECRET\u003e \\\n       fetch_groups=true\n   ```\n\n   Create a role for a Google group mapping to a set of policies:\n   ```sh\n   $ vault write auth/google/role/hello \\\n       bound_domain=\u003cDOMAIN\u003e \\\n       bound_groups=SecurityTeam,WebTeam \\\n       policies=hello\n   ```\n\n1. 
Log in using Google credentials (NB: we use `open` to navigate to the Google Auth URL to get the code).\n\n   ```sh\n   $ open $(vault read -field=url auth/google/code_url)\n   $ vault write auth/google/login code=$GOOGLE_CODE role=hello\n   ```\n\n## Notes\n\n* If running this inside a Docker container or similar, you need to ensure the plugin binary has the `IPC_LOCK` capability (`cap_ipc_lock`), as well as Vault itself.\n\n  e.g.\n  ```sh\n  $ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin\n  ```\n\n* When building, remember your target platform.\n\n  e.g. on macOS targeting Linux:\n  ```sh\n  GOOS=linux make\n  ```\n* You may need to set [api_addr](https://www.vaultproject.io/docs/configuration/index.html#api_addr)\n\n  This can be set at the top level for a standalone setup, or in a ha_storage stanza.\n\n## License\n\nThis code is licensed under the MPLv2 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimonswine%2Fvault-plugin-auth-google","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimonswine%2Fvault-plugin-auth-google","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimonswine%2Fvault-plugin-auth-google/lists"}