An open API service indexing awesome lists of open source software.

https://github.com/simonswine/vault-plugin-auth-google

A plugin for Hashicorp Vault to allow Google Domain authentication.
https://github.com/simonswine/vault-plugin-auth-google

Last synced: about 1 month ago
JSON representation

A plugin for Hashicorp Vault to allow Google Domain authentication.

Awesome Lists containing this project

README

        

# HashiCorp Vault plugin for Google Auth.

A HashiCorp Vault plugin for Google Auth.

## Setup

The setup guide assumes some familiarity with Vault and Vault's plugin
ecosystem. You must have a Vault server already running, unsealed, and
authenticated.

1. Compile the plugin from source.

2. Move the compiled plugin into Vault's configured `plugin_directory`:

```sh
$ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin
```

1. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog.
If you are downloading the pre-compiled binary, it is highly recommended that
you use the published checksums to verify integrity.

```sh
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/google-auth-vault-plugin \
sha_256="${SHA256}" \
command="google-auth-vault-plugin"
```

1. Mount the auth method:

```sh
$ vault auth-enable \
-path="google" \
-plugin-name="google-auth-vault-plugin" plugin
```

1. Create an OAuth client ID in [the Google Cloud Console](https://console.cloud.google.com/apis/credentials), of type "Other".

1. Configure the auth method:

```sh
$ vault write auth/google/config \
client_id= \
client_secret=
```

1. Create a role for a given set of Google users mapping to a set of policies:

Create a policy called hello: [vault polices](https://www.vaultproject.io/intro/getting-started/policies.html)

```sh
$ vault write auth/google/role/hello \
bound_domain= \
bound_emails=myuseremail@,otheremail@ \
policies=hello
```

The plugin can also map users to policies via Google Groups; however you need to consider how groups are retrieved and whether having administative permissions for the plugin is acceptable.

**Use with caution.**

Alternative auth method with groups enabled:
```sh
$ vault write auth/google/config \
client_id= \
client_secret= \
fetch_groups=true
```

Create a role for a Google group mapping to a set of policies:
```sh
$ vault write auth/google/role/hello \
bound_domain= \
bound_groups=SecurityTeam,WebTeam \
policies=hello
```

1. Login using Google credentials (NB we use `open` to navigate to the Google Auth URL to get the code).

```sh
$ open $(vault read -field=url auth/google/code_url)
$ vault write auth/google/login code=$GOOGLE_CODE role=hello
```

## Notes

* If running this inside a docker container or similar, you need to ensure the plugin has the IPC_CAP as well as vault.

e.g.
```sh
$ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin
```

* When building remember your target platform.

e.g. on MacOS targeting Linux:
```sh
GOOS=linux make
```
* You may need to set [api_addr](https://www.vaultproject.io/docs/configuration/index.html#api_addr)

This can be set at the top level for a standalone setup, or in a ha_storage stanza.

## License

This code is licensed under the MPLv2 license.