https://github.com/simonswine/vault-plugin-auth-google
A plugin for Hashicorp Vault to allow Google Domain authentication.
- Host: GitHub
- URL: https://github.com/simonswine/vault-plugin-auth-google
- Owner: simonswine
- License: mpl-2.0
- Created: 2018-03-09T09:36:01.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2023-03-30T20:46:00.000Z (about 2 years ago)
- Last Synced: 2025-04-30T21:08:48.401Z (about 1 month ago)
- Language: Go
- Size: 49.7 MB
- Stars: 15
- Watchers: 2
- Forks: 18
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# HashiCorp Vault plugin for Google Auth.
A HashiCorp Vault plugin for Google Auth.
## Setup
The setup guide assumes some familiarity with Vault and Vault's plugin
ecosystem. You must have a Vault server already running, unsealed, and
authenticated.

1. Compile the plugin from source (`make`; see the Notes below when cross-compiling).
2. Move the compiled plugin into Vault's configured `plugin_directory`:
```sh
$ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin
```
3. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog.
If you are downloading the pre-compiled binary, it is highly recommended that
you use the published checksums to verify integrity first: the `sha_256` you
register only pins whatever file you hashed, so hashing an unverified download
gives no assurance that the binary is the one the project released.
```sh
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/google-auth-vault-plugin \
sha_256="${SHA256}" \
command="google-auth-vault-plugin"
```
4. Mount the auth method:
```sh
$ vault auth-enable \
-path="google" \
-plugin-name="google-auth-vault-plugin" plugin
```
5. Create an OAuth client ID in [the Google Cloud Console](https://console.cloud.google.com/apis/credentials), of type "Other" (newer versions of the console label this client type "Desktop app").
6. Configure the auth method with the client ID and client secret from the previous step:
```sh
$ vault write auth/google/config \
client_id= \
client_secret=
```
7. Create a role for a given set of Google users mapping to a set of policies.
First create a policy called `hello`: [vault policies](https://www.vaultproject.io/intro/getting-started/policies.html)
```sh
$ vault write auth/google/role/hello \
bound_domain= \
bound_emails=myuseremail@,otheremail@ \
policies=hello
```
The plugin can also map users to policies via Google Groups; however, you need to consider how groups are retrieved: looking up a user's group membership requires administrative (directory-level) permissions for the plugin's credentials, and you must decide whether granting the plugin those permissions is acceptable.
**Use with caution.**
Alternative auth method configuration with groups enabled:
```sh
$ vault write auth/google/config \
client_id= \
client_secret= \
fetch_groups=true
```
Create a role for a Google group mapping to a set of policies:
```sh
$ vault write auth/google/role/hello \
bound_domain= \
bound_groups=SecurityTeam,WebTeam \
policies=hello
```
8. Login using Google credentials. `vault read auth/google/code_url` returns the Google authorization URL; open it (here with the macOS `open` command), complete the consent flow, and pass the authorization code Google returns as `code=`:
```sh
$ open $(vault read -field=url auth/google/code_url)
$ vault write auth/google/login code=$GOOGLE_CODE role=hello
```

## Notes
* If running this inside a docker container or similar, the plugin binary needs the `CAP_IPC_LOCK` capability, just like the `vault` binary: Vault locks its memory with `mlock`, and the plugin SDK does the same in the plugin's own process.
e.g.
```sh
$ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin
```
* When building, remember your target platform.
e.g. on macOS targeting Linux:
```sh
GOOS=linux make
```
* You may need to set [api_addr](https://www.vaultproject.io/docs/configuration/index.html#api_addr): plugins talk back to Vault over this address, so it must be reachable from the plugin process. It can be set at the top level for a standalone setup, or in a `ha_storage` stanza.
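As an added example (not code from the vault-plugin-auth-google repository), the following POSIX shell script carries out the checksum verification that step 3 recommends before the binary is registered: it looks up the plugin's expected digest in a published checksums file (assumed to be in the `<hex>  <filename>` format that `sha256sum` emits), refuses a file that is unlisted or whose digest differs, and only then issues the same `vault write sys/plugins/catalog/...` and `vault auth-enable` commands the setup guide uses. The checksums file name, the paths and the script name are assumptions, and the `vault` calls only run when `VAULT_ADDR` is set.

```shell
#!/bin/sh
# Added example, not part of the vault-plugin-auth-google repository.
# Verify a downloaded plugin binary against a published checksums file
# before registering it in Vault's plugin catalog. The checksums file is
# assumed to hold "<hex-sha256>  <filename>" lines as `sha256sum` emits.

# Hex SHA-256 of a file, using whichever tool the host provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print the published digest for the basename of $2 from checksums file $1.
# Exits 1 when the file is not listed (a leading '*' binary marker is ignored).
expected_sha256() {
  awk -v name="$(basename "$2")" '
    { f = $2; sub(/^\*/, "", f) }
    f == name { print $1; found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Compare the plugin's actual digest with the published one.
# Prints the digest and returns 0 on match; returns 1 (with a message on
# stderr) if the file is unlisted or the digests differ. The digest that
# gets registered is therefore always the published one, never a value
# derived only from whatever file was downloaded.
verify_plugin_sha256() {
  plugin="$1"; checksums="$2"
  want=$(expected_sha256 "$checksums" "$plugin") || {
    echo "no published checksum for $(basename "$plugin") in $checksums" >&2
    return 1
  }
  got=$(sha256_of "$plugin")
  if [ "$got" != "$want" ]; then
    echo "checksum mismatch for $plugin: expected $want, got $got" >&2
    return 1
  fi
  echo "$want"
}

# Register the verified plugin in the catalog and enable it as an auth
# method at auth/google, using the same commands as the setup guide.
# The vault CLI is only invoked when VAULT_ADDR is set, so the verification
# logic can be exercised without a running server.
register_google_auth_plugin() {
  plugin="$1"; checksums="$2"; name=$(basename "$plugin")
  sha=$(verify_plugin_sha256 "$plugin" "$checksums") || return 1
  if [ -z "${VAULT_ADDR:-}" ]; then
    echo "VAULT_ADDR unset; would register $name with sha_256=$sha" >&2
    return 0
  fi
  vault write "sys/plugins/catalog/$name" sha_256="$sha" command="$name" &&
    vault auth-enable -path="google" -plugin-name="$name" plugin
}

# Usage (assumed script name):
#   ./register-plugin.sh /etc/vault/plugins/google-auth-vault-plugin ./SHA256SUMS
if [ "$#" -eq 2 ]; then
  register_google_auth_plugin "$1" "$2"
fi
```

The script deliberately prints and registers the digest taken from the checksums file rather than the one computed locally; the two are equal on success, and on a mismatch nothing is registered, so a tampered download cannot be pinned into the catalog by accident.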
## License
This code is licensed under the MPLv2 license.