vault-plugin-auth-google

command module

v1.7.1 Latest Latest Go to latest Published: May 17, 2021 License: MPL-2.0 Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/jetstack/vault-plugin-auth-google

Links

Open Source Insights

README ¶

HashiCorp Vault plugin for Google Auth.

A HashiCorp Vault plugin for Google Auth.

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

Compile the plugin from source.

Move the compiled plugin into Vault's configured plugin_directory:

$ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin

Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/google-auth-vault-plugin \
    sha_256="${SHA256}" \
    command="google-auth-vault-plugin"

Mount the auth method:

$ vault auth-enable \
    -path="google" \
    -plugin-name="google-auth-vault-plugin" plugin

Create an OAuth client ID in the Google Cloud Console, of type "Other".

Configure the auth method:

$ vault write auth/google/config \
    client_id=<GOOGLE_CLIENT_ID> \
    client_secret=<GOOGLE_CLIENT_SECRET>

Create a role for a given set of Google users mapping to a set of policies:

Create a policy called hello: vault polices
```
$ vault write auth/google/role/hello \
    bound_domain=<DOMAIN> \
    bound_emails=myuseremail@<DOMAIN>,otheremail@<DOMAIN> \
    policies=hello
```
The plugin can also map users to policies via Google Groups; however you need to consider how groups are retrieved and whether having administative permissions for the plugin is acceptable.

Use with caution.

Alternative auth method with groups enabled:
```
$ vault write auth/google/config \
    client_id=<GOOGLE_CLIENT_ID> \
    client_secret=<GOOGLE_CLIENT_SECRET> \
    fetch_groups=true
```
Create a role for a Google group mapping to a set of policies:
```
$ vault write auth/google/role/hello \
    bound_domain=<DOMAIN> \
    bound_groups=SecurityTeam,WebTeam \
    policies=hello
```

Login using Google credentials (NB we use open to navigate to the Google Auth URL to get the code).

$ open $(vault read -field=url auth/google/code_url)
$ vault write auth/google/login code=$GOOGLE_CODE role=hello

Notes

If running this inside a docker container or similar, you need to ensure the plugin has the IPC_CAP as well as vault.

e.g.
```
$ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin
```
When building remember your target platform.

e.g. on MacOS targeting Linux:
```
GOOS=linux make
```
You may need to set api_addr

This can be set at the top level for a standalone setup, or in a ha_storage stanza.

License

This code is licensed under the MPLv2 license.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
google
version

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL