vault-plugin-auth-google

command module
v0.0.0-...-a53f778 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 8, 2020 License: MPL-2.0 Imports: 5 Imported by: 0

README

HashiCorp Vault plugin for Google Auth.

A HashiCorp Vault plugin for Google Auth.

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

  1. Compile the plugin from source.

  2. Move the compiled plugin into Vault's configured plugin_directory:

    $ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin
    
  3. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

    $ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1)
    $ vault write sys/plugins/catalog/google-auth-vault-plugin \
        sha_256="${SHA256}" \
        command="google-auth-vault-plugin"
    
  4. Mount the auth method:

    $ vault auth-enable \
        -path="google" \
        -plugin-name="google-auth-vault-plugin" plugin
    
  5. Create an OAuth client ID in the Google Cloud Console, of type "Other".

  6. Configure the auth method:

    $ vault write auth/google/config \
        client_id=<GOOGLE_CLIENT_ID> \
        client_secret=<GOOGLE_CLIENT_SECRET>
    
  7. Create a role for a given set of Google users mapping to a set of policies:

    Create a policy called hello: vault polices

    $ vault write auth/google/role/hello \
        bound_domain=<DOMAIN> \
        bound_emails=myuseremail@<DOMAIN>,otheremail@<DOMAIN> \
        policies=hello
    

    The plugin can also map users to policies via Google Groups; however you need to consider how groups are retrieved and whether having administative permissions for the plugin is acceptable.

    Use with caution.

    Alternative auth method with groups enabled:

    $ vault write auth/google/config \
        client_id=<GOOGLE_CLIENT_ID> \
        client_secret=<GOOGLE_CLIENT_SECRET> \
        fetch_groups=true
    

    Create a role for a Google group mapping to a set of policies:

    $ vault write auth/google/role/hello \
        bound_domain=<DOMAIN> \
        bound_groups=SecurityTeam,WebTeam \
        policies=hello
    
  8. Login using Google credentials (NB we use open to navigate to the Google Auth URL to get the code).

    $ open $(vault read -field=url auth/google/code_url)
    $ vault write auth/google/login code=$GOOGLE_CODE role=hello
    

Notes

  • If running this inside a docker container or similar, you need to ensure the plugin has the IPC_CAP as well as vault.

    e.g.

    $ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin
    
  • When building remember your target platform.

    e.g. on MacOS targeting Linux:

    GOOS=linux make
    
  • You may need to set api_addr

    This can be set at the top level for a standalone setup, or in a ha_storage stanza.

License

This code is licensed under the MPLv2 license.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL