I am trying to configure OIDC login in Vault with G Suite/Google Cloud. Everything was working, but then I started to try to fetch groups from the G Suite API and now I can't even log in; I get the following error:
* failed to fetch groups: googleapi: Error 404: Domain not found., notFound
I have the following configuration:
vault write auth/oidc/config -<<EOF
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "<>",
  "oidc_client_secret": "<>",
  "default_role": "default_role",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/creds.json",
    "gsuite_admin_impersonate": "vault-prod@<project_id>.iam.gserviceaccount.com",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5
  }
}
EOF
The default_role:
vault write auth/oidc/role/default_role \
allowed_redirect_uris="https://vault.mydomain.com/ui/vault/auth/oidc/oidc/callback,http://localhost:8250/oidc/callback" \
user_claim="email" \
policies="reader" \
groups_claim="groups" \
verbose_oidc_logging="true" \
oidc_scopes="openid email"
The group:
vault write identity/group name="engineers@mydomain.com" type="external" \
policies="reader" \
metadata=responsibility="Engineers"
Key Value
--- -----
id <id>
name engineers@mydomain.com
The alias:
vault write identity/group-alias name="engineers@mydomain.com" \
mount_accessor=$(cat accessor.txt) \
canonical_id="$GROUP_ID"
What am I missing or doing wrong?
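As an added example (not part of the original post, and not Vault's or the plugin's own code), here is an offline pre-flight check for a `gsuite` provider_config of the shape posted above. It does no network calls; the config payload and the Workspace domain `mydomain.com` (taken from the external group name) are constructed values, and the checks are heuristics based on what the provider settings mean: `gsuite_admin_impersonate` is the address of a Workspace admin user to impersonate, so a service-account address or an address outside the directory domain is flagged.

```python
import json

# Constructed example: the posted provider_config shape with secrets and
# ids replaced by placeholders.
OIDC_CONFIG = json.loads("""{
  "oidc_discovery_url": "https://accounts.google.com",
  "default_role": "default_role",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": "/creds.json",
    "gsuite_admin_impersonate": "vault-prod@<project_id>.iam.gserviceaccount.com",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5
  }
}""")

# Workspace domain, taken from the external group "engineers@mydomain.com".
WORKSPACE_DOMAIN = "mydomain.com"


def domain_of(email):
    """Return the part after '@' (lower-cased), or '' if there is none."""
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def preflight(cfg, workspace_domain):
    """Return a list of findings for an auth/oidc config using the gsuite provider.

    Pure string checks, nothing is contacted; an empty list means nothing was flagged.
    """
    findings = []
    pc = cfg.get("provider_config", {})
    if pc.get("provider") != "gsuite":
        return findings
    if pc.get("fetch_groups") or pc.get("fetch_user_info"):
        if not pc.get("gsuite_service_account"):
            findings.append("fetch_* enabled but gsuite_service_account is unset")
        subject = pc.get("gsuite_admin_impersonate", "")
        if not subject:
            findings.append("fetch_* enabled but gsuite_admin_impersonate is unset")
        elif domain_of(subject).endswith("gserviceaccount.com"):
            findings.append("gsuite_admin_impersonate names a service account; the "
                            "provider expects a Workspace admin user's e-mail to impersonate")
        elif domain_of(subject) != workspace_domain.lower():
            findings.append(f"gsuite_admin_impersonate is in {domain_of(subject)!r}, "
                            f"but users and groups live in {workspace_domain!r}")
    depth = pc.get("groups_recurse_max_depth", 0)
    if not isinstance(depth, int) or depth < 0:
        findings.append("groups_recurse_max_depth must be a non-negative integer")
    return findings
```

Run `preflight(OIDC_CONFIG, WORKSPACE_DOMAIN)` to get the findings for the posted config; the credential file itself is not read.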