Is there a way (assuming I am able to fetch the information about what google groups a user belongs to) when using GSuite IDP in OIDC backend to provide a mapping between the user’s google group and vault groups?
i.e. if the user is a member of `my-group-1` in google, to get assigned into `manager` vault group? (and so on…)
I am not familiar with the Google-specific parts of this, as I use a different OIDC provider.
For the Google-specific parts, this documentation exists: OIDC Provider Setup - Auth Methods - Google | Vault | HashiCorp Developer
Once that part of the setup is taken care of, the rest of it happens via the Vault “Identity” secrets engine:
1. You create a group (Identity Secret Backend: Group - HTTP API | Vault | HashiCorp Developer) and at this step, you need to make it
   `name` can be anything you want, e.g. `manager` to use your example.
2. You create a group-alias (Identity Secret Backend: Group Alias - HTTP API | Vault | HashiCorp Developer) with the following settings:
   - `name` is the name of the Google group, e.g. `my-group-1` in your example.
   - `canonical_id` is the `id` of the group you created in step 1 above.
   - `mount_accessor` is a string that looks roughly similar to `auth_oidc_6cf266fa` that identifies the specific auth method in Vault this group will be used with; you can find this in the `Accessor` column when you run `vault auth list`.

Now, whenever a user logs in, Vault will look at the groups Google says they are in, and add or remove them from the relevant `type=external` groups within Vault.
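The two-step mapping described in the answer above, as an added example that is not part of the original thread or of HashiCorp's own code. It drives the real Identity API paths (`/v1/identity/group`, `/v1/identity/group-alias`) and picks the `mount_accessor` out of a `GET /v1/sys/auth` response, which is what `vault auth list` displays. The `post` callable, the `FakeVault` class and the `SAMPLE_SYS_AUTH` document are constructed stand-ins so the example runs offline; the accessor value is the illustrative one from the answer, not a real one.

```python
"""Bind a Google group to a Vault external identity group (constructed example)."""
from typing import Callable, Dict, List, Tuple

# Real Vault HTTP API paths from the Identity secrets engine and sys docs.
GROUP_PATH = "/v1/identity/group"
GROUP_ALIAS_PATH = "/v1/identity/group-alias"
SYS_AUTH_PATH = "/v1/sys/auth"


def find_mount_accessor(sys_auth_response: dict, mount_path: str = "oidc/") -> str:
    """Return the accessor of one auth mount from a GET /v1/sys/auth body.

    Keys of the body are mount paths (for example "oidc/"); the accessor is
    the value shown in the Accessor column of `vault auth list`. Newer Vault
    versions wrap the mounts under "data", older ones return them top-level.
    """
    mounts = sys_auth_response.get("data", sys_auth_response)
    try:
        return mounts[mount_path]["accessor"]
    except KeyError as exc:
        raise LookupError(f"no auth mount at {mount_path!r}") from exc


def map_google_group(post: Callable[[str, dict], dict], sys_auth_response: dict,
                     google_group: str, vault_group: str,
                     mount_path: str = "oidc/") -> Dict[str, str]:
    """Create the external group and the alias that ties it to a Google group.

    `post(path, payload)` is a hypothetical parameter: it is assumed to send a
    POST to Vault and return the decoded JSON body.
    """
    # Step 1: the Vault group must be type=external. Vault itself adds and
    # removes members of external groups from the group claim at login time;
    # a type=internal group would never receive Google's membership.
    group = post(GROUP_PATH, {"name": vault_group, "type": "external"})
    group_id = group["data"]["id"]

    # Step 2: the alias name is the Google group name exactly as the OIDC
    # groups claim carries it; canonical_id points at the group from step 1;
    # mount_accessor scopes the alias to the one OIDC auth mount.
    alias = post(GROUP_ALIAS_PATH, {
        "name": google_group,
        "mount_accessor": find_mount_accessor(sys_auth_response, mount_path),
        "canonical_id": group_id,
    })
    return {"group_id": group_id, "alias_id": alias["data"]["id"]}


class FakeVault:
    """Constructed stand-in for a Vault server: records POSTs and hands out ids."""

    def __init__(self) -> None:
        self.requests: List[Tuple[str, dict]] = []

    def post(self, path: str, payload: dict) -> dict:
        self.requests.append((path, payload))
        # Vault returns the new object's id under data.id for both endpoints.
        return {"data": {"id": f"fake-{len(self.requests)}-id", "name": payload["name"]}}


# Constructed sample of a GET /v1/sys/auth body; the shape follows the real
# API, the accessor strings are placeholders.
SAMPLE_SYS_AUTH = {"data": {
    "token/": {"type": "token", "accessor": "auth_token_00000000"},
    "oidc/": {"type": "oidc", "accessor": "auth_oidc_6cf266fa"},
}}


if __name__ == "__main__":
    vault = FakeVault()
    result = map_google_group(vault.post, SAMPLE_SYS_AUTH, "my-group-1", "manager")
    for path, payload in vault.requests:
        print("POST", path, payload)
    print(result)
```

The same two calls from the CLI are `vault write identity/group name=manager type=external` followed by `vault write identity/group-alias name=my-group-1 mount_accessor=<accessor> canonical_id=<group id>`; the accessor lookup above corresponds to reading the Accessor column of `vault auth list`.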