Is there a way (assuming I am able to fetch the information about what google groups a user belongs to) when using GSuite IDP in OIDC backend to provide a mapping between the user’s google group and vault groups?
i.e. if the user is a member of my-group-1 in google, to get assigned into manager vault group? (and so on…)
I am not familiar with the Google-specific parts of this, as I use a different OIDC provider.
For the Google-specific parts, this documentation exists: OIDC Provider Setup - Auth Methods - Google | Vault | HashiCorp Developer
Once that part of the setup is taken care of, the rest of it happens via the Vault “Identity” secrets engine:
You create a group - Identity Secret Backend: Group - HTTP API | Vault | HashiCorp Developer - and at this step, you need to make it type=external. The name can be anything you want, e.g. manager to use your example.
You create a group-alias - Identity Secret Backend: Group Alias - HTTP API | Vault | HashiCorp Developer - with the following settings:
name is the name of the Google group - e.g. my-group-1 in your examplecanonical_id is the id of the group you created in step 1 above.mount_accessor is a string that looks roughly similar to auth_oidc_6cf266fa that identifies the specific auth method in Vault this group will be used with - you can find this in the Accessor column when you run vault auth list
Now, whenever a user logs in, Vault will look at the groups Google says they are in, and add or remove them from the relevant type=external groups within Vault.