Provide a mapping between google and vault groups when using GSuite IDP in OIDC backend

Is there a way (assuming I am able to fetch the information about what google groups a user belongs to) when using GSuite IDP in OIDC backend to provide a mapping between the user’s google group and vault groups?

i.e. if the user is a member of my-group-1 in google, to get assigned into manager vault group? (and so on…)

I am not familiar with the Google-specific parts of this, as I use a different OIDC provider.

For the Google-specific parts, this documentation exists: OIDC Provider Setup - Auth Methods - Google | Vault | HashiCorp Developer

Once that part of the setup is taken care of, the rest of it happens via the Vault “Identity” secrets engine:

  1. You create a group - Identity Secret Backend: Group - HTTP API | Vault | HashiCorp Developer - and at this step, you need to make it type=external. The name can be anything you want, e.g. manager to use your example.

  2. You create a group-alias - Identity Secret Backend: Group Alias - HTTP API | Vault | HashiCorp Developer - with the following settings:

  • name is the name of the Google group - e.g. my-group-1 in your example
  • canonical_id is the id of the group you created in step 1 above.
  • mount_accessor is a string that looks roughly similar to auth_oidc_6cf266fa that identifies the specific auth method in Vault this group will be used with - you can find this in the Accessor column when you run vault auth list

Now, whenever a user logs in, Vault will look at the groups Google says they are in, and add or remove them from the relevant type=external groups within Vault.

1 Like