Provide a mapping between google and vault groups when using GSuite IDP in OIDC backend

maxb · December 17, 2022, 1:14pm

I am not familiar with the Google-specific parts of this, as I use a different OIDC provider.

For the Google-specific parts, this documentation exists: OIDC Provider Setup - Auth Methods - Google | Vault | HashiCorp Developer

Once that part of the setup is taken care of, the rest of it happens via the Vault “Identity” secrets engine:

You create a group - Identity Secret Backend: Group - HTTP API | Vault | HashiCorp Developer - and at this step, you need to make it type=external. The name can be anything you want, e.g. manager to use your example.
You create a group-alias - Identity Secret Backend: Group Alias - HTTP API | Vault | HashiCorp Developer - with the following settings:

name is the name of the Google group - e.g. my-group-1 in your example
canonical_id is the id of the group you created in step 1 above.
mount_accessor is a string that looks roughly similar to auth_oidc_6cf266fa that identifies the specific auth method in Vault this group will be used with - you can find this in the Accessor column when you run vault auth list

Now, whenever a user logs in, Vault will look at the groups Google says they are in, and add or remove them from the relevant type=external groups within Vault.

Topic		Replies	Views
Pre-assign oidc identities to roles Vault vault	7	504	December 21, 2022
SSO with GSuite for vault Vault	3	554	December 6, 2022
Use groups_claim OIDC auth method with google Vault	2	6722	April 6, 2020
Vault oidc google workspace iam groups Vault connect , vault	0	564	March 1, 2021
Vault OIDC with google, how to restrict roles to specific groups Vault	8	2916	October 26, 2020

Provide a mapping between google and vault groups when using GSuite IDP in OIDC backend

Related topics