A HashiCorp Vault plugin for Google Auth.
The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.
-
Compile the plugin from source.
-
Move the compiled plugin into Vault's configured
plugin_directory
:$ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin
-
Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1) $ vault write sys/plugins/catalog/google-auth-vault-plugin \ sha_256="${SHA256}" \ command="google-auth-vault-plugin"
-
Mount the auth method:
$ vault auth-enable \ -path="google" \ -plugin-name="google-auth-vault-plugin" plugin
-
Create an OAuth client ID in the Google Cloud Console, of type "Other".
-
Configure the auth method:
$ vault write auth/google/config \ client_id=<GOOGLE_CLIENT_ID> \ client_secret=<GOOGLE_CLIENT_SECRET>
-
Create a role for a given Google group, mapping to a set of policies:
$ vault write auth/google/role/hello \ bound_domain=<DOMAIN> \ bound_emails=tom@<DOMAIN> \ policies=hello
-
Login using Google credentials (NB we use
open
to navigate to the Google Auth URL to get the code).$ open $(vault read -field=url auth/google/code_url) $ vault write auth/google/login code=$GOOGLE_CODE role=hello
This code is licensed under the MPLv2 license.