(refactor) use service account

README.md

@@ -41,48 +41,23 @@ for regular synchronization.
 ## Configuration
 
 You need a few items of configuration. One side from AWS, and the other
-from Google Cloud / Apps to allow for API access to each. You should have configured
+from Google Cloud to allow for API access to each. You should have configured
 Google as your Identity Provider for AWS SSO already.
 
 You will need the files produced by these steps for AWS Lambda deployment as well
 as locally running the ssosync tool.
 
 ### Google
 
-Head to the [Google Cloud Console](https://console.cloud.google.com/) for your Domain
-(Specifically API & Services ->
-[Credentials](https://console.cloud.google.com/projectselector2/apis/credentials))
-and Create a Project.
+First, you have to setup your API. In the project you want to use go to the [Console](https://console.developers.google.com/apis) and select *API & Services* > *Enable APIs and Services*. Search for *Admin SDK* and *Enable* the API. 
 
-Creating a project will take a few seconds. Once it is complete, you can then Configure the Consent
-Screen (there will be a clear warning and button for it). Click Through and select "Internal". Give
-a name and press Save as you don't need the rest.
+You have to perform this [tutorial](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to create a service account that you use to sync your users. Save the JSON file your create during the process and rename it to `credentials.json`. 
 
-Now go back to Credentials, Click Create Credentials and then select OAuth client ID. Select Other and
-provide a name. You will be displayed credentials, press okay and then use the download button, and a
-JSON file will download.
+> you can also use the `--google-credentials` parameter to explicitly specify the file with the service credentials. Please, keep this file safe, or store it in the AWS Secrets Manager
 
-**THIS FILE IS IMPORTANT AND SECRET - KEEP IT SAFE**
+In the domain-wide delegation for the Admin API, you have to specificy the following scopes for user.
 
-With this done, you can log in and generate a token.json file. To create the file, use the
-`ssosync google` command. With help output, it looks like this:
-
-```text
-Log in to Google - use me to generate the files needed for the main command
-
-Usage:
-  ssosync google [flags]
-
-Flags:
-  -h, --help               help for google
-      --path string        set the path to find credentials (default "credentials.json")
-      --tokenPath string   set the path to put token.json output into (default "token.json")
-```
-
-When you run the command correctly, it will give a URL to load in your browser. Go to it, and you'll get
-a string to paste back and enter. Once you paste the line in, the file generates.
-
-The Token file is useless without the Credentials File - but keep it safe.
+`https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly`
 
 Back in the Console go to the Dashboard for the API & Services and select "Enable API and Services".
 In the Search box type `Admin` and select the `Admin SDK` option. Click the `Enable` button.
@@ -93,12 +68,13 @@ Go to the AWS Single Sign-On console in the region you have set up AWS SSO and s
 Settings. Click `Enable automatic provisioning`.
 
 A pop up will appear with URL and the Access Token. The Access Token will only appear
-at this stage. You want to copy both of these into a text file which ends in the extension
-`.toml`.
+at this stage. You want to copy both of these as a parameter to the `ssosync` command.
+
+Or you specifc these as environment variables.
 
-```toml
-Token    = "tokenHere"
-Endpoint = "https://scim.eu-west-1.amazonaws.com/a-guid-would-be-here/scim/v2/"
+```
+SSOSYNC_SCIM_ACCESS_TOKEN=<YOUR_TOKEN>
+SSOSYNC_SCIM_ENDPOINT=<YOUR_ENDPOINT>
 ```
 
 ## Local Usage
@@ -110,23 +86,21 @@ The default for ssosync is to run through the sync.
 ```text
 A command line tool to enable you to synchronise your Google
 Apps (G-Suite) users to AWS Single Sign-on (AWS SSO)
+Complete documentation is available at https://github.com/awslabs/ssosync
 
 Usage:
   ssosync [flags]
-  ssosync [command]
-
-Available Commands:
-  google      Log in to Google
-  help        Help about any command
 
 Flags:
-  -d, --debug                          Enable verbose / debug logging
-  -c, --googleCredentialsPath string   set the path to find credentials for Google (default "credentials.json")
-  -t, --googleTokenPath string         set the path to find token for Google (default "token.json")
-  -h, --help                           help for ssosync
-  -s, --scimConfig string              AWS SSO SCIM Configuration (default "aws.toml")
-
-Use "ssosync [command] --help" for more information about a command.
+  -t, --access-token string         SCIM Access Token
+  -d, --debug                       Enable verbose / debug logging
+  -e, --endpoint string             SCIM Endpoint
+  -u, --google-admin string         Google Admin Email
+  -c, --google-credentials string   set the path to find credentials for Google (default "credentials.json")
+  -h, --help                        help for ssosync
+      --log-format string           log format (default "text")
+      --log-level string            log level (default "warn")
+  -v, --version                     version for ssosync
 ```
 
 The output of the command when run without 'debug' turned on looks like this:

cmd/lambda.go

@@ -85,7 +85,7 @@ func removeFileSilently(name string) {
 	_ = os.Remove(name)
 }
 
-// lambdaHandler is the Lambda entry point
+// lambdaHandler is the Lambda entry point.
 func lambdaHandler(cfg *config.Config) func() error {
 	return func() error {
 		if err := internal.DoSync(cfg); err != nil {

cmd/root.go

@@ -72,11 +72,9 @@ func init() {
 
 	// initialize cobra
 	cobra.OnInitialize(initConfig)
-
 	addFlags(rootCmd, cfg)
 
 	rootCmd.SetVersionTemplate(fmt.Sprintf("%s, commit %s, built at %s by %s\n", version, commit, date, builtBy))
-	rootCmd.AddCommand(googleCmd)
 
 	// silence on the root cmd
 	rootCmd.SilenceUsage = true
@@ -90,8 +88,8 @@ func initConfig() {
 	viper.AutomaticEnv()
 
 	viper.BindEnv("google_credentials")
-	viper.BindEnv("google_token")
-	viper.BindEnv("aws_toml")
+	viper.BindEnv("scim_access_token")
+	viper.BindEnv("scim_endpoint")
 	viper.BindEnv("log_level")
 	viper.BindEnv("log_format")
 
@@ -104,12 +102,14 @@ func initConfig() {
 }
 
 func addFlags(cmd *cobra.Command, cfg *config.Config) {
-	rootCmd.PersistentFlags().StringVarP(&cfg.GoogleCredentialsPath, "googleCredentialsPath", "c", config.DefaultGoogleCredentialsPath, "set the path to find credentials for Google")
-	rootCmd.PersistentFlags().StringVarP(&cfg.GoogleTokenPath, "googleTokenPath", "t", config.DefaultGoogleTokenPath, "set the path to find token for Google")
+	rootCmd.PersistentFlags().StringVarP(&cfg.GoogleCredentials, "google-admin", "a", config.DefaultGoogleCredentials, "set the path to find credentials for Google")
 	rootCmd.PersistentFlags().BoolVarP(&cfg.Debug, "debug", "d", config.DefaultDebug, "Enable verbose / debug logging")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogFormat, "log-format", "", config.DefaultLogFormat, "log format")
 	rootCmd.PersistentFlags().StringVarP(&cfg.LogLevel, "log-level", "", config.DefaultLogLevel, "log level")
-	rootCmd.Flags().StringVarP(&cfg.SCIMConfig, "scimConfig", "s", config.DefaultSCIMConfig, "AWS SSO SCIM Configuration")
+	rootCmd.Flags().StringVarP(&cfg.SCIMAccessToken, "access-token", "t", "", "SCIM Access Token")
+	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "SCIM Endpoint")
+	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "set the path to find credentials for Google")
+	rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Admin Email")
 }
 
 func logConfig(cfg *config.Config) {

internal/config/config.go

@@ -8,12 +8,14 @@ type Config struct {
 	LogLevel string `mapstructure:"log_level"`
 	// LogFormat is the format that is used for logging
 	LogFormat string `mapstructure:"log_format"`
-	// GoogleCredentialsPath is the path to the credentials
-	GoogleCredentialsPath string `mapstructure:"google_credentials"`
-	// GoogleTokenPath is the path to the token
-	GoogleTokenPath string `mapstructure:"google_token"`
-	// SCIMConfig is the path to the AWS SSO SCIM Config
-	SCIMConfig string `mapstructure:"aws_toml"`
+	// GoogleCredentials ...
+	GoogleCredentials string `mapstructure:"google_credentials"`
+	// GoogleAdmin ...
+	GoogleAdmin string `mapstructure:"google_admin"`
+	// SCIMEndpoint ....
+	SCIMEndpoint string `mapstructure:"scim_endpoint"`
+	// SCIMAccessToken ...
+	SCIMAccessToken string `mapstructure:"scim_access_token"`
 }
 
 const (
@@ -23,22 +25,16 @@ const (
 	DefaultLogFormat = "text"
 	// DefaultDebug is the default debug status.
 	DefaultDebug = false
-	// DefaultGoogleCredentialsPath is the default credentials path
-	DefaultGoogleCredentialsPath = "credentials.json"
-	// DefaultGoogleTokenPath is the default token path
-	DefaultGoogleTokenPath = "token.json"
-	// DefaultSCIMConfig is the default for the AWS SSO SCIM Configuraiton
-	DefaultSCIMConfig = "aws.toml"
+	// DefaultGoogleCredentials is the default credentials path
+	DefaultGoogleCredentials = "credentials.json"
 )
 
 // New returns a new Config
 func New() *Config {
 	return &Config{
-		Debug:                 DefaultDebug,
-		LogLevel:              DefaultLogLevel,
-		LogFormat:             DefaultLogFormat,
-		GoogleCredentialsPath: DefaultGoogleCredentialsPath,
-		GoogleTokenPath:       DefaultGoogleTokenPath,
-		SCIMConfig:            DefaultSCIMConfig,
+		Debug:             DefaultDebug,
+		LogLevel:          DefaultLogLevel,
+		LogFormat:         DefaultLogFormat,
+		GoogleCredentials: DefaultGoogleCredentials,
 	}
 }

internal/config/config_test.go

@@ -18,7 +18,5 @@ func TestConfig(t *testing.T) {
 	assert.Equal(cfg.LogLevel, DefaultLogLevel)
 	assert.Equal(cfg.LogFormat, DefaultLogFormat)
 	assert.Equal(cfg.Debug, DefaultDebug)
-	assert.Equal(cfg.GoogleCredentialsPath, DefaultGoogleCredentialsPath)
-	assert.Equal(cfg.GoogleTokenPath, DefaultGoogleTokenPath)
-	assert.Equal(cfg.SCIMConfig, DefaultSCIMConfig)
+	assert.Equal(cfg.GoogleCredentials, DefaultGoogleCredentials)
 }