/google-auth-vault-plugin

A plugin for Hashicorp Vault to allow Google Domain authentication.

Primary LanguageGoMozilla Public License 2.0MPL-2.0

HashiCorp Vault plugin for Google Auth.

A HashiCorp Vault plugin for Google Auth.

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

  1. Compile the plugin from source.

  2. Move the compiled plugin into Vault's configured plugin_directory:

    $ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin
  3. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

    $ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1)
    $ vault write sys/plugins/catalog/google-auth-vault-plugin \
        sha_256="${SHA256}" \
        command="google-auth-vault-plugin"
  4. Mount the auth method:

    $ vault auth-enable \
        -path="google" \
        -plugin-name="google-auth-vault-plugin" plugin
  5. Create an OAuth client ID in the Google Cloud Console, of type "Other".

  6. Configure the auth method:

    $ vault write auth/google/config \
        client_id=<GOOGLE_CLIENT_ID> \
        client_secret=<GOOGLE_CLIENT_SECRET>
  7. Create a role for a given set of Google users mapping to a set of policies:

    Create a policy called hello: vault polices

    $ vault write auth/google/role/hello \
        bound_domain=<DOMAIN> \
        bound_emails=myuseremail@<DOMAIN>,otheremail@<DOMAIN> \
        policies=hello

    The plugin can also map users to policies via Google Groups; however you need to consider how groups are retrieved and whether having administative permissions for the plugin is acceptable.

    Use with caution.

    Alternative auth method with groups enabled:

    $ vault write auth/google/config \
        client_id=<GOOGLE_CLIENT_ID> \
        client_secret=<GOOGLE_CLIENT_SECRET> \
        fetch_groups=true

    Create a role for a Google group mapping to a set of policies:

    $ vault write auth/google/role/hello \
        bound_domain=<DOMAIN> \
        bound_groups=SecurityTeam,WebTeam \
        policies=hello
  8. Login using Google credentials (NB we use open to navigate to the Google Auth URL to get the code).

    $ open $(vault read -field=url auth/google/code_url)
    $ vault write auth/google/login code=$GOOGLE_CODE role=hello

Notes

  • If running this inside a docker container or similar, you need to ensure the plugin has the IPC_CAP as well as vault.

    e.g.

    $ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin
  • When building remember your target platform.

    e.g. on MacOS targeting Linux:

    GOOS=linux make
  • You may need to set api_addr

    This can be set at the top level for a standalone setup, or in a ha_storage stanza.

License

This code is licensed under the MPLv2 license.