HashiCorp Vault plugin for Google Auth.

A HashiCorp Vault plugin for Google Auth.

Setup

The setup guide assumes some familiarity with Vault and Vault's plugin ecosystem. You must have a Vault server already running, unsealed, and authenticated.

1. Compile the plugin from source.

2. Move the compiled plugin into Vault's configured plugin_directory:

   $ mv google-auth-vault-plugin /etc/vault/plugins/google-auth-vault-plugin

3. Calculate the SHA256 of the plugin and register it in Vault's plugin catalog. If you are downloading the pre-compiled binary, it is highly recommended that you use the published checksums to verify integrity.

   $ export SHA256=$(shasum -a 256 "/etc/vault/plugins/google-auth-vault-plugin" | cut -d' ' -f1)
   $ vault write sys/plugins/catalog/google-auth-vault-plugin \
       sha_256="${SHA256}" \
       command="google-auth-vault-plugin"

4. Mount the auth method:

   $ vault auth-enable \
       -path="google" \
       -plugin-name="google-auth-vault-plugin" plugin

5. Create an OAuth client ID in the Google Cloud Console, of type "Other".

6. Configure the auth method:

   $ vault write auth/google/config \
       client_id=<GOOGLE_CLIENT_ID> \
       client_secret=<GOOGLE_CLIENT_SECRET>

7. Create a role for a given set of Google users mapping to a set of policies:

   Create a policy called hello: vault polices

   $ vault write auth/google/role/hello \
       bound_domain=<DOMAIN> \
       bound_emails=myuseremail@<DOMAIN>,otheremail@<DOMAIN> \
       policies=hello

   The plugin can also map users to policies via Google Groups; however you need to consider how groups are retrieved and whether having administative permissions for the plugin is acceptable.

   Use with caution.

   Alternative auth method with groups enabled:

   $ vault write auth/google/config \
       client_id=<GOOGLE_CLIENT_ID> \
       client_secret=<GOOGLE_CLIENT_SECRET> \
       fetch_groups=true

   Create a role for a Google group mapping to a set of policies:

   $ vault write auth/google/role/hello \
       bound_domain=<DOMAIN> \
       bound_groups=SecurityTeam,WebTeam \
       policies=hello

8. Login using Google credentials (NB we use open to navigate to the Google Auth URL to get the code).

   $ open $(vault read -field=url auth/google/code_url)
   $ vault write auth/google/login code=$GOOGLE_CODE role=hello

Notes

• If running this inside a docker container or similar, you need to ensure the plugin has the IPC_CAP as well as vault.

  e.g.

  $ sudo setcap cap_ipc_lock=+ep /etc/vault/plugins/google-auth-vault-plugin

• When building remember your target platform.

  e.g. on MacOS targeting Linux:

  GOOS=linux make

• You may need to set api_addr

  This can be set at the top level for a standalone setup, or in a ha_storage stanza.

License

This code is licensed under the MPLv2 license.