From 580fc6bed5097f130253d877789ee93ff7fc8e54 Mon Sep 17 00:00:00 2001 From: Viacheslav Sychov Date: Thu, 8 Jun 2023 15:02:46 +0200 Subject: [PATCH] adjust documentation according to pr's dexidp/dex#2989 and dexidp/dex#2911 Signed-off-by: Viacheslav Sychov --- content/docs/connectors/google.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/content/docs/connectors/google.md b/content/docs/connectors/google.md index 20ce3ed..ff3affa 100644 --- a/content/docs/connectors/google.md +++ b/content/docs/connectors/google.md @@ -50,7 +50,9 @@ connectors: # of a G Suite admin to impersonate: # #serviceAccountFilePath: googleAuth.json - #adminEmail: super-user@example.com + #domainToAdminEmail: + # *: super-user@example.com + # my-domain.com: super-user@my-domain.com ``` ## Fetching groups from Google 
@@ -63,6 +65,9 @@ To get group fetching set up: - During service account creation, a JSON key file will be created that contains authentication information for the service account. This needs storing in a location accessible by Dex and you will set the `serviceAccountFilePath` to point at it. - When delegating the API scopes to the service account, delegate the `https://www.googleapis.com/auth/admin.directory.group.readonly` scope and only this scope. If you delegate more scopes to the service account, it will not be able to access the API. 2. Enable the [Admin SDK](https://console.developers.google.com/apis/library/admin.googleapis.com/) -3. Add the `serviceAccountFilePath` and `adminEmail` configuration options to your Dex config. +3. Add the `serviceAccountFilePath` and `domainToAdminEmail` configuration options to your Dex config. - `serviceAccountFilePath` should point to the location of the service account JSON key file - - `adminEmail` should be the email of a Google Workspace user with a minimum of the `Groups Reader (BETA)` Role assigned. The service account you created earlier will impersonate this user when making calls to the admin API. A valid user should be able to retrieve a list of groups when [testing the API](https://developers.google.com/admin-sdk/directory/v1/reference/groups/list#try-it). + - `domainToAdminEmail` should be the map of emails (domain - key, email - value) of a Google Workspace user with a minimum of the `Groups Reader (BETA)` Role assigned. The service account you created earlier will impersonate this user when making calls to the admin API. A valid user should be able to retrieve a list of groups when [testing the API](https://developers.google.com/admin-sdk/directory/v1/reference/groups/list#try-it). 
+ +## GKE Workload Identity +When operating DEX on GKE or GCE, it's possible and better to use the service account derived from [metadata](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to retrieve groups. The google service account must have the Service Account Token Creator role (`roles/iam.serviceAccountTokenCreator`). If this is the case, it becomes unnecessary to specify the `serviceAccountFilePath` configuration option. \ No newline at end of file
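Review bot: in the `@@ -50,7 +50,9 @@` hunk the new `domainToAdminEmail` example is not valid YAML once a user uncomments it: `*` is a YAML indicator character, so a plain scalar cannot start with it and `*: super-user@example.com` is read as an alias rather than as the key `*`. Quote it, e.g. `"*": super-user@example.com`, and keep both domain entries indented under `domainToAdminEmail:` as the comment already does. The comment also never says what the `*` entry means; spell it out (presumably the admin email used for any login domain that has no explicit key), since this hunk is the first place the key appears.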
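Review bot: in the `@@ -63,6 +65,9 @@` hunk the new `## GKE Workload Identity` section says `serviceAccountFilePath` becomes unnecessary but not which options remain required; state that `domainToAdminEmail` (the user the service account impersonates) and the domain-wide delegation of the `https://www.googleapis.com/auth/admin.directory.group.readonly` scope from the steps above still apply, because the metadata-derived service account only replaces the key file, not the impersonation target. The heading and the link are specific to GKE Workload Identity while the sentence also claims GCE, where the credential comes from the VM's attached service account rather than Workload Identity, so either drop GCE or reword to "the service account exposed by the instance or pod metadata server"; use "Dex" rather than "DEX" to match the rest of the page. The rewritten step-3 bullet reads awkwardly ("the map of emails (domain - key, email - value) of a Google Workspace user"); suggest "a map from email domain to the email of a Google Workspace user with at least the `Groups Reader (BETA)` role assigned; the `*` key is used for domains without their own entry". Finally, add a trailing newline, since the diff ends with `\ No newline at end of file`.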