Last active
March 19, 2023 20:58
-
-
Save zboralski/8f44f9a3ece6cd01fbc675943b490a80 to your computer and use it in GitHub Desktop.
Vault OIDC Google Provider Configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Configures Vault's OIDC authentication method to use Google as the provider. | |
| # It retrieves the client ID and client secret from Vault, formats the GSuite service account | |
| # JSON as required by Vault, and writes the configuration to Vault using the "gsuite" provider. | |
| # This script assumes that Vault has already been initialized and unsealed, and that the OIDC | |
| # authentication method has been enabled. | |
| # Write first your Google Cloud Platform (GCP) credentials to HashiCorp Vault using | |
| # https://gist.github.com/zboralski/709b2427bff863ab7868c6a1d2125591#file-vault-oidc-google-secrets-sh | |
| # OIDC Provider Configuration | Google | |
| # https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/google | |
| # Set project and service account variables | |
| PROJECT="example-vault-us" | |
| SERVICE_ACCOUNT="example-vault-us-1aab5d7d48ab.json" | |
| # Set the email address of the GSuite admin | |
| GSUITE_ADMIN="user@example.com" | |
| # Set secret paths | |
| SECRET_ROOT="secret/gcloud/${PROJECT}" | |
| SERVICE_ACCOUNT_SECRET="${SECRET_ROOT}/gsuite_service_account" | |
| CLIENT_SECRET="${SECRET_ROOT}/client_secret" | |
| # Retrieve the service account from Vault, format it as JSON, and encode it again with properly escaped characters | |
| GSUITE_SERVICE_ACCOUNT=$(vault kv get -format=json ${SERVICE_ACCOUNT_SECRET} | \ | |
| jq -c '.data.data' | jq -c '. |= @json') | |
| # Set OIDC config variables | |
| OIDC_CONFIG="auth/oidc/config" | |
| OIDC_DISCOVERY_URL="https://accounts.google.com" | |
| OIDC_CLIENT_ID=$(vault kv get -format=json "${CLIENT_SECRET}" | jq -r '.data.data.client_id') | |
| OIDC_CLIENT_SECRET=$(vault kv get -format=json "${CLIENT_SECRET}" | jq -r '.data.data.client_secret') | |
| # Write the OIDC config to Vault using a heredoc | |
| vault write "${OIDC_CONFIG}" -<<EOF | |
| { | |
| "oidc_discovery_url": "${OIDC_DISCOVERY_URL}", | |
| "oidc_client_id": "${OIDC_CLIENT_ID}", | |
| "oidc_client_secret": "${OIDC_CLIENT_SECRET}", | |
| "default_role": "default", | |
| "provider_config": { | |
| "provider": "gsuite", | |
| "gsuite_service_account": ${GSUITE_SERVICE_ACCOUNT}, | |
| "gsuite_admin_impersonate": "${GSUITE_ADMIN}", | |
| "fetch_groups": true, | |
| "fetch_user_info": true, | |
| "groups_recurse_max_depth": 5, | |
| "user_custom_schemas": "Preferences" | |
| } | |
| } | |
| EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment