Google Groups via G Suite

Organizations that have a G Suite account (formerly Google Apps for Work) can use Google Groups to manage the roles users are granted.

Service Account Setup

In order to read a user’s group membership, Fiat must call the Google Admin Directory API. To do so, we will set up a Google Cloud Platform (GCP) service account and grant it access to the Directory API through domain-wide delegation.

  1. Enable the Admin SDK API for your GCP project.

  2. In your Cloud Console, create a service account that will access the G Suite Directory API.

    (Figure: creating a service account for Fiat in the GCP console)

    1. Navigate to the “IAM & Admin” –> Service accounts section.
    2. Click “Create Service Account.”
    3. Give it a name like “spinnaker-fiat.”
    4. Select “Furnish a new private key” and select the JSON format.
    5. Select “Enable G Suite Domain-wide Delegation.”
    6. Click “Create”, which should download the private key for your new service account (see figure below).
    7. Transfer this JSON file to a known location in your Spinnaker deployment.
    8. You should see your newly created service account in the list, along with “DwD” (domain-wide delegation) and an option to “View Client ID”. Click “View Client ID” (see figure below).
    9. Note the Client ID displayed. It will be used in step 3, when you authorize the service account in the G Suite Admin console.

    (Figure: viewing the client ID)

  3. Give your service account access to the G Suite Directory API in the G Suite Admin console.

    (Figure: authorizing the service account to access the Directory API)

    1. Navigate to the “Security” Settings page.
    2. Under “Advanced settings”, click “Manage API client access.”
    3. Enter the Client ID noted above under “Client Name.”
    4. Enter https://www.googleapis.com/auth/admin.directory.group.readonly as the API scope.
    5. Click “Authorize.”

Configure with Halyard

With the authorized service account’s credentials in hand, use Halyard to configure Fiat:

ADMIN=admin@your.org              # An administrator's email address (placeholder; use a real G Suite admin)
CREDENTIALS=/path/to/creds.json   # The downloaded service account credentials
DOMAIN=your.org                   # Your organization's domain

hal config security authz google edit \
    --admin-username $ADMIN \
    --credential-path $CREDENTIALS \
    --domain $DOMAIN

hal config security authz edit --type google

hal config security authz enable
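Before enabling authorization, it is worth checking that the key file and the delegation actually work, and worth understanding what the key grants: with domain-wide delegation the service account signs a JWT whose `sub` claim names the admin user it acts as, so the JSON file is effectively an admin-scoped credential (read-only on groups, thanks to the scope you authorized) and should be stored as such. The script below is an added example, not part of the Spinnaker docs; it assumes the `google-auth` and `google-api-python-client` packages are installed for the live check, while the claim-building and response-parsing helpers use only the standard library.

```python
"""Sanity-check the Fiat / G Suite delegation setup (added example, not Spinnaker code)."""
import json
import time

# Scope authorized under "Manage API client access" in the G Suite Admin console.
GROUP_READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"


def load_key_file(path):
    """Load the downloaded service-account JSON key and check the fields delegation needs."""
    with open(path) as f:
        key = json.load(f)
    for field in ("type", "client_id", "client_email", "private_key", "token_uri"):
        if field not in key:
            raise ValueError(f"key file is missing {field!r}")
    if key["type"] != "service_account":
        raise ValueError("not a service-account key")
    return key  # key["client_id"] is the value entered under "Client Name"


def build_delegation_claims(key, admin_email, scope=GROUP_READONLY_SCOPE, now=None):
    """Claim set the service account signs for domain-wide delegation.
    'sub' is what turns this into impersonation: the access token Google returns
    acts as admin_email, limited to 'scope'. The signed JWT goes to key['token_uri']."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": admin_email,          # the G Suite user being impersonated
        "scope": scope,
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,           # Google accepts a lifetime of at most one hour
    }


def parse_groups(response):
    """Group e-mail addresses from a Directory API groups.list response body."""
    return sorted(g["email"] for g in response.get("groups", []))


def groups_for_user(key_path, admin_email, user_email):
    """Live check: list the groups user_email belongs to, as Fiat will see them."""
    from google.oauth2 import service_account    # assumed installed
    from googleapiclient.discovery import build  # assumed installed
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=[GROUP_READONLY_SCOPE]).with_subject(admin_email)
    directory = build("admin", "directory_v1", credentials=creds)
    return parse_groups(directory.groups().list(userKey=user_email).execute())
```

Run `groups_for_user(CREDENTIALS, ADMIN, "someone@your.org")` with the values from the Halyard block; an empty list for a user you know is in a group usually means the scope or Client ID in the Admin console does not match the key file.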

Troubleshooting