Replies: 1 comment
Hi @bojanraic,
I'm thinking of something like this:
```yaml
apiVersion: "vault.banzaicloud.com/v1alpha1"
kind: "Vault"
metadata:
  name: "vault"
  namespace: "vault-namespace"
spec:
  # auth methods, roles and policies are applied by the operator from externalConfig
  externalConfig:
    auth:
      - type: jwt
        path: google-workspace
        description: "Login via Google Workspace"
        config:
          oidc_discovery_url: "https://accounts.google.com"
          bound_issuer: "https://accounts.google.com"
          default_role: "google-user-role"
          # Configure your client ID and secret from Google Workspace OAuth setup
          oidc_client_id: "<GOOGLE_CLIENT_ID>"
          oidc_client_secret: "<GOOGLE_CLIENT_SECRET>"
        roles:
          - name: "google-user-role"
            bound_audiences:
              - "<GOOGLE_CLIENT_ID>"
            user_claim: "email"
            groups_claim: "groups"
            policies: ["allow_secrets"]
            ttl: "1h"
            max_ttl: "24h"
```

A JWT example that might help you: https://github.com/bank-vaults/vault-operator/blob/main/deploy/examples/vault-config-jwt.yaml
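As an added example (not part of this discussion and not code from the vault-operator project): a small offline checker that takes the CR's `auth` list as parsed YAML data and flags the things that most often make a JWT mount either fail to log anyone in or accept more than intended: unfilled `<...>` placeholders, a missing `bound_issuer`, empty `bound_audiences` or audiences that do not include the client ID, a `default_role` that is not defined, the `root` policy on a role, and a `ttl` above `max_ttl`. The function names and the checks are my own assumptions about what is worth linting; the sample data is the CR from the reply above transcribed into Python with its placeholders left in so the checker has something to report.

```python
"""Pre-apply sanity check for the `auth` block of a Bank-Vaults Vault CR that
mounts a JWT/OIDC auth method. Added example: it reads the CR as plain Python
data (the shape PyYAML would produce), runs offline, and never talks to Vault
or Google."""

import re

# Constructed sample: the reply's CR auth block as parsed YAML, with the
# `<...>` placeholders deliberately left in place so the checker flags them.
SAMPLE_AUTH = [
    {
        "type": "jwt",
        "path": "google-workspace",
        "description": "Login via Google Workspace",
        "config": {
            "oidc_discovery_url": "https://accounts.google.com",
            "bound_issuer": "https://accounts.google.com",
            "default_role": "google-user-role",
            "oidc_client_id": "<GOOGLE_CLIENT_ID>",
            "oidc_client_secret": "<GOOGLE_CLIENT_SECRET>",
        },
        "roles": [
            {
                "name": "google-user-role",
                "bound_audiences": ["<GOOGLE_CLIENT_ID>"],
                "user_claim": "email",
                "groups_claim": "groups",
                "policies": ["allow_secrets"],
                "ttl": "1h",
                "max_ttl": "24h",
            }
        ],
    }
]

_PLACEHOLDER = re.compile(r"^<[A-Z0-9_]+>$")
_DURATION = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value) -> int:
    """Convert a Vault-style duration ("1h", "30m", "24h") or a bare number of
    seconds into seconds; raise on anything else."""
    if isinstance(value, int):
        return value
    m = _DURATION.match(str(value))
    if not m:
        raise ValueError(f"unparseable duration {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def check_jwt_auth(auth_entries) -> list:
    """Return human-readable findings for every jwt/oidc mount in the list.
    An empty list means nothing was flagged."""
    findings = []
    for entry in auth_entries:
        if entry.get("type") not in ("jwt", "oidc"):
            continue
        path = entry.get("path", entry["type"])
        cfg = entry.get("config", {})
        roles = {r.get("name"): r for r in entry.get("roles", [])}

        # The method needs a source of signing keys to verify tokens at all.
        if not any(k in cfg for k in ("oidc_discovery_url", "jwks_url", "jwt_validation_pubkeys")):
            findings.append(f"{path}: no key source (oidc_discovery_url/jwks_url/jwt_validation_pubkeys)")
        # Pin the issuer so a token from another IdP is rejected on `iss`.
        if not cfg.get("bound_issuer"):
            findings.append(f"{path}: bound_issuer is not set")
        elif cfg.get("oidc_discovery_url") and cfg["bound_issuer"] != cfg["oidc_discovery_url"]:
            findings.append(f"{path}: bound_issuer differs from oidc_discovery_url (usually identical for OIDC providers)")
        # A default_role that does not exist makes role-less logins fail confusingly.
        if cfg.get("default_role") and cfg["default_role"] not in roles:
            findings.append(f"{path}: default_role {cfg['default_role']!r} is not defined under roles")
        # Unfilled template values must never reach the cluster.
        for key, val in cfg.items():
            if isinstance(val, str) and _PLACEHOLDER.match(val):
                findings.append(f"{path}: config.{key} still holds placeholder {val}")

        client_id = cfg.get("oidc_client_id")
        for name, role in roles.items():
            aud = role.get("bound_audiences") or []
            if not aud:
                findings.append(f"{path}/{name}: bound_audiences is empty; any audience would be accepted")
            elif client_id and client_id not in aud:
                findings.append(f"{path}/{name}: bound_audiences does not include oidc_client_id")
            for a in aud:
                if isinstance(a, str) and _PLACEHOLDER.match(a):
                    findings.append(f"{path}/{name}: bound_audiences still holds placeholder {a}")
            if not role.get("user_claim"):
                findings.append(f"{path}/{name}: user_claim is not set")
            pols = role.get("policies") or []
            if not pols:
                findings.append(f"{path}/{name}: no policies attached")
            if "root" in pols:
                findings.append(f"{path}/{name}: attaches the root policy")
            if "ttl" in role and "max_ttl" in role:
                if parse_duration(role["ttl"]) > parse_duration(role["max_ttl"]):
                    findings.append(f"{path}/{name}: ttl exceeds max_ttl")
    return findings


if __name__ == "__main__":
    for line in check_jwt_auth(SAMPLE_AUTH) or ["no findings"]:
        print(line)
```

Run against the sample it reports only the three placeholder values; once real IDs are filled in (in practice from a Secret or Vault's own KV rather than literally in the CR), the same call returns an empty list, which is the state worth gating a `kubectl apply` on.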
Hello,
I've been looking at https://developer.hashicorp.com/vault/tutorials/auth-methods/google-workspace-oauth
and trying to see if a similar Google auth setup is possible with Vault CR.
I'd want to enable users to sign in with their internal workspace Google ID and then control further access via Vault groups and policies.
Has anyone done something similar? Any YAML snippets you could share?
Thanks!