adjust documentation according to PRs dexidp/dex#2989 and dexidp/dex#2911

Signed-off-by: Viacheslav Sychov <[email protected]>
@@ -50,7 +50,9 @@ connectors: | |
# of a G Suite admin to impersonate: | ||
# | ||
#serviceAccountFilePath: googleAuth.json | ||
#adminEmail: [email protected] | ||
#domainToAdminEmail: | ||
# *: [email protected] | ||
# my-domain.com: [email protected] | ||
``` | ||
|
||
## Fetching groups from Google | ||
|
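Review bot: the new `#domainToAdminEmail:` example does not explain what the `*` key means; since the surrounding lines are all commented-out configuration, a one-line comment such as `# "*" is used for any domain not listed explicitly` would make the fallback behaviour clear, and it should also say that each value must be the email of a user in that domain who holds the Groups Reader role, matching the text in the "Fetching groups from Google" section. The hunk also drops the `#adminEmail:` example without saying whether existing configurations that still set `adminEmail` keep working; if the option is deprecated rather than removed, noting that here helps operators upgrading Dex.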
@@ -63,6 +65,9 @@ To get group fetching set up: | |
- During service account creation, a JSON key file will be created that contains authentication information for the service account. This needs storing in a location accessible by Dex and you will set the `serviceAccountFilePath` to point at it. | ||
- When delegating the API scopes to the service account, delegate the `https://www.googleapis.com/auth/admin.directory.group.readonly` scope and only this scope. If you delegate more scopes to the service account, it will not be able to access the API. | ||
2. Enable the [Admin SDK](https://console.developers.google.com/apis/library/admin.googleapis.com/) | ||
3. Add the `serviceAccountFilePath` and `adminEmail` configuration options to your Dex config. | ||
3. Add the `serviceAccountFilePath` and `domainToAdminEmail` configuration options to your Dex config. | ||
- `serviceAccountFilePath` should point to the location of the service account JSON key file | ||
- `adminEmail` should be the email of a Google Workspace user with a minimum of the `Groups Reader (BETA)` Role assigned. The service account you created earlier will impersonate this user when making calls to the admin API. A valid user should be able to retrieve a list of groups when [testing the API](https://developers.google.com/admin-sdk/directory/v1/reference/groups/list#try-it). | ||
- `domainToAdminEmail` should be the map of emails (domain - key, email - value) of a Google Workspace user with a minimum of the `Groups Reader (BETA)` Role assigned. The service account you created earlier will impersonate this user when making calls to the admin API. A valid user should be able to retrieve a list of groups when [testing the API](https://developers.google.com/admin-sdk/directory/v1/reference/groups/list#try-it). | ||
|
||
## GKE Workload Identity | ||
When operating DEX on GKE or GCE, it's possible and better to use the service account derived from [metadata](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to retrieve groups. The google service account must have the Service Account Token Creator role (`roles/iam.serviceAccountTokenCreator`). If this is the case, it becomes unnecessary to specify the `serviceAccountFilePath` configuration option. |