This repository has been archived by the owner on Feb 11, 2023. It is now read-only.
Google Groups Setup
Uriah Carpenter edited this page May 8, 2018 · 13 revisions
If using Google authentication, you can add fine-grained authorization control by using the provided Google Groups lookup service. This is very convenient if your organization already uses Google Groups mailing lists.
The setup is a bit complicated, but the basic steps are:
- Create a Google APIs service account that Lambda@Edge will use to query the Google Groups API
- Edit the service account credentials JSON file to add the group email addresses that are allowed to access the Cloudfront distribution
- Grant permissions for the APIs service account to query your Google Groups domain
- Run the cloudfront-auth build to bundle the Google Groups authentication provider into the Lambda ZIP
1. First, follow the initial Google setup steps in the main README (stop before running `make`)
2. Using the Google Developers Console:
   - On the Dashboard page, choose Enable APIs and Services
   - Enable two services: Admin SDK and Google+ API
   - From the Hamburger menu on the left, choose IAM & admin, then Service accounts, then Create service account
   - Enter a name (e.g. `groups-query`)
   - Set the Role selector to Project --> Viewer
   - Enable Furnish a new private key with key type of JSON
   - Enable Enable G Suite Domain-wide Delegation
   - Create will download a JSON file; save the file in your cloned cloudfront-auth project directory as `google-authz.json`
3. Edit the JSON file and add the key `cloudfront_authz_groups` with an array of groups to be checked: `"cloudfront_authz_groups": [ "foo@example.com", "bar@example.com" ]`. (Don't forget the comma required to separate key/value pairs. Use a JSON validator to ensure your file has no syntax errors.)
   - Take note of the value of the `client_id` key. You will need this value in the next step.
```json
{
  "type": "service_account",
  "project_id": "example",
  "private_key_id": "h54h8t1eg65s1d6fg1re81r651g",
  "private_key": "-----BEGIN PRIVATE KEY-----\ndh54et5aa4rg5d4fht5e4h5d4fg5sdf54h5sh65s1651h51s\n-----END PRIVATE KEY-----\n",
  "client_email": "cloudfront-google-authz@example.iam.gserviceaccount.com",
  "client_id": "452521516513132321315",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudfront-google-authz%40example.iam.gserviceaccount.com",
  "cloudfront_authz_groups": [ "foo@example.com", "bar@example.com" ]
}
```
4. Perform the following setup as an administrator using the G Suite Admin Console:
   - Navigate to Security --> Advanced Settings --> Manage API client access
   - Enter the `client_id` value (`452521516513132321315` in the above example) in the Client Name field.
   - Enter `https://www.googleapis.com/auth/admin.directory.group.member.readonly` in the API Scopes field.
   - Click Authorize to submit the values
5. Run `make`
   - Choose Google Groups Lookup as the authorization method
   - For Service Account Email, enter an email address that the service account will impersonate to query the Groups API. This user will need sufficient permissions to view the members of the configured groups.
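The following is an added example, not code from cloudfront-auth: it validates a `google-authz.json` of the shape shown above (catching the missing-comma and empty-group-list mistakes the steps warn about) and then makes the allow/deny decision a group-membership check needs. The `memberLookup` callback is an assumed stand-in for the Admin SDK group members call; the sample config and membership data are constructed for the demonstration.

```javascript
// Added example, not part of cloudfront-auth: validate a google-authz.json of the
// shape shown above and make the allow/deny decision a group-based check needs.
// `memberLookup` stands in for the Admin SDK members call (an assumption);
// the sample config and membership data below are constructed for the demo.
const REQUIRED_KEYS = ['type', 'project_id', 'private_key', 'client_email',
                       'client_id', 'cloudfront_authz_groups'];
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Parse and validate the file contents; throws a specific message on any defect
// (invalid JSON such as a missing comma, missing keys, empty or malformed group list).
function parseAuthzConfig(text) {
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch (e) {
    throw new Error('google-authz.json is not valid JSON: ' + e.message);
  }
  const missing = REQUIRED_KEYS.filter((k) => !(k in cfg));
  if (missing.length) throw new Error('missing keys: ' + missing.join(', '));
  if (cfg.type !== 'service_account') throw new Error('type must be "service_account"');
  const groups = cfg.cloudfront_authz_groups;
  if (!Array.isArray(groups) || groups.length === 0) {
    throw new Error('cloudfront_authz_groups must be a non-empty array');
  }
  const bad = groups.filter((g) => typeof g !== 'string' || !EMAIL_RE.test(g));
  if (bad.length) throw new Error('not group email addresses: ' + bad.join(', '));
  // The file also holds the service account's private key: keep it out of version control.
  return { clientId: cfg.client_id, groups: groups.map((g) => g.toLowerCase()) };
}

// Allow only a user who is a member of at least one configured group.
// memberLookup(group) returns that group's member email addresses.
function isAuthorized(userEmail, groups, memberLookup) {
  const user = String(userEmail || '').trim().toLowerCase();
  if (!EMAIL_RE.test(user)) return false; // deny an empty or malformed identity
  return groups.some((group) =>
    memberLookup(group).some((m) => m.toLowerCase() === user));
}

// Constructed sample data so the example runs offline.
const SAMPLE_CONFIG = JSON.stringify({
  type: 'service_account', project_id: 'example', private_key_id: 'fake',
  private_key: '-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n',
  client_email: 'cloudfront-google-authz@example.iam.gserviceaccount.com',
  client_id: '452521516513132321315',
  cloudfront_authz_groups: ['foo@example.com', 'Bar@example.com'],
});
const SAMPLE_MEMBERS = { 'foo@example.com': ['alice@example.com'],
                         'bar@example.com': ['Bob@example.com'] };
const sampleLookup = (group) => SAMPLE_MEMBERS[group] || [];
```

Group addresses and user identities are compared case-insensitively, and an empty or malformed identity is denied rather than matched against nothing.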