This repository has been archived by the owner on Feb 11, 2023. It is now read-only.

Google Groups Setup

Uriah Carpenter edited this page May 8, 2018 · 13 revisions

Google Groups Authorization

If using Google authentication, you can add fine-grained authorization control by using the provided Google Groups lookup service. This is very convenient if your organization already uses Google Groups mailing lists.

The setup is a bit complicated, but the basic steps are:

  1. Create a Google APIs service account that Lambda@Edge will use to query the Google Groups API
  2. Edit the service account credentials JSON file to add the group email addresses that are allowed to access the Cloudfront distribution
  3. Grant permissions for the APIs service account to query your Google Groups domain
  4. Run the cloudfront-auth build to bundle the Google Groups authentication provider into the Lambda ZIP

Google Developers Console Setup

  1. First, follow the initial Google setup steps in the main README (stop before running make)
  2. Using the Google Developers Console
    • On the Dashboard page, choose Enable APIs and Services
    • Enable two services: Admin SDK and Google+ API
    • From the Hamburger menu on the left, choose IAM & admin, then Service accounts, then Create service account
      • Enter a name (e.g. groups-query)
      • Set Role selector to Project --> Viewer
      • Enable Furnish a new private key with key type of JSON
      • Tick the Enable G Suite Domain-wide Delegation checkbox
      • Create will download a JSON file; save the file in your cloned cloudfront-auth project directory as google-authz.json
    • Edit the JSON file and add the key cloudfront_authz_groups with an array of groups to be checked: "cloudfront_authz_groups": [ "foo@example.com", "bar@example.com" ]. (Don't forget the comma required to separate key/value pairs. Use a JSON validator to ensure your file has no syntax errors.)
    • Take note of the value of the client_id key. You will need this value in the next step.
{
  "type": "service_account",
  "project_id": "example",
  "private_key_id": "h54h8t1eg65s1d6fg1re81r651g",
  "private_key": "-----BEGIN PRIVATE KEY-----\ndh54et5aa4rg5d4fht5e4h5d4fg5sdf54h5sh65s1651h51s\n-----END PRIVATE KEY-----\n",
  "client_email": "cloudfront-google-authz@example.iam.gserviceaccount.com",
  "client_id": "452521516513132321315",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudfront-google-authz%40example.iam.gserviceaccount.com",
  "cloudfront_authz_groups": [ "foo@example.com", "bar@example.com" ]
}

G Suite Admin Console Setup

  1. Perform the following setup as an administrator using the G-Suite Admin Console
    • Navigate to Security --> Advanced Settings --> Manage API client access
    • Enter the client_id value (452521516513132321315 in the above example) in the Client Name field.
    • Enter https://www.googleapis.com/auth/admin.directory.group.member.readonly in the API Scopes field.
    • Click Authorize to submit the values

Build Lambda ZIP

  1. Run make
    • Choose Google Groups Lookup as the authorization method
    • For Service Account Email enter an email address that the service account will impersonate to query the Groups API. This user will need sufficient permissions to view the members of the configured groups.