This repository has been archived by the owner on Feb 11, 2023. It is now read-only.

Google Groups Setup

Uriah Carpenter edited this page Feb 12, 2018 · 13 revisions

Google Groups Authorization

For fine-grained authorization control when using Google authentication, a Google Groups lookup provider is provided. This is very handy if your development group is already using Google Groups mailing lists.

The setup is a bit tricky, but the basic steps are:

  1. Create a Google APIs service account
  2. Edit JSON credentials file to add permissioned groups
  3. Add Google G-Suite permissions to the service account
  4. Run the cloudfront-auth build to bundle the Google Groups authentication provider into the Lambda ZIP

Developers Console Setup

  1. Perform the following steps using the Google Developers Console
    • Select the Project you created following the main README
    • On the Dashboard page, choose Enable APIs and Services
    • Enable two services: Admin SDK and Google+ API
    • From the Hamburger menu on the left, choose IAM & admin, then Service accounts, click Create service account
      • Enter a name (e.g. groups-query)
      • Set Role selector to Project --> Viewer
      • Enable Furnish a new private key with key type of JSON
      • Tick the Enable G Suite Domain-wide Delegation checkbox
      • Clicking Create will download a JSON file; save the file in your cloned cloudfront-auth project directory as google-authz.json
    • Edit the JSON file and add the key cloudfront_authz_groups with an array of groups to be checked: "cloudfront_authz_groups": [ "[email protected]", "[email protected]" ]. (Don't forget the comma required to separate key/value pairs. Use a JSON validator to ensure your file has no syntax errors.)
    • Take note of the value of the client_id key. You will need this value in the next step.
{
  "type": "service_account",
  "project_id": "example",
  "private_key_id": "h54h8t1eg65s1d6fg1re81r651g",
  "private_key": "-----BEGIN PRIVATE KEY-----\ndh54et5aa4rg5d4fht5e4h5d4fg5sdf54h5sh65s1651h51s\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "452521516513132321315",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudfront-google-authz%40example.iam.gserviceaccount.com",
  "cloudfront_authz_groups": [ "[email protected]", "[email protected]" ]
}

Admin Console Setup

  1. Perform the following setup as an administrator using the G-Suite Console
    • Navigate to Security --> Advanced Settings --> Manage API client access
    • Enter the client_id value (452521516513132321315 in the above example) in the Client Name field.
    • Enter https://www.googleapis.com/auth/admin.directory.group.member.readonly in the API Scopes field.
    • Click Authorize to submit the values

Build Lambda ZIP

  1. Run make
    • Choose Google Groups Lookup as the authorization method
    • For Service Account Email enter an email address that the service account will impersonate to query the Groups API.
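As an added example (not cloudfront-auth's own code), the following Node.js snippet ties the three parts of the setup together: it validates the edited google-authz.json, builds the domain-wide-delegation JWT claim set in which the service account acts as the impersonated Service Account Email with only the read-only group-member scope authorized above, and makes the group-membership decision. The sample credentials file is constructed with placeholder values; the group list used in isAuthorized is assumed to come from the Directory API (groups.list with userKey set to the signed-in user's address).

```javascript
// Added example, not part of cloudfront-auth. Constructed sample of an edited
// google-authz.json; every value below is a placeholder.
const SAMPLE_AUTHZ_JSON = JSON.stringify({
  type: 'service_account',
  client_email: 'groups-query@example.iam.gserviceaccount.com',
  client_id: '452521516513132321315',
  token_uri: 'https://accounts.google.com/o/oauth2/token',
  private_key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
  cloudfront_authz_groups: ['devs@example.com', 'ops@example.com'],
});

// The only scope the Admin Console step authorizes for this client_id.
const GROUP_MEMBER_SCOPE =
  'https://www.googleapis.com/auth/admin.directory.group.member.readonly';
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Parse and validate the credentials file: the keys needed to obtain a token must be
// present, and cloudfront_authz_groups must be a non-empty array of group addresses.
function loadAuthzConfig(jsonText) {
  let cfg;
  try {
    cfg = JSON.parse(jsonText);
  } catch (e) {
    throw new Error('google-authz.json is not valid JSON: ' + e.message);
  }
  for (const k of ['client_email', 'private_key', 'token_uri']) {
    if (typeof cfg[k] !== 'string' || cfg[k] === '') throw new Error('missing key ' + k);
  }
  const groups = cfg.cloudfront_authz_groups;
  if (!Array.isArray(groups) || groups.length === 0 ||
      !groups.every((g) => typeof g === 'string' && EMAIL_RE.test(g))) {
    throw new Error('cloudfront_authz_groups must be a non-empty array of group emails');
  }
  return { ...cfg, cloudfront_authz_groups: groups.map((g) => g.toLowerCase()) };
}

// JWT claim set for domain-wide delegation: iss is the service account, sub is the
// impersonated Service Account Email, scope is restricted to read-only membership.
function buildDelegationClaims(cfg, impersonatedEmail, nowSeconds) {
  return {
    iss: cfg.client_email,
    sub: impersonatedEmail,
    scope: GROUP_MEMBER_SCOPE,
    aud: cfg.token_uri,
    iat: nowSeconds,
    exp: nowSeconds + 3600, // Google rejects assertions valid for more than one hour
  };
}

// Allow the user only if one of their groups is in the permissioned list (case-insensitive).
function isAuthorized(cfg, userGroupEmails) {
  const allowed = new Set(cfg.cloudfront_authz_groups);
  return userGroupEmails.some((g) => allowed.has(String(g).toLowerCase()));
}
```

The claim set is what gets signed with private_key and exchanged at token_uri; an empty or malformed cloudfront_authz_groups fails closed at load time rather than silently admitting everyone.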