This repository has been archived by the owner on Feb 11, 2023. It is now read-only.

Google Groups Setup

Uriah Carpenter edited this page Feb 12, 2018 · 13 revisions

Google Groups Authorization

For fine-grained authorization control when using Google authentication, a Google Groups lookup provider is included. This is very handy if your development group is already using Google Groups mailing lists.

The setup is a bit tricky, but the basic steps are:

  1. Create a Google APIs service account that Lambda@Edge will use to query the Google Groups API
  2. Edit the JSON credentials file to add the group email addresses that are allowed to access the CloudFront distribution
  3. Grant permissions for the service account to query your G-Suite groups
  4. Run the cloudfront-auth build to bundle the Google Groups authentication provider into the Lambda ZIP

Google Developers Console Setup

  1. Perform the following steps using the Google Developers Console
    • Select the Project you created following the main README
    • On the Dashboard page, choose Enable APIs and Services
    • Enable two services: Admin SDK and Google+ API
    • From the Hamburger menu on the left, choose IAM & admin, then Service accounts, click Create service account
      • Enter a name (e.g. groups-query)
      • Set Role selector to Project --> Viewer
      • Enable Furnish a new private key with key type of JSON
      • Enable Enable G Suite Domain-wide Delegation
      • Clicking Create will download a JSON file; save the file in your cloned cloudfront-auth project directory as google-authz.json
    • Edit the JSON file and add the key cloudfront_authz_groups with an array of groups to be checked: "cloudfront_authz_groups": [ "[email protected]", "[email protected]" ]. (Don't forget the comma required to separate key/value pairs. Use a JSON validator to ensure your file has no syntax errors.)
    • Take note of the value of the client_id key. You will need this value in the next step.
{
  "type": "service_account",
  "project_id": "example",
  "private_key_id": "h54h8t1eg65s1d6fg1re81r651g",
  "private_key": "-----BEGIN PRIVATE KEY-----\ndh54et5aa4rg5d4fht5e4h5d4fg5sdf54h5sh65s1651h51s\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "452521516513132321315",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudfront-google-authz%40example.iam.gserviceaccount.com",
  "cloudfront_authz_groups": [ "[email protected]", "[email protected]" ]
}

G Suite Admin Console Setup

  1. Perform the following setup as an administrator using the G-Suite Admin Console
    • Navigate to Security --> Advanced Settings --> Manage API client access
    • Enter the client_id value (452521516513132321315 in the above example) in the Client Name field.
    • Enter https://www.googleapis.com/auth/admin.directory.group.member.readonly in the API Scopes field.
    • Click Authorize to submit the values

Build Lambda ZIP

  1. Run make
    • Choose Google Groups Lookup as the authorization method
    • For Service Account Email enter an email address that the service account will impersonate to query the Groups API.
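One way to carry out the "use a JSON validator" check from the Developers Console step, as an added example that is not part of cloudfront-auth: a Node.js script that parses google-authz.json and checks the keys this page relies on (the service-account fields, a numeric client_id, a PEM private_key and a non-empty cloudfront_authz_groups array). The group addresses and key material in the sample are constructed placeholders; the client_id and service-account address are taken from the example file above.

```javascript
// Added example (not cloudfront-auth's own code): check a google-authz.json
// before running make, so a missing comma or a mistyped group address is
// caught here rather than when the Lambda@Edge function loads the file.
const REQUIRED_KEYS = ['type', 'project_id', 'private_key', 'client_email', 'client_id', 'cloudfront_authz_groups'];
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PEM_RE = /^-----BEGIN PRIVATE KEY-----\n[\s\S]+\n-----END PRIVATE KEY-----\n?$/;

// Returns { ok, errors, config }; config is only set when every check passes.
function validateAuthzConfig(text) {
  let cfg;
  try {
    cfg = JSON.parse(text);
  } catch (e) {
    // Forgetting the comma after client_x509_cert_url lands here.
    return { ok: false, errors: [`invalid JSON: ${e.message}`], config: null };
  }
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) return { ok: false, errors: ['top level must be a JSON object'], config: null };
  const errors = [];
  for (const k of REQUIRED_KEYS) if (!(k in cfg)) errors.push(`missing key: ${k}`);
  if ('type' in cfg && cfg.type !== 'service_account') errors.push('type must be service_account');
  if ('client_id' in cfg && !/^\d+$/.test(String(cfg.client_id)))
    errors.push('client_id must be the numeric id entered in the G Suite admin console');
  if ('client_email' in cfg && !EMAIL_RE.test(String(cfg.client_email)))
    errors.push('client_email is not an email address');
  if ('private_key' in cfg && !PEM_RE.test(String(cfg.private_key)))
    errors.push('private_key is not a PEM block (check the \\n escapes)');
  const groups = cfg.cloudfront_authz_groups;
  if (groups !== undefined) {
    if (!Array.isArray(groups) || groups.length === 0) {
      errors.push('cloudfront_authz_groups must be a non-empty array');
    } else {
      groups.forEach((g, i) => {
        if (typeof g !== 'string' || !EMAIL_RE.test(g))
          errors.push(`cloudfront_authz_groups[${i}] is not a group email address`);
      });
    }
  }
  return { ok: errors.length === 0, errors, config: errors.length === 0 ? cfg : null };
}

// Constructed sample in the layout shown above; key material is a placeholder.
const SAMPLE_OK = JSON.stringify({
  type: 'service_account', project_id: 'example', private_key_id: 'PLACEHOLDER',
  private_key: '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
  client_email: 'cloudfront-google-authz@example.iam.gserviceaccount.com',
  client_id: '452521516513132321315',
  cloudfront_authz_groups: ['dev-team@example.com', 'ops-team@example.com'],
});
// The same file with the comma before cloudfront_authz_groups dropped.
const SAMPLE_MISSING_COMMA = SAMPLE_OK.replace(',"cloudfront_authz_groups"', ' "cloudfront_authz_groups"');
```

To check a real file, call validateAuthzConfig(require('fs').readFileSync('google-authz.json', 'utf8')) and print the errors array; the file holds the service account's private key, so keep it out of version control and out of any log output.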