Skip to content
This repository has been archived by the owner on Feb 11, 2023. It is now read-only.

Google Groups Setup

Jump to bottom
Uriah Carpenter edited this page Feb 12, 2018 · 13 revisions

Google Groups Authorization

For fine-grained authorization control when using Google authentication a Google Groups lookup provider is provided. This is very handy if your development group already using groups mailing lists.

The setup is a bit tricky, but the basic setups are:

  1. Create a Google APIs service account
  2. Add Google G-Suite permissions to the service account
  3. Run the cloudfront-auth build to bundle the authentication provider into the Lambda ZIP

Setup

  1. Perform the following steps using the Google Developers Console

    • Select the Project you created following the main README
    • On the Dashboard page, choose Enable APIs and Services
    • Enable two services: Admin SDK and Google+ API
    • On the Credentials page select Service account key from the Create credentials menu
    • Choose New service account for the Service Account and enter a name (e.g groups-query); set Role selector to Project --> Viewer; set key type to JSON
    • Clicking create will download a JSON file; save the file as google-groups-auth.json in your cloned cloudfront-auth project directory

  2. Perform the following setup as an administrator using the G-Suite Console

  3. Download your service account file

{
  "type": "service_account",
  "project_id": "example",
  "private_key_id": "h54h8t1eg65s1d6fg1re81r651g",
  "private_key": "-----BEGIN PRIVATE KEY-----\ndh54et5aa4rg5d4fht5e4h5d4fg5sdf54h5sh65s1651h51s\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "452521516513132321315",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudfront-google-authz%40example.iam.gserviceaccount.com"
}
  1. Add 'cloudfront_authz_groups' to the service account file and set its value to an array of google groups that you want the user to be a part of.
{
  "type": "service_account",
  "project_id": "example",
  "private_key_id": "h54h8t1eg65s1d6fg1re81r651g",
  "private_key": "-----BEGIN PRIVATE KEY-----\ndh54et5aa4rg5d4fht5e4h5d4fg5sdf54h5sh65s1651h51s\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "452521516513132321315",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudfront-google-authz%40example.iam.gserviceaccount.com",
  "cloudfront_authz_groups": [ "[email protected]", "[email protected]" ]
}
Clone this wiki locally