Google: Add functionality to impersonate GSuite Admin identity without JSON
Overview
Hi folks, adding an option to impersonate GSuite Admin identity without service account key JSON. This functionality has been recently added as part of google-api-go-client v0.46.0.
What this PR does / why we need it
This feature is primarily aimed at folks running within Google Cloud Platform (GCE/GKE):
- Removes the need for (long-lived) user-managed service account keys when configuring Dex
Addresses: #1756
Special notes for your reviewer
I have not tested this with an actual GSuite tenant, as I don't have one, but can test it sometime next week.
Does this PR introduce a user-facing change?
Add the ability to impersonate GSuite Admin identity without service account JSON when running on Google Cloud Platform
Anything pending to get this moving forward? Happy to contribute.
I would be happy to test this. @sagikazarmark, is it simply docker build -t img . or is the build process more complex?
Maybe it would be good to share the gcloud commands required to set up the service account with impersonation permissions? 😅
Got to:
Failed to authenticate: google: could not retrieve groups: could not list groups: Get "https://admin.googleapis.com/admin/directory/v1/groups?alt=json&pageToken=&prettyPrint=false&userKey=user%40company.com": impersonate: status code 404: { "error": { "code": 404, "message": "Requested entity was not found.", "status": "NOT_FOUND" } }
Not sure how I can validate that the service account is working.
Any hints, @NaurisSadovskis?
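For the gcloud setup asked for above and the question of how to validate that the service account is working, here is an added example script (not part of this PR or of dex); the project, target service account, caller identity, namespace and Kubernetes service-account names are assumptions.

```sh
#!/bin/sh
# Added example, not dex's own code. Assumed names: override via environment.
PROJECT="${PROJECT:-example-project}"
TARGET_SA="${TARGET_SA:-dex-gsuite@example-project.iam.gserviceaccount.com}"
K8S_NS="${K8S_NS:-dex}"      # namespace of the Dex pod (GKE Workload Identity case)
K8S_SA="${K8S_SA:-dex}"      # Kubernetes service account of the Dex pod
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the gcloud commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Identity that will call the impersonation API. On GCE (or GKE without
# Workload Identity) set CALLER_SA to the node service account's e-mail;
# on GKE with Workload Identity the Dex pod's Kubernetes SA is the caller.
# Either way no key JSON is ever created for TARGET_SA.
caller_member() {
  if [ -n "${CALLER_SA:-}" ]; then
    printf 'serviceAccount:%s' "$CALLER_SA"
  else
    printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$PROJECT" "$K8S_NS" "$K8S_SA"
  fi
}

# Least privilege: grant Token Creator on this one target SA, not on the project.
grant_token_creator() {
  run gcloud iam service-accounts add-iam-policy-binding "$TARGET_SA" \
    --project="$PROJECT" --member="$(caller_member)" \
    --role=roles/iam.serviceAccountTokenCreator
}

# Who may impersonate TARGET_SA: the binding above should be listed here.
show_policy() {
  run gcloud iam service-accounts get-iam-policy "$TARGET_SA" \
    --project="$PROJECT" --format=json
}

# Validation of the IAM side: run as the caller identity (e.g. from a Dex pod)
# and mint a token as TARGET_SA. Success proves only the IAM binding; the
# Directory API additionally needs domain-wide delegation for TARGET_SA's
# OAuth client ID (scope admin.directory.group.readonly) in the Google Workspace
# Admin console, plus an admin user of that domain as the impersonated subject.
verify_impersonation() {
  run gcloud auth print-access-token --impersonate-service-account="$TARGET_SA"
}

grant_token_creator
show_policy
verify_impersonation
```

Run with DRY_RUN=0 once the printed commands look right for your project.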
What is the latest status? We need this feature too: we are hosting argocd in GKE, there is a service account on the worker nodes, and we do not want to paste a service account key, because our service account key needs to be rotated.