
Google: Implement groups fetch by default service account from metadata (support for GKE workload identity)

Open vsychov opened this issue 1 year ago • 9 comments

Overview

Hello,

This pull request addresses the need to fetch groups using the default service account from metadata in the Dex Google Connector. It adds more robust support for Google Cloud Platform environments, particularly GKE Workload Identity, and increases the module's resilience and versatility.

What this PR does / why we need it

Fix #2676

Special notes for your reviewer

Does this PR introduce a user-facing change?

No

Implement groups fetch by default service account from metadata (support for GKE workload identity)

Docs PR: https://github.com/dexidp/website/pull/138

vsychov avatar Jun 08 '23 11:06 vsychov
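To make concrete what "fetch groups by the default service account from metadata" means at the wire level, here is an added Go example; it is not the PR's code and not Dex's own connector. It assumes the credential order described in the PR description (an explicit `serviceAccountFilePath` wins, otherwise fall back to the instance's default service account), fetches an access token from the GCE/GKE metadata server token endpoint with the mandatory `Metadata-Flavor: Google` header, and then walks every page of the Directory API `groups.list` call for a user. The base URLs are parameters so the flow can be exercised against a local fake server. One caveat the example deliberately leaves out: listing Workspace groups for arbitrary users normally requires the delegated admin identity (domain-wide delegation), so in a keyless setup the bearer token handed to `listGroupEmails` would first have to be exchanged for one carrying that subject; the function below simply takes whatever token it is given.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// metadataTokenPath is the metadata-server endpoint Application Default
// Credentials consult when no key file is configured (the "default" account).
const metadataTokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// accessToken is the JSON document the metadata server returns.
type accessToken struct {
	AccessToken string    `json:"access_token"`
	ExpiresIn   int       `json:"expires_in"`
	TokenType   string    `json:"token_type"`
	Expiry      time.Time `json:"-"` // computed locally from ExpiresIn
}

// credentialSource names which credential the connector would use.
type credentialSource string

const (
	sourceKeyFile  credentialSource = "service_account_key_file"
	sourceMetadata credentialSource = "metadata_server"
)

// chooseCredentialSource applies the order assumed for this example: an explicit
// key file is used when configured; an empty path means the default service
// account exposed by the metadata server (GKE Workload Identity included).
func chooseCredentialSource(serviceAccountFilePath string) (credentialSource, error) {
	if serviceAccountFilePath == "" {
		return sourceMetadata, nil
	}
	if _, err := os.Stat(serviceAccountFilePath); err != nil {
		// Fail loudly rather than silently falling back, so a typo in the path
		// does not quietly switch the connector to a different identity.
		return "", fmt.Errorf("serviceAccountFilePath is set but unreadable: %w", err)
	}
	return sourceKeyFile, nil
}

// fetchMetadataToken requests an access token for the default service account.
// The Metadata-Flavor header is required by the metadata server; requests
// without it are refused, which is the guard against browser-originated SSRF.
func fetchMetadataToken(ctx context.Context, client *http.Client, baseURL string) (*accessToken, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+metadataTokenPath, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata server returned %s", resp.Status)
	}
	var tok accessToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" {
		return nil, errors.New("metadata server returned an empty access token")
	}
	tok.Expiry = time.Now().Add(time.Duration(tok.ExpiresIn) * time.Second)
	return &tok, nil
}

// groupsPage is the subset of the Directory API groups.list response used here.
type groupsPage struct {
	Groups []struct {
		Email string `json:"email"`
	} `json:"groups"`
	NextPageToken string `json:"nextPageToken"`
}

// listGroupEmails walks every page of groups.list for userKey with the given
// bearer token and returns the group e-mail addresses in API order.
func listGroupEmails(ctx context.Context, client *http.Client, baseURL, bearer, userKey string) ([]string, error) {
	var emails []string
	pageToken := ""
	for {
		q := url.Values{"userKey": {userKey}}
		if pageToken != "" {
			q.Set("pageToken", pageToken)
		}
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/admin/directory/v1/groups?"+q.Encode(), nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+bearer)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("groups.list returned %s", resp.Status)
		}
		var page groupsPage
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for _, g := range page.Groups {
			emails = append(emails, g.Email)
		}
		if page.NextPageToken == "" {
			return emails, nil
		}
		pageToken = page.NextPageToken
	}
}
```

On a GKE node the metadata base URL is `http://metadata.google.internal` and the Directory API base is `https://admin.googleapis.com`; both are left as parameters here so the same functions can be pointed at a local fake for testing. The strict status and empty-token checks matter in practice: a pod without Workload Identity bound still reaches the metadata server, and the failure should surface as a clear error rather than as an empty group list that silently grants or denies access.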

Hello @nabokihms, I have access to a Google provider. I'll start by building an image and use it to try it out. Please let me know if I can help out further with the review process. Thanks!

LaloLoop avatar Aug 05 '23 01:08 LaloLoop

@nabokihms I notice this was added to the v2.38.0 milestone; is there anything we can do to help it progress?

milesarmstrong avatar Dec 06 '23 16:12 milesarmstrong

👋🏻 FWIW, we've recently tested a very similar change (with domain delegation) in another tool that we use, and things seem to work as expected!

https://github.com/gocardless/theatre/pull/330

jace-ys avatar Dec 11 '23 10:12 jace-ys

@nabokihms the documentation change merged in dexidp/website#138 references features that are not available yet as this PR was not merged. This caused some confusion for myself and my team.

czuares avatar Feb 01 '24 17:02 czuares

We just hit this too - relied on the docs and have only found this after debugging it not working :(

mikebryant avatar Feb 13 '24 16:02 mikebryant

There's a small merge conflict in the go.mod file, but after fixing that locally, I also get good results from this PR, after banging my head on the failure. (We disable service account key creation org-wide, so we either have to rely on workload identity for group retrieval, or give up on Dex and the Google connector.) There's a pile of moving parts to rule out whenever something related to Workload Identity goes wrong, so it took a frustrating couple of days to suspect and then prove that the code simply wasn't doing what it's documented to do.

irons avatar Mar 28 '24 21:03 irons

Hey @nabokihms, I've resolved the conflicts with master. Is there a chance this will be merged? This is a working PR that has been tested by several people under different conditions, as seen from the comments above.

vsychov avatar Mar 29 '24 20:03 vsychov

Hello @sagikazarmark, maybe you can also take a look?

vsychov avatar Mar 29 '24 20:03 vsychov

Is this going to be merged?

nightwatch92 avatar Apr 25 '24 10:04 nightwatch92

Thank you guys, I've just tested this feature and it works well. The only thing left is to bring the documentation (https://github.com/dexidp/website/pull/166) back to the website.

StepanKuksenko avatar Jun 12 '24 20:06 StepanKuksenko