Google Groups

Spinnaker supports G Suite accounts (formerly Google Apps for Work) and Google Groups to manage authorization.

Service account setup

To read a user’s group membership, Fiat must use the Google Admin Directory API. We will set up a Google Cloud Platform (GCP) service account and grant it access to the Directory API.

  1. Enable the Admin SDK here.

  2. In your Cloud Console, create a service account that will access the G Suite Directory API.

    Figure: Creating a service account for Fiat in the GCP console

    1. Navigate to the “IAM & Admin” –> Service accounts section.
    2. Click “Create Service Account.”
    3. Give it a name like “spinnaker-fiat.”
    4. Select “Furnish a new private key” and select the JSON format.
    5. Select “Enable G Suite Domain-wide Delegation.”
    6. Click “Create”, which should download the private key for your new service account (see figure below).
    7. Transfer this JSON file to a known location in your Spinnaker deployment.
    8. You should see your newly created service account in the list, along with “DwD” and an option to “View Client ID”. Click “View Client ID” (see figure below).
    9. Note the Client ID displayed. It will be used in the next step.

    Figure: View the client ID

  3. Give your service account access to the G Suite Directory API in the G Suite Admin console.

    Figure: Authorize the service account to access the Directory API

    1. Navigate to the “Security” Settings page.
    2. Under “Advanced settings”, click “Manage API client access.”
    3. Enter the Client ID noted above under “Client Name.”
    4. Enter https://www.googleapis.com/auth/admin.directory.group.readonly as the API scope.
    5. Click “Authorize.”

Configure with Halyard

  1. Make sure you’ve configured roles for accounts, as described here. Each role included in the command must match the name of a group in the organization.

  2. With the authorized service account’s credentials in hand, use Halyard to configure Fiat:

    ADMIN=admin@your.org              # An administrator's email address
    CREDENTIALS=/path/to/creds.json   # The downloaded service account credentials
    DOMAIN=your.org                   # Your organization's domain

    hal config security authz google edit \
        --admin-username "$ADMIN" \
        --credential-path "$CREDENTIALS" \
        --domain "$DOMAIN"

    hal config security authz edit --type google
    hal config security authz enable
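
A pre-flight check for the three values passed to Halyard above, as an added example that is not part of the Spinnaker documentation or code. It assumes the standard layout of a Google service account JSON key; the function names and the sample key (all placeholder values) are hypothetical. `delegation_claims` shows the claim set the key signs when requesting a token under domain-wide delegation, which is why the key file needs tight permissions.

```python
import json
import os
import stat
import tempfile

# Scope authorized for the client ID in the G Suite Admin console (from the page).
SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
REQUIRED = ("client_id", "client_email", "private_key", "token_uri")

# Constructed sample key file contents; every value is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "client_id": "000000000000000000000",
    "client_email": "spinnaker-fiat@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def preflight(cred_path, admin, domain):
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    mode = stat.S_IMODE(os.stat(cred_path).st_mode)
    if mode & 0o077:  # any group/other permission bit exposes the private key
        problems.append(f"key file mode {mode:03o} is open to group/others; use 600")
    try:
        with open(cred_path) as fh:
            key = json.load(fh)
    except ValueError:
        return problems + ["credentials file is not valid JSON"]
    # OAuth client secrets files are also JSON but are not service account keys.
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return problems + ["not a service account key (type != service_account)"]
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if not admin.lower().endswith("@" + domain.lower()):
        problems.append("admin address is outside the configured domain")
    return problems

def delegation_claims(key, admin, now):
    """Claim set of the JWT signed with the key to request a delegated token."""
    # sub: the user impersonated under domain-wide delegation (the ADMIN value).
    return {"iss": key["client_email"], "sub": admin, "scope": SCOPE,
            "aud": key["token_uri"], "iat": now, "exp": now + 3600}

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(SAMPLE_KEY, tmp)  # temp files are created with mode 600
    print(preflight(tmp.name, "admin@your.org", "your.org"))
    os.remove(tmp.name)
```

The `client_id` in the key file should match the Client ID entered under “Manage API client access”; a mismatch means the wrong key was transferred.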

Last modified May 4, 2021: rest of migration (700781a)