Retrieving Google Groups
ConsoleMe can retrieve your Google Groups membership and use it to authorize roles for an entire group. Unfortunately, Google does not include group membership in the access tokens it issues, so a few extra steps are needed to get groups working.
These steps have been tested with the ALB auth + Google workflow for ConsoleMe.
Set up a service account in GCP
Log in to the Google account in which the GCP app for ConsoleMe was set up
Go to the service accounts page and select your ConsoleMe project
Click Create service account
Fill in the details but skip the optional steps
Click Done
Enable domain-wide delegation for the service account
Click on the name of the service account created above
Check the box labelled Enable Google Domain-wide Delegation
This will assign a unique client ID for the service account which will be used in a later step.
Generate service account keys
On the service account page, go to the Keys tab
Click on Create new key under the Add key dropdown
Select the JSON type key option and click Create
This will generate a public-private key pair that is used to establish the identity of the service account outside of Google Cloud, in our case from ConsoleMe. The service account key file is downloaded to your computer automatically.
Sample structure is shown below:
Enable the Admin SDK API for ConsoleMe
Visit the Admin SDK link and select the ConsoleMe project
Enable the Admin SDK API
Delegate domain-wide authority to your service account
The following steps require Google admin account access. This may or may not be the Google account in which you set up ConsoleMe.
Go to the admin console for your google workspace domain
In the Domain-wide delegation pane, select Manage Domain Wide Delegation
Click Add new
In the Client ID field, enter the client ID obtained from the service account creation steps above
In the OAuth Scopes field, enter a comma-delimited list of the following scopes
ConsoleMe static config changes
Add the contents of the key file that was downloaded while generating the service account keys as a dictionary in your ConsoleMe static config.
The private_key value in the service account key file contains newline characters; split the value at each newline when you paste it into the YAML file.
If you're using Google Workspace, make sure that credential_subject is the email of a Workspace admin.
Your static config should look similar to this:
Re-deploy your ConsoleMe instance (if you have the static config reload option enabled, re-deployment is not needed)
Clear your existing browser cookies.
ConsoleMe should now be able to get group information from the Google IdP.
Check if group info is properly retrieved
One way to check is by decoding the JWT in the consoleme_auth cookie.
Copy the contents of the consoleme_auth cookie from your ConsoleMe domain
Go to jwt.io and paste in the contents of the cookie
It will decode the JWT, and you can validate the groups information as seen by ConsoleMe
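As an added example (not ConsoleMe's own code), the same check done locally so the auth cookie never leaves your machine: the script decodes the consoleme_auth JWT without verification to read its groups claim, and separately shows that confirming authenticity requires the signing key. The claim names (email, groups, exp), the secret and the cookie value are constructed for illustration.

```python
"""Inspect the groups claim of a consoleme_auth JWT locally (added example)."""
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.

    This is inspection only (the same thing jwt.io does); a decoded claim
    says nothing about whether ConsoleMe actually issued the token.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Check an HS256 signature; only meaningful if you hold ConsoleMe's key."""
    header, payload, signature = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(signature))


def groups_from_cookie(cookie_value: str) -> list:
    """The groups ConsoleMe recorded for the user (assumed 'groups' claim)."""
    return decode_jwt(cookie_value).get("groups", [])


# Constructed sample cookie: claim names mirror what the cookie is assumed to
# carry (email plus group names); the values and the secret are made up.
_SECRET = b"constructed-example-secret"
_HEADER = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
_CLAIMS = _b64url_encode(json.dumps({
    "email": "alice@example.com",
    "groups": ["aws-admins@example.com", "developers@example.com"],
    "exp": 1700000000,
}).encode())
_SIG = _b64url_encode(hmac.new(_SECRET, f"{_HEADER}.{_CLAIMS}".encode(),
                               hashlib.sha256).digest())
SAMPLE_COOKIE = f"{_HEADER}.{_CLAIMS}.{_SIG}"

if __name__ == "__main__":
    print(groups_from_cookie(SAMPLE_COOKIE))
```

Replace SAMPLE_COOKIE with the value copied from your browser to see the groups ConsoleMe resolved; an empty list means the Google Groups lookup is not working yet.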