Google Apps for Business (and its variants like "for Education") allows companies to outsource employee user account management to Google, allowing employees single sign-on to various Google services and Google-integrated services.
Part of this offering is a user account directory, which includes groups that users can be assigned to, giving a similar set of capabilities to those present in the GitHub auth backend for organizations that are using Google Apps.
Google Apps also has the additional feature Domain-wide Delegation of Authority, which allows an app to be given access to interact with the domain as a whole rather than specific users within the domain. This allows an application like Vault to represent the domain and use user/group relationships to grant access.
This, in conjunction with the OpenID Connect flow for Installed apps, could help organizations already using Google Apps to integrate Vault into their workflow without having to manage a new credentials store.
This kind of flow is definitely something we're interested in... one of the things we need to take the time to sort out is how we want to handle identity-focused use cases, for this and other possible integrations. In past internal discussions we've shied away from moving Vault towards an identity server, as there are many kinds of those with established protocols and we want to focus Vault on the things that are currently harder to do (or to automate). But there are certainly integration points that require some understanding of identity... these kinds of use cases are on our radar.
To be clearer than I was in my original write-up, I'm primarily interested in using a Google Apps backend for the same purpose as the GitHub backend is (presumably) used: to let developers trade their existing Google credentials for Vault tokens, and then in turn use Vault to get credentials for SSH, MySQL, etc.
I wasn't planning to use it as a general authentication solution for end-users; we already have other solutions in place for that.
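The model described above (trade a Google credential for a Vault token, then map the user's groups to policies the way the GitHub backend maps teams) comes down to validating the Google ID token's claims before any Vault token is issued. The following is an added example, not code from this issue, the plugin or Vault itself; the client ID, hosted domain and group map are constructed values, and HS256 with a shared key stands in for Google's RS256 signing keys so that it runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the example; a real backend uses its own OAuth client ID,
# its Google Apps domain, and Google's published RS256 signing keys.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
HOSTED_DOMAIN = "example.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
# Group-to-policy map, the analogue of the GitHub backend's team-to-policy map.
GROUP_POLICIES = {"ops@example.com": ["ssh-admin", "mysql-admin"],
                  "devs@example.com": ["mysql-readonly"]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_id_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims of a valid ID token for our domain, else raise ValueError.
    HS256 with a shared key stands in for Google's RS256 so the example runs offline."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3: raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(s), expected):
        raise ValueError("bad signature")
    c = json.loads(_unb64url(p))
    if c.get("iss") not in GOOGLE_ISSUERS: raise ValueError("wrong issuer")
    if c.get("aud") != CLIENT_ID: raise ValueError("token was not issued to this app")
    if c.get("exp", 0) <= now: raise ValueError("token expired")
    if c.get("email_verified") is not True: raise ValueError("email not verified")
    # The hd check is what ties logins to the Google Apps domain; without it any
    # Google account, consumer gmail.com included, would be accepted.
    if c.get("hd") != HOSTED_DOMAIN: raise ValueError("account outside hosted domain")
    return c

def policies_for(groups) -> list:
    """Map the user's Google groups to Vault policies; unknown groups grant nothing."""
    return sorted({pol for g in groups for pol in GROUP_POLICIES.get(g, [])})

def make_token(claims: dict, key: bytes) -> str:
    """Mint a test token, a constructed stand-in for what Google would issue."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"
```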
@apparentlymart That sounds good.
When you start talking about federation, user account directories, OpenID Connect, representing domain user/group relationships, and so on, I start to think "identity server". But yes, I think the same model as the GitHub backend is likely a totally workable approach :-)
Is there any plan to include this backend in Vault?
@nanoz As of yet no PR has been submitted, although based on some recent traffic on the mailing list it seems like someone is likely going to work on it soon.
@jefferai if you have a link handy for that discussion, I'd be keen to peek.
@gtaylor Here you go: https://groups.google.com/d/msg/vault-tool/_tjbVbadnA0/UIbuRrGDCAAJ
Thanks, @jefferai !
hey all, here is a pull request for this feature: https://github.com/hashicorp/vault/pull/1219
Hi all, I work for Google and we're trying to get a better idea of the demand for this FR. If this is something you're still interested in, please thumbs up the issue. Thanks!
@emilymye
Please do not add +1 or thumbs ups to this issue. It has no effect on roadmap and simply creates notification noise. Thank you.
I think Maya was suggesting using the +1/thumbsup emoji on the issue, which does not create notification noise.
We made an auth plugin for this: https://github.com/grapeshot/google-auth-vault-plugin
@tomwilkie Nice! Closing in favor of that.
any status on this in 2019?
this looks dead https://github.com/grapeshot/google-auth-vault-plugin and enabling it is not very user friendly...
No status specifically but if oidc works instead that's coming soon.
ok, thanks
@mayakacz It'd be so cool if I could set up Vault on GKE with a Login with Google button with minimal steps. Pretty much an update to https://github.com/kelseyhightower/vault-on-google-kubernetes-engine with google-auth-vault-plugin and https://learn.hashicorp.com/vault/operations/oidc-auth