Created
November 9, 2019 19:09
-
-
Save salrashid123/e894e856c2851fe437eee5fc2b72c8ad to your computer and use it in GitHub Desktop.
Sample golang app that uses the Google CLoud Admin SDk to create a user and then add that user to a specific google group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "flag" | |
| "fmt" | |
| "io/ioutil" | |
| "log" | |
| "os" | |
| "golang.org/x/net/context" | |
| "golang.org/x/oauth2/google" | |
| admin "google.golang.org/api/admin/directory/v1" | |
| ) | |
| /* | |
| Sample golang app that uses the Google CLoud Admin SDk to create a user and then add that user to a specific google group | |
| go run main.go --serviceAccountFile ../svc_account_with_dwd.json --cx C023zw3x8 --adminUser [email protected] --firstname foo --lastname bar --email [email protected] --password dsfasdflbbbb --group [email protected] | |
| */ | |
| var ( | |
| serviceAccountFile = flag.String("serviceAccountFile", "", "serviceAccountFile ID") | |
| cx = flag.String("cx", "", "GSuites cx number") | |
| adminUser = flag.String("adminUser", "", "GSuites adminUser") | |
| firstName = flag.String("firstname", "", "user's firstname") | |
| lastName = flag.String("lastname", "", "users lastname") | |
| email = flag.String("email", "", "users email") | |
| password = flag.String("password", "", "users password") | |
| group = flag.String("group", "", "add user to group") | |
| ) | |
| func main() { | |
| flag.Parse() | |
| if *serviceAccountFile == "" { | |
| fmt.Fprintln(os.Stderr, "missing -serviceAccountFile flag") | |
| flag.Usage() | |
| os.Exit(2) | |
| } | |
| if *cx == "" { | |
| fmt.Fprintln(os.Stderr, "missing -cx flag") | |
| flag.Usage() | |
| os.Exit(2) | |
| } | |
| if *adminUser == "" { | |
| fmt.Fprintln(os.Stderr, "missing -adminUser flag") | |
| flag.Usage() | |
| os.Exit(2) | |
| } | |
| if *firstName == "" || *lastName == "" || *email == "" || *password == "" { | |
| fmt.Fprintln(os.Stderr, "must specify firstname, lastname, email, password flag") | |
| flag.Usage() | |
| os.Exit(2) | |
| } | |
| serviceAccountJSON, err := ioutil.ReadFile(*serviceAccountFile) | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| config, err := google.JWTConfigFromJSON(serviceAccountJSON, | |
| admin.AdminDirectoryUserScope, admin.AdminDirectoryGroupScope, | |
| ) | |
| //config.User = "[email protected]" | |
| config.Subject = *adminUser | |
| srv, err := admin.New(config.Client(context.Background())) | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| insertResp, err := srv.Users.Insert(&admin.User{ | |
| Name: &admin.UserName{ | |
| GivenName: *firstName, | |
| FamilyName: *lastName, | |
| }, | |
| PrimaryEmail: *email, | |
| Password: *password, | |
| }).Do() | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| fmt.Printf("inserUser %v", insertResp.CustomerId) | |
| if *group != "" { | |
| member := &admin.Member{ | |
| Email: *email, | |
| } | |
| insertResp, err := srv.Members.Insert( | |
| *group, member, | |
| ).Do() | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| fmt.Printf("add user to group ResponseCode %v", insertResp.Status) | |
| } | |
| usersReport, err := srv.Users.List().Customer(*cx).MaxResults(10).OrderBy("email").Do() | |
| if err != nil { | |
| log.Fatal(err) | |
| } | |
| if len(usersReport.Users) == 0 { | |
| fmt.Print("No users found.\n") | |
| } else { | |
| fmt.Print("Users:\n") | |
| for _, u := range usersReport.Users { | |
| fmt.Printf("%s (%s)\n", u.PrimaryEmail, u.Name.FullName) | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@StevenACoffman
While you can assign roles to users on demand or add/remove users to/from groups using that API, managing firecall and on-demand access is pretty involved (and a bit risky ify ou don't remove/revoke access).
There are variations of roles/groups too for on-demand access: some custoemrs assigned a service account to a role and then granted a user temp iam role to imersonate that credential: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
or utilized "token broker" to deliver a limited one-time token https://cloud.google.com/iam/docs/downscoping-short-lived-credentials
yet others delegated management of firecall access to 3rd party systems like vault:
https://www.vaultproject.io/docs/secrets/gcp
https://github.com/salrashid123/vault_gcp#GCP-Vault-Secrets
in that, you get a temp access token from vault which has the requsite roles
This is kind of a long way to say, its not easy to roll firecall manually. That being said, do you happen to have a Google Cloud TAM or SCE or account team assigned? if so, could you send them an email about this and we can followup separtely