zboralski · March 19, 2023 20:58
diff --git a/vault-oidc-google-config.sh b/vault-oidc-google-config.sh
 #!/bin/bash

 # Configures Vault's OIDC authentication method to use Google as the provider.

 # It retrieves the client ID and client secret from Vault, formats the GSuite service account
 # JSON as required by Vault, and writes the configuration to Vault using the "gsuite" provider.
 # This script assumes that Vault has already been initialized and unsealed, and that the OIDC
 # authentication method has been enabled. 

 # Write first your Google Cloud Platform (GCP) credentials to HashiCorp Vault using 
 # https://gist.github.com/zboralski/709b2427bff863ab7868c6a1d2125591#file-vault-oidc-google-secrets-sh

 # OIDC Provider Configuration | Google
 # https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/google


 # Set project and service account variables
 PROJECT="example-vault-us"
 SERVICE_ACCOUNT="example-vault-us-1aab5d7d48ab.json"

 # Set the email address of the GSuite admin
 GSUITE_ADMIN="[email protected]"

 # Set secret paths
 SECRET_ROOT="secret/gcloud/${PROJECT}"
 SERVICE_ACCOUNT_SECRET="${SECRET_ROOT}/gsuite_service_account"
 CLIENT_SECRET="${SECRET_ROOT}/client_secret"

 # Retrieve the service account from Vault, format it as JSON, and encode it again with properly escaped characters
 GSUITE_SERVICE_ACCOUNT=$(vault kv get -format=json ${SERVICE_ACCOUNT_SECRET} | \
  jq -c '.data.data' | jq -c '. |= @json')

 # Set OIDC config variables
 OIDC_CONFIG="auth/oidc/config"
 OIDC_DISCOVERY_URL="https://accounts.google.com"
 OIDC_CLIENT_ID=$(vault kv get -format=json "${CLIENT_SECRET}"  | jq -r '.data.data.client_id')
 OIDC_CLIENT_SECRET=$(vault kv get -format=json "${CLIENT_SECRET}"  | jq -r '.data.data.client_secret')

 # Write the OIDC config to Vault using a heredoc
 vault write "${OIDC_CONFIG}" -<<EOF
 {
  "oidc_discovery_url": "${OIDC_DISCOVERY_URL}",
  "oidc_client_id": "${OIDC_CLIENT_ID}",
  "oidc_client_secret": "${OIDC_CLIENT_SECRET}",
  "default_role": "default",
  "provider_config": {
    "provider": "gsuite",
    "gsuite_service_account": ${GSUITE_SERVICE_ACCOUNT},
    "gsuite_admin_impersonate": "${GSUITE_ADMIN}",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5,
    "user_custom_schemas": "Preferences"
  }
 }
 EOF
	#!/bin/bash

	# Configures Vault's OIDC authentication method to use Google as the provider.

	# It retrieves the client ID and client secret from Vault, formats the GSuite service account
	# JSON as required by Vault, and writes the configuration to Vault using the "gsuite" provider.
	# This script assumes that Vault has already been initialized and unsealed, and that the OIDC
	# authentication method has been enabled.

	# Write first your Google Cloud Platform (GCP) credentials to HashiCorp Vault using
	# https://gist.github.com/zboralski/709b2427bff863ab7868c6a1d2125591#file-vault-oidc-google-secrets-sh

	# OIDC Provider Configuration \| Google
	# https://developer.hashicorp.com/vault/docs/auth/jwt/oidc-providers/google


	# Set project and service account variables
	PROJECT="example-vault-us"
	SERVICE_ACCOUNT="example-vault-us-1aab5d7d48ab.json"

	# Set the email address of the GSuite admin
	GSUITE_ADMIN="[email protected]"

	# Set secret paths
	SECRET_ROOT="secret/gcloud/${PROJECT}"
	SERVICE_ACCOUNT_SECRET="${SECRET_ROOT}/gsuite_service_account"
	CLIENT_SECRET="${SECRET_ROOT}/client_secret"

	# Retrieve the service account from Vault, format it as JSON, and encode it again with properly escaped characters
	GSUITE_SERVICE_ACCOUNT=$(vault kv get -format=json ${SERVICE_ACCOUNT_SECRET} \| \
	jq -c '.data.data' \| jq -c '. \|= @json')

	# Set OIDC config variables
	OIDC_CONFIG="auth/oidc/config"
	OIDC_DISCOVERY_URL="https://accounts.google.com"
	OIDC_CLIENT_ID=$(vault kv get -format=json "${CLIENT_SECRET}" \| jq -r '.data.data.client_id')
	OIDC_CLIENT_SECRET=$(vault kv get -format=json "${CLIENT_SECRET}" \| jq -r '.data.data.client_secret')

	# Write the OIDC config to Vault using a heredoc
	vault write "${OIDC_CONFIG}" -<<EOF
	{
	"oidc_discovery_url": "${OIDC_DISCOVERY_URL}",
	"oidc_client_id": "${OIDC_CLIENT_ID}",
	"oidc_client_secret": "${OIDC_CLIENT_SECRET}",
	"default_role": "default",
	"provider_config": {
	"provider": "gsuite",
	"gsuite_service_account": ${GSUITE_SERVICE_ACCOUNT},
	"gsuite_admin_impersonate": "${GSUITE_ADMIN}",
	"fetch_groups": true,
	"fetch_user_info": true,
	"groups_recurse_max_depth": 5,
	"user_custom_schemas": "Preferences"
	}
	}
	EOF