Closed rfuelsh closed 1 year ago
@Voxelot - need to work with you on Google Admin side
The AWS Lambda was deployed, but invoking it ran into these issues:
"level": "fatal",
"msg": "Notifying Lambda and mark this execution as Failure: Get \"https://admin.googleapis.com/admin/directory/v1/groups?alt=json&customer=my_customer&prettyPrint=false&query=name%!A(MISSING)AWS%!A(MISSING)\": oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\n \"error\": \"unauthorized_client\",\n \"error_description\": \"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.\"\n}",
Like you mentioned, there is some OAuth issue on the Google side - I think the GCP service account is missing some IAM permissions.
@Voxelot and I are working on this still
Blocked for now waiting for proper creds to Google Admin
Thanks @Voxelot for all your hard work to unblock this - I can onboard other users manually as needed!
We need to update the Google-AWS SSO Integration to automatically sync our "Fuel Developers" Google group with the AWS SSO integration setup
We must find a way to automatically sync this periodically or by manual trigger
Possibly using a Kubernetes cronjob or using an AWS Lambda
a) Ask Sam for the Google admin credentials to log in to https://admin.google.com
b) Ask Nick for access to the master/owner account for the Fuel AWS Organization - this is where the SSO is set up
https://medium.com/@yihucd/how-to-set-up-aws-single-sign-on-sso-using-google-workspace-formerly-g-suite-b9fb4969bbe0
https://github.com/awslabs/ssosync
For the GitHub link, there is a reference to syncing the Google directory with AWS SSO - there are a few options