awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
530 stars, 182 forks

Question about the `--google-admin` flag #121

Closed johnnyplaydrums closed 1 year ago

johnnyplaydrums commented 1 year ago

Is your feature request related to a problem? Please describe. Missing / unclear documentation about the `--google-admin` flag.

Describe the solution you'd like. Hello! First off, thank you so much for this amazing project. I was able to get it up and running fairly quickly; the documentation is quite good! I'm wondering about the `--google-admin` flag. Why is it needed, and what is it used for? I was surprised it was needed, since I thought the service account credentials are used for authenticating to all things Google. Would you mind helping me understand what it's used for? The docs say it needs to be an admin, but what admin permissions are needed (e.g. Services Admin, or Groups Admin)? Thank you in advance for the help! 🙏

ChrisPates commented 1 year ago

So this is a common practice with many tools that use the Admin API; GAM, for example, does the same. I've not personally dug into this too deeply myself, but I believe it is used to identify the tenant or domain within the Google platform.

The permissions are associated with the api client token, and privileges of the user are not used by ssosync.

johnnyplaydrums commented 1 year ago

Thanks for the context, Chris! For any future readers: I had to give this Google user the Groups Admin role in order for the sync to succeed. I tried Groups Reader but got a 403. Not sure if there's a more limited set of permissions, but this is what I was able to make work.