Open nia-potato opened 8 months ago
Can you describe your use case? I made it work successfully on GKE workload identity without DWDoA. It requires not providing gsuite_service_account, as that forces the whole plugin to use ADC. My only problem was that I had to provide the domain parameter in provider_config.
  "provider_config": {
    "provider": "gsuite",
    "fetch_groups": true,
    "domain": "my-domain.org"
  }
Are you still having an issue with this @nia-potato? You might take a look at https://github.com/hashicorp/vault/issues/24190 with details on using workload identity.
I was able to get this working using workload identity.
You don't need to specify any fields for impersonation.
Instead of using domain-wide delegation, authorize the service account as a group reader in Google Workspace.
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "$OIDC_CLIENT_ID",
  "oidc_client_secret": "$OIDC_CLIENT_SECRET",
  "default_role": "default",
  "provider_config": {
    "provider": "gsuite",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5,
    "domain": "MY_ORGS_DOMAIN"
  }
}
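The two comments above describe the same setup: leave gsuite_service_account out of provider_config so the plugin falls back to Application Default Credentials, bind the Vault pod's Kubernetes service account to a Google service account via GKE workload identity, and grant that Google service account group-read access in Google Workspace. The script below is an added example that is not part of this issue or the Vault project; it wires those steps together with the standard gcloud, kubectl and vault CLI calls. The project, namespace and service-account names, the OIDC client id/secret and the domain are placeholders, and the check_adc_config helper is a local sanity check written for this example, not a Vault feature.

```shell
#!/bin/sh
# Added example (not from the Vault project or the issue authors): GKE
# workload identity -> Vault OIDC auth with the "gsuite" provider, no DWDoA.
# All names, ids and secrets below are placeholders (assumptions).

# Render the auth/oidc/config payload. gsuite_service_account is
# deliberately omitted: per the thread, providing it stops the plugin from
# using ADC, and "domain" had to be set for group fetching to work.
render_oidc_config() {
  domain=$1; client_id=$2; client_secret=$3
  cat <<EOF
{
  "oidc_discovery_url": "https://accounts.google.com",
  "oidc_client_id": "$client_id",
  "oidc_client_secret": "$client_secret",
  "default_role": "default",
  "provider_config": {
    "provider": "gsuite",
    "fetch_groups": true,
    "fetch_user_info": true,
    "groups_recurse_max_depth": 5,
    "domain": "$domain"
  }
}
EOF
}

# Local sanity check (example helper, not part of Vault): refuse a payload
# that would silently switch the plugin to domain-wide delegation or that
# lacks the domain the thread says is required. Returns 0 when OK.
check_adc_config() {
  cfg=$1
  if printf '%s' "$cfg" | grep -q '"gsuite_service_account"'; then
    echo "gsuite_service_account present: plugin will use DWDoA, not ADC" >&2
    return 1
  fi
  if ! printf '%s' "$cfg" | grep -q '"domain"'; then
    echo "provider_config.domain missing" >&2
    return 1
  fi
  return 0
}

# GKE side: let the Vault pod's Kubernetes SA ($3, in namespace $2) obtain
# tokens for the Google SA ($4, e.g. vault@PROJECT.iam.gserviceaccount.com).
bind_workload_identity() {
  project=$1; ns=$2; ksa=$3; gsa=$4
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project "$project" \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:${project}.svc.id.goog[${ns}/${ksa}]"
  kubectl annotate serviceaccount "$ksa" --namespace "$ns" --overwrite \
    "iam.gke.io/gcp-service-account=${gsa}"
}
# Workspace side (not scriptable here): in the Google Admin console, assign
# the Groups Reader admin role to that Google SA so the directory lookups
# the plugin makes with ADC are authorized without delegation.

# Run from inside the Vault pod: confirm which identity ADC will present.
# Should print the Google SA email bound above, not the node's default SA.
whoami_adc() {
  curl -sS -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email'
}

# Vault side: write the rendered JSON to auth/oidc/config via stdin ("-").
write_vault_config() {
  payload=$(render_oidc_config "$1" "$2" "$3")
  check_adc_config "$payload" || return 1
  printf '%s\n' "$payload" | vault write auth/oidc/config -
}

# Only touch real infrastructure when invoked as: sh this.sh apply
if [ "${1:-}" = "apply" ]; then
  bind_workload_identity "${PROJECT:?}" "${NAMESPACE:?}" "${KSA:?}" "${GSA:?}"
  write_vault_config "${DOMAIN:?}" "${OIDC_CLIENT_ID:?}" "${OIDC_CLIENT_SECRET:?}"
fi
```

Run whoami_adc from the Vault pod before enabling the auth method: if it returns the node's default compute service account, the KSA annotation or the workloadIdentityUser binding is wrong and the plugin's group lookups will be rejected regardless of the Workspace role.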
Is your feature request related to a problem? Please describe.
Most Vault configs support workload identity by now, but that is not the case for OIDC; it would be nice for the OIDC config to also support workload identity.
Describe the solution you'd like
Support workload identity for the OIDC config.