hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

vault oidc "gsuite_service_account" does not support GCP workload identity #23983

Open nia-potato opened 8 months ago

nia-potato commented 8 months ago

Is your feature request related to a problem? Please describe.

vault write auth/oidc/config -<<EOF
{
    "oidc_discovery_url": "https://accounts.google.com",
    "oidc_client_id": "your_client_id",
    "oidc_client_secret": "your_client_secret",
    "default_role": "your_default_role",
    "provider_config": {
        "provider": "gsuite",
        "gsuite_service_account": "/path/to/service-account.json",
        "gsuite_admin_impersonate": "admin@gsuitedomain.com",
        "fetch_groups": true,
        "fetch_user_info": true,
        "groups_recurse_max_depth": 5,
        "user_custom_schemas": "Education,Preferences",
        "impersonate_principal": "sa@project.iam.gserviceaccount.com"
    }
}
EOF

Most Vault configs support workload identity by now, but that is not the case for OIDC; it would be nice for the OIDC config to also support workload identity.

Describe the solution you'd like

Support workload identity for the OIDC config.

miecio45 commented 6 months ago

Can you describe your use case? I made it work successfully on GKE workload identity without DWDoA. It requires not providing gsuite_service_account, as that forces the whole plugin to use ADC. My only problem was that I had to provide the domain parameter in provider_config.

    "provider_config": {
        "provider": "gsuite",
        "fetch_groups": true,
        "domain": "my-domain.org"
    }

austingebauer commented 5 months ago

Are you still having an issue with this @nia-potato? You might take a look at https://github.com/hashicorp/vault/issues/24190 with details on using workload identity.

sourcec0de commented 4 days ago

I was able to get this working using workload identity. You don't need to specify any fields for impersonation. Instead of using domain wide delegation, authorize the service account as a group reader in Google Workspace.

[two screenshots attached to the original comment]

{
    "oidc_discovery_url": "https://accounts.google.com",
    "oidc_client_id": "$OIDC_CLIENT_ID",
    "oidc_client_secret": "$OIDC_CLIENT_SECRET",
    "default_role": "default",
    "provider_config": {
        "provider": "gsuite",
        "fetch_groups": true,
        "fetch_user_info": true,
        "groups_recurse_max_depth": 5,
        "domain": "MY_ORGS_DOMAIN"
    }
}
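Added example, not Vault's or the OIDC/JWT plugin's own code: a small linter for an auth/oidc/config payload using provider "gsuite", encoding the two modes this thread converged on. Omitting gsuite_service_account puts the plugin on Application Default Credentials (GKE workload identity), and that mode needs provider_config.domain (miecio45's report, not something taken from the plugin docs); keeping the key file means domain-wide delegation, which also wants gsuite_admin_impersonate. The function names, the severity labels, the assumption that the impersonation fields are unused without a key file, and the heuristic that a gsuite_service_account value starting with "{" is inline key JSON are all this example's own. The sample payload is the one from the issue description.

```python
"""Lint a Vault auth/oidc/config payload for the gsuite provider.

Example code written for this thread, not the plugin's validation logic.
Rule set and field semantics are assumptions drawn from the comments above.
"""
import json
from dataclasses import dataclass

# Fields that only matter for domain-wide delegation with a key file
# (assumption: ignored once the plugin falls back to ADC).
DWD_ONLY_FIELDS = ("gsuite_admin_impersonate", "impersonate_principal")


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warn"
    field: str
    message: str


def lint_gsuite_config(config: dict) -> list[Finding]:
    """Return findings for an auth/oidc/config payload with provider=gsuite."""
    findings: list[Finding] = []
    pc = config.get("provider_config")
    if not isinstance(pc, dict) or pc.get("provider") != "gsuite":
        return [Finding("error", "provider_config.provider", 'expected "gsuite"')]

    key = pc.get("gsuite_service_account")
    if key:
        # Key-file mode: long-lived key plus domain-wide delegation.
        if key.lstrip().startswith("{"):
            # Heuristic (assumption): JSON text here is inline key material,
            # which then lives in Vault's config storage.
            findings.append(Finding("error", "gsuite_service_account",
                                    "inline service account key stored in Vault config"))
        else:
            findings.append(Finding("warn", "gsuite_service_account",
                                    "long-lived key file; workload identity (ADC) avoids it"))
        if not pc.get("gsuite_admin_impersonate"):
            findings.append(Finding("error", "gsuite_admin_impersonate",
                                    "required for domain-wide delegation with a key file"))
    else:
        # ADC mode, as described by miecio45 and sourcec0de: no key, no DWD.
        if not pc.get("domain"):
            findings.append(Finding("error", "domain",
                                    "required when gsuite_service_account is omitted (ADC mode)"))
        for name in DWD_ONLY_FIELDS:
            if name in pc:
                findings.append(Finding("warn", name,
                                        "not needed without a key file; remove it"))
    return findings


def to_adc(config: dict, domain: str) -> dict:
    """Rewrite a key-file config into the ADC form shown in the thread.

    Drops the key path and the impersonation fields and sets domain. Granting
    the workload identity service account group read access in Google
    Workspace (sourcec0de's step) is done outside Vault and is not covered.
    """
    out = json.loads(json.dumps(config))  # deep copy; leave the input alone
    pc = out["provider_config"]
    for name in ("gsuite_service_account",) + DWD_ONLY_FIELDS:
        pc.pop(name, None)
    pc["domain"] = domain
    return out


# Constructed sample: the key-file payload from the issue description.
KEY_FILE_CONFIG = {
    "oidc_discovery_url": "https://accounts.google.com",
    "oidc_client_id": "your_client_id",
    "oidc_client_secret": "your_client_secret",
    "default_role": "your_default_role",
    "provider_config": {
        "provider": "gsuite",
        "gsuite_service_account": "/path/to/service-account.json",
        "gsuite_admin_impersonate": "admin@gsuitedomain.com",
        "fetch_groups": True,
        "fetch_user_info": True,
        "groups_recurse_max_depth": 5,
        "user_custom_schemas": "Education,Preferences",
        "impersonate_principal": "sa@project.iam.gserviceaccount.com",
    },
}

if __name__ == "__main__":
    cases = (("key file", KEY_FILE_CONFIG),
             ("adc", to_adc(KEY_FILE_CONFIG, "example.org")))
    for label, cfg in cases:
        print(label, "->", "clean" if not lint_gsuite_config(cfg) else "")
        for f in lint_gsuite_config(cfg):
            print(f"  {f.severity}: {f.field}: {f.message}")
```

Run it against the payload you are about to `vault write`; a clean ADC result still only means the config is shaped like the working examples above, it does not verify that the GKE service account can actually read groups in Workspace.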