Skip to content

Latest commit

 

History

History
120 lines (81 loc) · 6.4 KB

README.md

File metadata and controls

120 lines (81 loc) · 6.4 KB

BGOS (Boundary Gsuite OIDC Syncer)

GitHub go.mod Go version (subdirectory of monorepo) GitHub

YouTube Channel Subscribers GitHub followers X (formerly Twitter) Follow

A super specific process to synchronize selected G.Workspace groups into Boundary groups following an authoritative approach

Motivation

Boundary service has the capability of using GCP Oauth2 as OIDC provider, but GCP does not set the groups into JWTs claims. This could be solved performing a second call to G. Workspace Admin API to retrieve them, but Boundary has not this capability implemented nowadays*.

This synchronizer does this job in the background. It creates and synchronizes some groups and their memberships for you, following an authoritative approach.

Flags

Every configuration parameter can be defined by flags that can be passed to the CLI. They are described in the following table:

Name Description Default Example
--log-level Define the verbosity of the logs info --log-level info
--disable-trace Disable traces from logs false --disable-trace true
--google-sa-credentials-path Google ServiceAccount credentials JSON file path google.json --google-sa-credentials-path="~/something.json"
--sync-time Waiting time between group synchronizations (in duration type) 10m --sync-time 5m
--google-group (Repeatable or comma-separated list) G.Workspace groups - --google-group [email protected]
--boundary-oidc-id Boundary oidc auth method ID to compare its users against G.Workspace amoidc_changeme --boundary-oidc-id "amoidc_example"
--boundary-scope-id Boundary scope ID where the users and groups are synchronized global --boundary-scope-id "global"

Environment Variables

Security-critical parameters are managed by environment variables. They are described in the following table:

Name Description Default Example
BOUNDARY_ADDR Address where your Boundary instance is hosted - https://hashicorp-boundary.company.com
BOUNDARY_AUTHMETHODPASS_ID ID of boundary auth method where the privileged user is stored - ampw_example
BOUNDARY_AUTHMETHODPASS_USER Username of boundary privileged user that perform synchronization - user_example_changeit
BOUNDARY_AUTHMETHODPASS_PASS Password of boundary privileged user that perform synchronization - super_secure_password

Examples

Here you have a complete example to use this command.

Output is thrown always in JSON as it is more suitable for automations

export BOUNDARY_ADDR="https://your-boundary.you-company.com/"
export BOUNDARY_AUTHMETHODPASS_ID="ampw_example"
export BOUNDARY_AUTHMETHODPASS_USER="automation-google-workspace-groups-syncer" 
export BOUNDARY_AUTHMETHODPASS_PASS='super_secure_password'

bgos run \
     --log-level=info \
     --google-sa-credentials-path=le_credentials.json \
     --google-group [email protected] \
     --google-group [email protected]

How to use

This project provides binary files and Docker images to make it easy to use wherever wanted

Binaries

Binary files for the most popular platforms will be added to the releases

Docker

Docker images can be found in GitHub's packages related to this repository

Do you need it in a different container registry? We think this is not needed, but if we're wrong, please, let's discuss it in the best place for that: an issue

How to contribute

We are open to external collaborations for this project: improvements, bugfixes, whatever.

For doing it, open an issue to discuss the need of the changes, then:

  • Fork the repository
  • Make your changes to the code
  • Open a PR and wait for review

The code will be reviewed and tested (always)

We are developers and hate bad code. For that reason we ask you the highest quality on each line of code to improve this project on each iteration.

License

Copyright 2022.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Special mention

This project was done using IDEs from JetBrains. They helped us to develop faster, so we recommend them a lot! 🤓

JetBrains Logo (Main) logo.