A super specific process to synchronize selected G.Workspace groups into Boundary groups following an authoritative approach
Boundary service has the capability of using GCP Oauth2 as OIDC provider, but GCP does not set the groups into JWTs claims. This could be solved performing a second call to G. Workspace Admin API to retrieve them, but Boundary has not this capability implemented nowadays*.
This synchronizer does this job in the background. It creates and synchronizes some groups and their memberships for you, following an authoritative approach.
Every configuration parameter can be defined by flags that can be passed to the CLI. They are described in the following table:
| Name | Description | Default | Example |
|---|---|---|---|
--log-level |
Define the verbosity of the logs | info |
--log-level info |
--disable-trace |
Disable traces from logs | false |
--disable-trace true |
--google-sa-credentials-path |
Google ServiceAccount credentials JSON file path | google.json |
--google-sa-credentials-path="~/something.json" |
--sync-time |
Waiting time between group synchronizations (in duration type) | 10m |
--sync-time 5m |
--google-group |
(Repeatable or comma-separated list) G.Workspace groups | - |
--google-group group1@company.com |
--boundary-oidc-id |
Boundary oidc auth method ID to compare its users against G.Workspace | amoidc_changeme |
--boundary-oidc-id "amoidc_example" |
--boundary-scope-id |
Boundary scope ID where the users and groups are synchronized | global |
--boundary-scope-id "global" |
Security-critical parameters are managed by environment variables. They are described in the following table:
| Name | Description | Default | Example |
|---|---|---|---|
BOUNDARY_ADDR |
Address where your Boundary instance is hosted | - |
https://hashicorp-boundary.company.com |
BOUNDARY_AUTHMETHODPASS_ID |
ID of boundary auth method where the privileged user is stored | - |
ampw_example |
BOUNDARY_AUTHMETHODPASS_USER |
Username of boundary privileged user that perform synchronization | - |
user_example_changeit |
BOUNDARY_AUTHMETHODPASS_PASS |
Password of boundary privileged user that perform synchronization | - |
super_secure_password |
Here you have a complete example to use this command.
Output is thrown always in JSON as it is more suitable for automations
export BOUNDARY_ADDR="https://your-boundary.you-company.com/"
export BOUNDARY_AUTHMETHODPASS_ID="ampw_example"
export BOUNDARY_AUTHMETHODPASS_USER="automation-google-workspace-groups-syncer"
export BOUNDARY_AUTHMETHODPASS_PASS='super_secure_password'
bgos run \
--log-level=info \
--google-sa-credentials-path=le_credentials.json \
--google-group sre@your-company.com \
--google-group developers@your-company.comThis project provides binary files and Docker images to make it easy to use wherever wanted
Binary files for the most popular platforms will be added to the releases
Docker images can be found in GitHub's packages related to this repository
Do you need it in a different container registry? We think this is not needed, but if we're wrong, please, let's discuss it in the best place for that: an issue
We are open to external collaborations for this project: improvements, bugfixes, whatever.
For doing it, open an issue to discuss the need of the changes, then:
- Fork the repository
- Make your changes to the code
- Open a PR and wait for review
The code will be reviewed and tested (always)
We are developers and hate bad code. For that reason we ask you the highest quality on each line of code to improve this project on each iteration.
Copyright 2022.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project was done using IDEs from JetBrains. They helped us to develop faster, so we recommend them a lot! 🤓
