diff --git a/website/content/docs/auth/gcp.mdx b/website/content/docs/auth/gcp.mdx index e2fe46d89..cc896281a 100644 --- a/website/content/docs/auth/gcp.mdx +++ b/website/content/docs/auth/gcp.mdx @@ -17,7 +17,7 @@ authentication of: - Google Compute Engine (GCE) instances This backend focuses on identities specific to Google _Cloud_ and does not -support authenticating arbitrary Google or G Suite users or generic OAuth +support authenticating arbitrary Google or Google Workspace users or generic OAuth against Google. This plugin is developed in a separate GitHub repository at diff --git a/website/content/docs/auth/jwt/oidc_providers.mdx b/website/content/docs/auth/jwt/oidc_providers.mdx index 19f791cab..60ab5b52a 100644 --- a/website/content/docs/auth/jwt/oidc_providers.mdx +++ b/website/content/docs/auth/jwt/oidc_providers.mdx 
@@ -165,23 +165,23 @@ Main reference: [Using OAuth 2.0 to Access Google APIs](https://developers.googl ### Optional Google-specific Configuration Google-specific configuration is available when using Google as an identity provider from the -Vault JWT/OIDC auth method. The configuration allows Vault to obtain G Suite group membership and -user information during the JWT/OIDC authentication flow. The group membership obtained from G Suite -may be used for Identity group alias association. The user information obtained from G Suite can be +Vault JWT/OIDC auth method. The configuration allows Vault to obtain Google Workspace group membership and +user information during the JWT/OIDC authentication flow. The group membership obtained from Google Workspace +may be used for Identity group alias association. The user information obtained from Google Workspace can be used to copy claims data into resulting auth token and alias metadata via [claim_mappings](/api/auth/jwt#claim_mappings). #### Setup To set up the Google-specific handling, you'll need: -- A G Suite account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en) +- A Google Workspace account with the [super admin role](https://support.google.com/a/answer/2405986?hl=en) for granting domain-wide delegation API client access. - The ability to create a service account in [Google Cloud Platform](https://console.developers.google.com/iam-admin/serviceaccounts). -The Google-specific handling that's used to fetch G Suite groups and user information in Vault uses -[G Suite Domain-Wide Delegation of Authority](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) +The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses +[Google Workspace Domain-Wide Delegation of Authority](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) for authentication and authorization. 
You need to follow **all steps** in the [guide](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) -to obtain the key file for a Google service account capable of making requests to the G Suite +to obtain the key file for a Google service account capable of making requests to the Google Workspace [User Accounts](https://developers.google.com/admin-sdk/directory/v1/guides/manage-users) and [Groups](https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups) APIs. 
@@ -204,12 +204,12 @@ host that Vault is running on. - `gsuite_service_account` `(string: )` - Either the path to or the contents of a Google service account key file in JSON format. If given as a file path, it must refer to a file that's readable on the host that Vault is running on. If given directly as JSON contents, the JSON must be properly escaped. -- `gsuite_admin_impersonate` `(string: )` - Email address of a G Suite admin to impersonate. -- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from G Suite. -- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from G Suite using the configured [user_custom_schemas](#user_custom_schemas). +- `gsuite_admin_impersonate` `(string: )` - Email address of a Google Workspace admin to impersonate. +- `fetch_groups` `(bool: false)` - If set to true, groups will be fetched from Google Workspace. +- `fetch_user_info` `(bool: false)` - If set to true, user info will be fetched from Google Workspace using the configured [user_custom_schemas](#user_custom_schemas). - `groups_recurse_max_depth` `(int: )` - Group membership recursion max depth. Defaults to 0, which means don't recurse. -- `user_custom_schemas` `(string: )` - Comma-separated list of G Suite [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas). - Values set for G Suite users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/api/auth/jwt#claim_mappings). Required if [fetch_user_info](#fetch_user_info) is set to true. +- `user_custom_schemas` `(string: )` - Comma-separated list of Google Workspace [custom schemas](https://developers.google.com/admin-sdk/directory/v1/guides/manage-schemas). + Values set for Google Workspace users using custom schema fields will be fetched and made available as claims that can be used with [claim_mappings](/api/auth/jwt#claim_mappings). 
Required if [fetch_user_info](#fetch_user_info) is set to true. Example configuration:
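Review bot: In the `@@ -165,23 +165,23 @@` hunk of oidc_providers.mdx the substitution of "Google Workspace" for "G Suite" pushes several lines past the paragraph's existing wrap width without reflowing, e.g. `+Vault JWT/OIDC auth method. The configuration allows Vault to obtain Google Workspace group membership and` and `+The Google-specific handling that's used to fetch Google Workspace groups and user information in Vault uses`. Reflow the affected paragraph so the line lengths match the surrounding prose; the link text change on the delegation guide is fine since the URL itself is unchanged.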
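Review bot: In the `@@ -204,12 +204,12 @@` hunk the parameter descriptions now say "Google Workspace" while the parameter names themselves (`gsuite_service_account`, `gsuite_admin_impersonate`) keep the `gsuite_` prefix. Since renaming the API parameters would break existing configurations, add a short sentence above the list noting that the `gsuite_*` parameter names are retained for compatibility and refer to Google Workspace, so readers do not go looking for a `workspace_*` equivalent. It would also help to note next to `gsuite_admin_impersonate` that the service account key combined with the impersonated admin address lets Vault act as that admin for the delegated Directory API access, so the key file (or inline JSON) should be protected like any other privileged credential.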