Allow Boundary to fetch Google Workspace group membership #2
Draft
dggreenbaum wants to merge 4 commits into main from
added 4 commits, May 6, 2026 10:11
This is a first go at enabling Boundary to fetch group membership info about Google Workspace users. Google does not return group membership in OIDC tokens by default. Boundary needs to fetch this information from the Directory API in order to use it. The method in this PR is similar to how HashiCorp Vault does it.

### Google Workspace Admin Console prerequisites

These steps must be completed by a Google Workspace super-admin before Boundary is configured.

**a. Create a service account in Google Cloud Console**

- Create a new service account in the Google Cloud project associated with your Workspace domain
- Generate and download a JSON key for it

**b. Grant domain-wide delegation**

- In the service account settings, enable domain-wide delegation
- In the **Google Workspace Admin Console** → Security → API controls → Domain-wide delegation, add the service account's Client ID with the scope:

  ```
  https://www.googleapis.com/auth/admin.directory.group.readonly
  ```

**c. Identify an admin email to impersonate**

- This must be the email of an existing Google Workspace admin user in your domain. Boundary will impersonate this account when calling the Directory API.

### Run the database migration

```bash
boundary database migrate -config /path/to/boundary.hcl
```

This applies migration `100/02_oidc_google_workspace.up.sql`, adding the two new columns to `auth_oidc_method`. The migration is additive and backward-compatible — existing auth methods are unaffected (both columns are nullable).

### Configure the OIDC auth method

Update or create the OIDC auth method with the two new fields. The service account JSON is encrypted at rest by Boundary's KMS.

**Via Terraform:**

```hcl
resource "boundary_auth_method_oidc" "google_workspace" {
  scope_id           = boundary_scope.org.id
  issuer             = "https://accounts.google.com"
  client_id          = "<google-oauth-client-id>"
  client_secret      = "<google-oauth-client-secret>"
  signing_algorithms = ["RS256"]
  api_url_prefix     = "https://boundary.example.com"

  # New fields — both must be set together
  google_workspace_service_account_json = file("/path/to/service-account.json")
  google_workspace_admin_email          = "admin@yourcompany.com"
}
```

**Via CLI (update an existing auth method):**

```bash
boundary auth-methods update oidc \
  -id amoidc_xxxxxxxxxxxx \
  -google-workspace-service-account-json "$(cat /path/to/service-account.json)" \
  -google-workspace-admin-email admin@yourcompany.com
```

> **Note:** The Terraform provider and CLI handler for these new attributes are not part of this PR — they live in separate layers (`internal/daemon/`, the public API proto, and the Terraform provider). Wiring those up is the follow-on work required before operators can set the fields through standard tooling. For now the fields can be set directly via the Go API or a custom migration.

### Create managed groups with group-based filters

```bash
boundary managed-groups create oidc \
  -auth-method-id amoidc_xxxxxxxxxxxx \
  -name "Engineering" \
  -filter '"engineering@yourcompany.com" in "/userinfo/groups"'

boundary managed-groups create oidc \
  -auth-method-id amoidc_xxxxxxxxxxxx \
  -name "Infra Admins" \
  -filter '"infra-admins@yourcompany.com" in "/userinfo/groups"'
```

### Assign roles to managed groups

```bash
boundary roles add-principals \
  -id r_xxxxxxxxxxxx \
  -principal mgoidc_xxxxxxxxxxxx  # managed group ID
```

### Notes

- **Group membership is evaluated at login time only.** If a user's Google Workspace group memberships change, Boundary won't reflect that until their next login.
- **Directory API failures are non-fatal.** If the API is unreachable or the service account credentials are invalid, Boundary logs the error and completes authentication with no group claims — users will not match any group-based managed groups, but login will succeed.
- **Both fields are all-or-nothing.** Setting only `google_workspace_service_account_json` without `google_workspace_admin_email` (or vice versa) is rejected at validation time by both the Go layer and a database `CHECK` constraint.
- **The service account JSON is encrypted at rest** using the same KMS wrapping path as the OIDC `client_secret`.
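As an added example, not code from this PR or from Boundary, here are the two pieces the description relies on, in Go with only the standard library: `ValidatePair` applies the all-or-nothing rule to the two new fields, and `DelegationAssertion` builds the RS256 JWT that Google's service-account flow exchanges for a Directory API access token, with the impersonated admin as `sub` and the delegated scope from step b. The key-file fields and the signing key are constructed stand-ins (a real key file carries the key as PEM in `private_key`), and the token-endpoint exchange and the Directory call itself are outside the block.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Directory scope the PR has the Workspace super-admin authorise for the service account.
const DirectoryScope = "https://www.googleapis.com/auth/admin.directory.group.readonly"
// constructedKey is a throwaway stand-in for the PEM key carried in the key file's "private_key".
var constructedKey, _ = rsa.GenerateKey(rand.Reader, 2048)
// ValidatePair enforces the PR's all-or-nothing rule for the two new auth-method fields.
func ValidatePair(serviceAccountJSON, adminEmail string) error {
	if (serviceAccountJSON == "") != (adminEmail == "") {
		return errors.New("service account JSON and admin email must be set together")
	}
	return nil
}

// DelegationAssertion builds the RS256 JWT of Google's service-account flow under domain-wide
// delegation: iss is the service account, sub the impersonated admin, aud the token endpoint.
func DelegationAssertion(serviceAccountJSON, adminEmail string, key *rsa.PrivateKey, now time.Time) (string, error) {
	if serviceAccountJSON == "" || adminEmail == "" {
		return "", errors.New("service account JSON and admin email are both required")
	}
	var sa struct { // subset of the Google service-account key file
		ClientEmail string `json:"client_email"`
		TokenURI    string `json:"token_uri"`
	}
	if err := json.Unmarshal([]byte(serviceAccountJSON), &sa); err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": sa.ClientEmail, "sub": adminEmail, "scope": DirectoryScope,
		"aud": sa.TokenURI, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
```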