Preflight Checklist
Problem Description
Google supports authenticating with the Groups API using a service account without domain-wide delegation. AFAICT from testing, DEX's connector doesn't support that method.
Tested with the following approach:
1. Configure service account A with access to the Group API without DWDoA using the documentation above.
2. Grant service account B the iam.serviceAccountTokenCreator role over service account A.
3. Point serviceAccountFilePath to the credentials of SA B.
4. Set domainToAdminEmail to the email of SA A.
The following error is returned:
oauth2: cannot fetch token: 401 Unauthorized Response [...] Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested
Proposed Solution
Connector should allow the same level of configuration as, for example, Vault's OIDC provider.
Additional Information
Additionally, the flow should also work if serviceAccountFilePath points directly to the credentials of SA A, even without impersonation.
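For reference, the impersonation step this request asks for, as an added example that is not Dex's own code: SA B, which already holds iam.serviceAccountTokenCreator on SA A and has obtained its own access token (assumed here as the callerToken input), calls the IAM Credentials API generateAccessToken method for SA A with only the Groups read scope, so no domain-wide delegation is granted to anyone. The target email and base URL are assumed inputs, and a non-200 answer (such as the 401 quoted above) is surfaced with its status and body instead of being swallowed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Scope Dex needs to read group membership through the Directory (Groups) API.
const GroupsReadonlyScope = "https://www.googleapis.com/auth/admin.directory.group.readonly"

// ImpersonationError keeps the status and body of a failed generateAccessToken
// call, so the real reason (e.g. the 401 text in the issue) is not lost.
type ImpersonationError struct {
	Status int
	Body   string
}

func (e *ImpersonationError) Error() string {
	return fmt.Sprintf("oauth2: cannot fetch token: %d %s", e.Status, e.Body)
}

// ImpersonateSA asks the IAM Credentials API for a short-lived access token for
// targetSA (SA A). callerToken is an access token already obtained for SA B, which
// must hold roles/iam.serviceAccountTokenCreator on SA A; no domain-wide delegation
// is involved. baseURL is normally "https://iamcredentials.googleapis.com".
func ImpersonateSA(client *http.Client, baseURL, callerToken, targetSA string, scopes []string) (string, error) {
	url := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", baseURL, targetSA)
	payload, _ := json.Marshal(map[string]interface{}{"scope": scopes, "lifetime": "3600s"})
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(payload))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+callerToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		// Surface the exact API response; a 401 here usually means SA B lacks
		// the tokenCreator binding on SA A or asked for a scope SA A cannot use.
		return "", &ImpersonationError{Status: resp.StatusCode, Body: string(body)}
	}
	var out struct{ AccessToken string `json:"accessToken"` }
	if err := json.Unmarshal(body, &out); err != nil {
		return "", err
	}
	return out.AccessToken, nil
}
```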
This is currently an adoption blocker for my organization to use ArgoCD; we cannot enable domain-wide delegation because it is considered "too risky". Implementing this feature request would be great for us!
Second this. I would want to avoid domain-wide delegation, as it's impersonating a privileged account and it could be challenging to audit. Would prefer to use a service account with tightly scoped permissions.