Google: Add functionality to impersonate GSuite Admin identity without JSON

[NaurisSadovskis]

Overview

Hi folks, adding an option to impersonate GSuite Admin identity without service account key JSON. This functionality has been recently added as part of google-api-go-client v0.46.0

What this PR does / why we need it

This feature is primarily aimed at folks running within Google Cloud Platform (GCE/GKE):

• Removes the need for (long-lived) user-managed service account keys when configuring Dex

Addresses: #1756

Special notes for your reviewer

I have not tested this with an actual GSuite tenant, as I don't have one, but can test it sometime next week.

Does this PR introduce a user-facing change?

Add the ability to impersonate GSuite Admin identity without service account JSON when running on Google Cloud Platform

[sagikazarmark]

I wonder if impersonation should be the default instead when service account file is not provided.

[sagikazarmark]

cc @JoelSpeed

[NaurisSadovskis]

If I understand your comment correctly, we cannot directly interact with GSuite Admin API with service accounts without a GSuite account impersonation. So regardless of the authentication method (key or no key), we will require to go through impersonation step.

[aslamkhan-dremio]

@NaurisSadovskis - did you test this out? We are looking to use workload-identity instead of long-lived keys. when can we expect this to rollout?

[JoelSpeed]

I wonder if impersonation should be the default instead when service account file is not provided.

This makes sense, I guess in that case we don't need an explicit option for it?

[NaurisSadovskis]

hey folks, apologies for not responding earlier. I'll try to test it in the coming weeks.

[aslamkhan-dremio]

@NaurisSadovskis - any progress on this?

[frezbo]

Anything pending to get this moving forward? happy to contribute

[jetersen]

I would be happy to test this. @sagikazarmark is it simply docker build -t img .? or is the build process more complex?

Maybe it would be good to share gcloud commands required to setup the service account with impersonation permissions? 😅

[jetersen]

Got to

Failed to authenticate: google: could not retrieve groups: could not list groups: Get "https://admin.googleapis.com/admin/directory/v1/groups?alt=json&pageToken=&prettyPrint=false&userKey=user%40company.com": impersonate: status code 404: { "error": { "code": 404, "message": "Requested entity was not found.", "status": "NOT_FOUND" } }

Not sure how I can validate that the service account is working.

Any hints @NaurisSadovskis

[jinnjwu]

What is latest status, we need this feature too, we hosting argocd in GKE, there is a service account in work nodes, do not want to paste a service acccount key, because our service account key needs to be rotated.

[renan]

Is this possible now? To impersonate GSuite Admin using workload identity?

[renan]

I am looking for something similar for Vault and I found this: hashicorp/vault#23983 (comment)

I have yet to try on Dex / Argo CD, but it looks promising!