docs: document service account requirements (#999)

2025-05-30 01:17:21 +02:00 · 2020-06-25 19:32:36 -04:00 · 2020-06-25 19:32:36 -04:00 · c049d87362
commit c049d87362
parent 917d8ec61b
6 changed files with 59 additions and 41 deletions
--- a/docs/configuration/examples/config/config.example.env
+++ b/docs/configuration/examples/config/config.example.env
@ -40,10 +40,6 @@ export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
 export IDP_PROVIDER="google"
 export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google

-# IF GSUITE and you want to get user groups you will need to set a service account
-# see identity provider docs for gooogle for more info :
-# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
-
 # OKTA
 # export IDP_PROVIDER="okta"
 # export IDP_CLIENT_ID="REPLACEME"
@ -62,3 +58,7 @@ export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
 # directly as a base64 encoded yaml/json file, or as the policy key in the configuration
 # file
 export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"
+
+# For Group data you must set an IDP_SERVICE_ACCOUNT
+# https://www.pomerium.com/configuration/#identity-provider-service-account
+# export IDP_SERVICE_ACCOUNT=$( echo YOUR_SERVICE_ACCOUNT | base64)
--- a/docs/configuration/examples/config/config.example.yaml
+++ b/docs/configuration/examples/config/config.example.yaml
@ -64,6 +64,9 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com

 # scope: "openid email" # generally, you want the default OIDC scopes

+# For Group data you must set an IDP_SERVICE_ACCOUNT
+# idp_service_account: YOUR_SERVICE_ACCOUNT
+
 # Proxied routes and per-route policies are defined in a policy block
 policy:
  - from: https://httpbin.corp.beyondperimeter.com
--- a/docs/configuration/examples/kubernetes/kubernetes-config.yaml
+++ b/docs/configuration/examples/kubernetes/kubernetes-config.yaml
@ -13,6 +13,9 @@ override_certificate_name: "*.corp.beyondperimeter.com"
 idp_provider: google
 idp_client_id: REPLACE_ME.apps.googleusercontent.com
 idp_client_secret: "REPLACE_ME"
+# Required for group data
+# https://www.pomerium.com/configuration/#identity-provider-service-account
+idp_service_account: YOUR_SERVICE_ACCOUNT

 policy:
  - from: https://httpbin.corp.beyondperimeter.com
--- a/docs/configuration/examples/kubernetes/values.yaml
+++ b/docs/configuration/examples/kubernetes/values.yaml
@ -3,6 +3,9 @@ authenticate:
    provider: "google"
    clientID: YOUR_CLIENT_ID
    clientSecret: YOUR_SECRET
+    # Required for group data
+    # https://www.pomerium.com/configuration/#identity-provider-service-account
+    serviceAccount: YOUR_SERVICE_ACCOUNT 
  service:
    annotations:
      cloud.google.com/app-protocols: '{"https":"HTTPS"}'
--- a/docs/configuration/readme.md
+++ b/docs/configuration/readme.md
@ -456,28 +456,28 @@ Expose a prometheus format HTTP endpoint on the specified port. Disabled by defa

 #### Pomerium Metrics Tracked

-Name                                          | Type      | Description
--------------------------------------------- | --------- | -----------------------------------------------------------------------
-grpc_client_request_duration_ms               | Histogram | GRPC client request duration by service
-grpc_client_request_size_bytes                | Histogram | GRPC client request size by service
-grpc_client_requests_total                    | Counter   | Total GRPC client requests made by service
-grpc_client_response_size_bytes               | Histogram | GRPC client response size by service
-grpc_server_request_duration_ms               | Histogram | GRPC server request duration by service
-grpc_server_request_size_bytes                | Histogram | GRPC server request size by service
-grpc_server_requests_total                    | Counter   | Total GRPC server requests made by service
-grpc_server_response_size_bytes               | Histogram | GRPC server response size by service
-http_client_request_duration_ms               | Histogram | HTTP client request duration by service
-http_client_request_size_bytes                | Histogram | HTTP client request size by service
-http_client_requests_total                    | Counter   | Total HTTP client requests made by service
-http_client_response_size_bytes               | Histogram | HTTP client response size by service
-http_server_request_duration_ms               | Histogram | HTTP server request duration by service
-http_server_request_size_bytes                | Histogram | HTTP server request size by service
-http_server_requests_total                    | Counter   | Total HTTP server requests handled by service
-http_server_response_size_bytes               | Histogram | HTTP server response size by service
-pomerium_build_info                           | Gauge     | Pomerium build metadata by git revision, service, version and goversion
-pomerium_config_checksum_int64                | Gauge     | Currently loaded configuration checksum by service
-pomerium_config_last_reload_success           | Gauge     | Whether the last configuration reload succeeded by service
-pomerium_config_last_reload_success_timestamp | Gauge     | The timestamp of the last successful configuration reload by service
+| Name                                          | Type      | Description                                                             |
+| --------------------------------------------- | --------- | ----------------------------------------------------------------------- |
+| grpc_client_request_duration_ms               | Histogram | GRPC client request duration by service                                 |
+| grpc_client_request_size_bytes                | Histogram | GRPC client request size by service                                     |
+| grpc_client_requests_total                    | Counter   | Total GRPC client requests made by service                              |
+| grpc_client_response_size_bytes               | Histogram | GRPC client response size by service                                    |
+| grpc_server_request_duration_ms               | Histogram | GRPC server request duration by service                                 |
+| grpc_server_request_size_bytes                | Histogram | GRPC server request size by service                                     |
+| grpc_server_requests_total                    | Counter   | Total GRPC server requests made by service                              |
+| grpc_server_response_size_bytes               | Histogram | GRPC server response size by service                                    |
+| http_client_request_duration_ms               | Histogram | HTTP client request duration by service                                 |
+| http_client_request_size_bytes                | Histogram | HTTP client request size by service                                     |
+| http_client_requests_total                    | Counter   | Total HTTP client requests made by service                              |
+| http_client_response_size_bytes               | Histogram | HTTP client response size by service                                    |
+| http_server_request_duration_ms               | Histogram | HTTP server request duration by service                                 |
+| http_server_request_size_bytes                | Histogram | HTTP server request size by service                                     |
+| http_server_requests_total                    | Counter   | Total HTTP server requests handled by service                           |
+| http_server_response_size_bytes               | Histogram | HTTP server response size by service                                    |
+| pomerium_build_info                           | Gauge     | Pomerium build metadata by git revision, service, version and goversion |
+| pomerium_config_checksum_int64                | Gauge     | Currently loaded configuration checksum by service                      |
+| pomerium_config_last_reload_success           | Gauge     | Whether the last configuration reload succeeded by service              |
+| pomerium_config_last_reload_success_timestamp | Gauge     | The timestamp of the last successful configuration reload by service    |

 #### Envoy Proxy Metrics

@ -526,10 +526,10 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor

 #### Shared Tracing Settings

-Config Key          | Description                                                                          | Required
-:------------------ | :----------------------------------------------------------------------------------- | --------
-tracing_provider    | The name of the tracing provider. (e.g. jaeger, zipkin)                              | ✅
-tracing_sample_rate | Percentage of requests to sample in decimal notation. Default is `0.0001`, or `.01%` | ❌
+| Config Key          | Description                                                                          | Required |
+| :------------------ | :----------------------------------------------------------------------------------- | -------- |
+| tracing_provider    | The name of the tracing provider. (e.g. jaeger, zipkin)                              | ✅        |
+| tracing_sample_rate | Percentage of requests to sample in decimal notation. Default is `0.0001`, or `.01%` | ❌        |

 #### Jaeger (partial)

@ -543,10 +543,10 @@ tracing_sample_rate | Percentage of requests to sample in decimal notation. Defa
 - Service dependency analysis
 - Performance / latency optimization

-Config Key                        | Description                                 | Required
-:-------------------------------- | :------------------------------------------ | --------
-tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector.    | ✅
-tracing_jaeger_agent_endpoint     | Send spans to jaeger-agent at this address. | ✅
+| Config Key                        | Description                                 | Required |
+| :-------------------------------- | :------------------------------------------ | -------- |
+| tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector.    | ✅        |
+| tracing_jaeger_agent_endpoint     | Send spans to jaeger-agent at this address. | ✅        |

 #### Zipkin

@ -554,9 +554,9 @@ Zipkin is an open source distributed tracing system and protocol.

 Many tracing backends support zipkin either directly or through intermediary agents, including Jaeger. For full tracing support, we recommend using the Zipkin tracing protocol.

-Config Key              | Description                      | Required
-:---------------------- | :------------------------------- | --------
-tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅
+| Config Key              | Description                      | Required |
+| :---------------------- | :------------------------------- | -------- |
+| tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅        |

 #### Example

@ -637,9 +637,11 @@ Identity provider scopes correspond to access privilege scopes as defined in Sec
 - Environmental Variable: `IDP_SERVICE_ACCOUNT`
 - Config File Key: `idp_service_account`
 - Type: `string`
- Required, depending on provider
+- Required for group based policies

-Identity Provider Service Account is field used to configure any additional user account or access-token that may be required for querying additional user information during authentication. For a concrete example, Google an additional service account and to make a follow-up request to query a user's group membership. For more information, refer to the [identity provider] docs to see if your provider requires this setting.
+Identity Provider Service Account is field used to configure any additional user account or access-token that may be required for querying additional user information during authentication. 
+
+**All group membership from an IdP is queried via service account.**

 ### Identity Provider URL