docs: document service account requirements (#999)

docs/configuration/examples/config/config.example.env

@@ -40,10 +40,6 @@ export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
 export IDP_PROVIDER="google"
 export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
 
-# IF GSUITE and you want to get user groups you will need to set a service account
-# see identity provider docs for gooogle for more info :
-# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
-
 # OKTA
 # export IDP_PROVIDER="okta"
 # export IDP_CLIENT_ID="REPLACEME"
@@ -62,3 +58,7 @@ export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
 # directly as a base64 encoded yaml/json file, or as the policy key in the configuration
 # file
 export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"
+
+# For Group data you must set an IDP_SERVICE_ACCOUNT
+# https://www.pomerium.com/configuration/#identity-provider-service-account
+# export IDP_SERVICE_ACCOUNT=$( echo YOUR_SERVICE_ACCOUNT | base64)

docs/configuration/examples/config/config.example.yaml

@@ -64,6 +64,9 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 
 # scope: "openid email" # generally, you want the default OIDC scopes
 
+# For Group data you must set an IDP_SERVICE_ACCOUNT
+# idp_service_account: YOUR_SERVICE_ACCOUNT
+
 # Proxied routes and per-route policies are defined in a policy block
 policy:
   - from: https://httpbin.corp.beyondperimeter.com