feat: use workload identity federation to gain access to google

.goreleaser.yml

@@ -44,4 +44,3 @@ archives:
     format_overrides:
     - goos: windows
       format: zip
-

README.md

@@ -72,11 +72,32 @@ as locally running the ssosync tool.
 
 ### Google
 
-First, you have to setup your API. In the project you want to use go to the [Console](https://console.developers.google.com/apis) and select *API & Services* > *Enable APIs and Services*. Search for *Admin SDK* and *Enable* the API.
+First, you have to setup your API. In the project you want to use go to the [Console](https://console.developers.google.com/apis) and select
+*API & Services* > *Enable APIs and Services*. Search for *Admin SDK* and *Enable* the API.
 
-You have to perform this [tutorial](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to create a service account that you use to sync your users. Save the `JSON file` you create during the process and rename it to `credentials.json`.
+You have to perform this [tutorial](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to create a
+service account that you use to sync your users. This is the service account that is used to impersonate a user
+(via `--google-admin`). You have two possibilities to use this service account. Create a service account key credential,
+as describe in the tutorial above. Or use
+[Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation).
+
+#### Service account key credential
+
+Save the `JSON file` you create during the process described in the tutorial above and rename it to `credentials.json`.
+Please, keep this file safe, or store it in the AWS Secrets Manager.
+
+#### Workload Identity Federation
+
+Set up Workload Identity Federation for AWS as described
+[here](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds) and save the `JSON file`, and
+rename it to `credentials.json`. Provide the email address of service account used to impersonate a user using
+`--google-service-account-email`.
+Note that the `JSON file` created using this approach **does not** contain any sensitive data.
+
+> You can also use the `--google-credentials` parameter to explicitly specify the file containing the credentials.
+> Setting this parameter to an empty string will use
+> [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials).
 
-> you can also use the `--google-credentials` parameter to explicitly specify the file with the service credentials. Please, keep this file safe, or store it in the AWS Secrets Manager
 
 In the domain-wide delegation for the Admin API, you have to specify the following scopes for the user.
 
@@ -89,6 +110,9 @@ In the Search box type `Admin` and select the `Admin SDK` option. Click the `Ena
 
 You will have to specify the email address of an admin via `--google-admin` to assume this users role in the Directory.
 
+> When running this tool as AWS Lambda, the parameter `--google-credentials` is expected to contain the content of the
+> `JSON file`.
+
 ### AWS
 
 Go to the AWS Single Sign-On console in the region you have set up AWS SSO and select

SAR.md

@@ -23,6 +23,7 @@ There are general configuration parameters to the application stack.
 
 * `GoogleCredentials` contains the content of the `credentials.json` file
 * `GoogleAdminEmail` contains the email address of an admin
+* `GoogleSAEmail` contains the email address of a Google service account used to impersonate the admin user
 
 The secrets are stored in the [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/).
 

cmd/root.go

@@ -20,14 +20,14 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/awslabs/ssosync/internal"
-	"github.com/awslabs/ssosync/internal/config"
-	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-lambda-go/events"
-        "github.com/aws/aws-sdk-go/service/codepipeline"
 	"github.com/aws/aws-lambda-go/lambda"
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/codepipeline"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
+	"github.com/awslabs/ssosync/internal"
+	"github.com/awslabs/ssosync/internal/config"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -157,6 +157,7 @@ func initConfig() {
 
 	appEnvVars := []string{
 		"google_admin",
+		"google_sa_email",
 		"google_credentials",
 		"scim_access_token",
 		"scim_endpoint",
@@ -201,6 +202,12 @@ func configLambda() {
 	}
 	cfg.GoogleAdmin = unwrap
 
+	unwrap, err = secrets.GoogleSAEmail()
+	if err != nil {
+		log.Fatalf(errors.Wrap(err, "cannot read config").Error())
+	}
+	cfg.GoogleSAEmail = unwrap
+
 	unwrap, err = secrets.GoogleCredentials()
 	if err != nil {
 		log.Fatalf(errors.Wrap(err, "cannot read config").Error())
@@ -241,6 +248,7 @@ func addFlags(cmd *cobra.Command, cfg *config.Config) {
 	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "AWS SSO SCIM API Endpoint")
 	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "path to Google Workspace credentials file")
 	rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Workspace admin user email")
+	rootCmd.Flags().StringVarP(&cfg.GoogleSAEmail, "google-service-account-email", "W", "", "Google Workload Identity Federation SA email. If set, google-credentials must be associated with a Workload Identity Federation json file")
 	rootCmd.Flags().StringSliceVar(&cfg.IgnoreUsers, "ignore-users", []string{}, "ignores these Google Workspace users")
 	rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these Google Workspace groups")
 	rootCmd.Flags().StringSliceVar(&cfg.IncludeGroups, "include-groups", []string{}, "include only these Google Workspace groups, NOTE: only works when --sync-method 'users_groups'")

go.mod

@@ -3,25 +3,36 @@ module github.com/awslabs/ssosync
 go 1.16
 
 require (
-	github.com/BurntSushi/toml v1.0.0
-	github.com/aws/aws-lambda-go v1.23.0
-	github.com/aws/aws-sdk-go v1.44.102
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/golang/mock v1.5.0
+	github.com/BurntSushi/toml v1.3.2
+	github.com/aws/aws-lambda-go v1.41.0
+	github.com/aws/aws-sdk-go v1.44.319
+	github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c // indirect
+	github.com/coreos/bbolt v1.3.2 // indirect
+	github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e // indirect
+	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
+	github.com/golang/mock v1.6.0
+	github.com/gorilla/websocket v1.4.2 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.0
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
-	github.com/pelletier/go-toml v1.9.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/jonboulle/clockwork v0.1.0 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/cobra v1.1.3
+	github.com/prometheus/tsdb v0.7.1 // indirect
+	github.com/sirupsen/logrus v1.9.3
+	github.com/smartystreets/goconvey v1.6.4 // indirect
+	github.com/soheilhy/cmux v0.1.4 // indirect
+	github.com/spf13/cobra v1.7.0
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/viper v1.7.1
-	github.com/stretchr/testify v1.7.0
-	golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c
-	google.golang.org/api v0.46.0
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	github.com/spf13/viper v1.16.0
+	github.com/stretchr/testify v1.8.4
+	github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 // indirect
+	github.com/urfave/cli/v2 v2.2.0 // indirect
+	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
+	go.etcd.io/bbolt v1.3.2 // indirect
+	golang.org/x/oauth2 v0.11.0
+	google.golang.org/api v0.136.0
+	gopkg.in/resty.v1 v1.12.0 // indirect
 )