Google Authenticator

To use Google, you need a client cert with CommonName set to Google Apps (now G Suite) domain and Organization set to Google. To ease this process, use the Guard cli to issue a client cert/key pair.

$ guard init client {domain-name} -o Google

G Suite Domain-Wide Delegation of Authority

Guard server needs to determine the list of groups for any user in a G suite domain. This requires the domain administrator to grant Guard server with domain-wide access to its users’ data — this is referred as domain-wide delegation of authority. The following procedure has been adapted from official documentation found here.

Create the service account and its credentials

G Suite domain administrator needs to create a service account and its credentials. During this procedure you need to gather information that will be later passed to Guard server installer.

  • Open the Service accounts page. If prompted, select a project.
  • Click Create service account.
  • In the Create service account window, type a name for the service account, and select Furnish a new private key and Enable Google Apps Domain-wide Delegation. Then click Create.

You should now have gathered your service account’s Private Key file, Client ID and email address. You are ready to delegate domain-wide authority to your service account.

Delegate domain-wide authority to your service account

The service account that you created needs to be granted access to the G Suite domain’s user data that Guard server needs to access. The following tasks have to be performed by an administrator of the G Suite domain:

Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain. Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API.

Deploy Guard Server

For detailed instructions follow the guide here. To generate correct installer YAMLs for Guard server, pass the flags --google.admin-email and

# generate Kubernetes YAMLs for deploying guard server
$ guard get installer \
  --auth-providers="google" \
  --google.admin-email=<email-of-a-g-suite-admin> \<path-json-key-file> \
  > installer.yaml

$ kubectl apply -f installer.yaml


  "apiVersion": "",
  "kind": "TokenReview",
  "status": {
    "authenticated": true,
    "user": {
      "username": "[email protected]",
      "uid": "<google-id>",
      "groups": [
        "[email protected]",
        "[email protected]"

Guard uses the token found in TokenReview request object to read user’s profile information and list of Google Groups this user is member of. In the TokenReview response, status.user.username is set to user’s Google email, status.user.groups is set to email of Google groups under the domain found in client cert of which this user is a member of.

Configure kubectl

You can use the following command to issue a token:

$ guard get token -o google

This will open a login window in your browser. After logged into your account, user info will be written in ~/.kube/config. Your email will be used for user name.

$ guard get token -o google
I0312 12:36:40.927613   14596 logs.go:19] FLAG: --alsologtostderr="false"
I0312 12:36:40.927770   14596 logs.go:19] FLAG: --analytics="true"
I0312 12:36:40.927784   14596 logs.go:19] FLAG: --help="false"
I0312 12:36:40.927796   14596 logs.go:19] FLAG: --httptest.serve=""
I0312 12:36:40.927809   14596 logs.go:19] FLAG: --log_backtrace_at=":0"
I0312 12:36:40.927820   14596 logs.go:19] FLAG: --log_dir=""
I0312 12:36:40.927830   14596 logs.go:19] FLAG: --logtostderr="false"
I0312 12:36:40.927842   14596 logs.go:19] FLAG: --organization="google"
I0312 12:36:40.927855   14596 logs.go:19] FLAG: --stderrthreshold="0"
I0312 12:36:40.927867   14596 logs.go:19] FLAG: --v="0"
I0312 12:36:40.927877   14596 logs.go:19] FLAG: --vmodule=""
I0312 12:36:41.252150   14596 token.go:75] [Oauth2 callback receiver listening on]
I0312 12:36:41.252275   14596 token.go:91] [Auhtorization code URL:]
Current Kubeconfig is backed up as /home/ac/.kube/config.bak.2018-03-12T12-36.
Configuration has been written to /home/ac/.kube/config

$ cat ~/.kube/config
- name: <your_email>
        client-id: REDACTED
        client-secret: REDACTED
        id-token: REDACTED
        refresh-token: REDACTED

# using this <your_email> user for authenticaiton
$ kubectl get pods --user <your_email>
NAMESPACE     NAME                                    READY     STATUS    RESTARTS   AGE
kube-system   kube-dns-54cccfbdf8-jf9p2               3/3       Running   0          6h