To access a user's group membership, we must use the Google Admin Directory API. We will set up a Google Cloud Platform (GCP) service account and grant it access to the Directory API.
Enable the Admin SDK here.
In your Cloud Console, create a service account that will access the G Suite Directory API.
Give your service account access to the G Suite Directory API in the G Suite Admin console.
Use https://www.googleapis.com/auth/admin.directory.group.readonly as the API scope.
Make sure you've configured roles for accounts, as described here. Each role included in the command must match the name of a group in the organization.
With the authorized service account’s credentials in hand, use Halyard to configure Fiat:
ADMIN=firstname.lastname@example.org   # An administrator's email address
CREDENTIALS=/path/to/creds.json        # The downloaded service account credentials
DOMAIN=your.org                        # Your organization's domain.

hal config security authz google edit \
  --admin-username "$ADMIN" \
  --credential-path "$CREDENTIALS" \
  --domain "$DOMAIN"

hal config security authz edit --type google

hal config security authz enable
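Before passing the credentials path to Halyard, it helps to confirm that the file really is a service account key and that its private key is not readable by other local users. The function below is an added example, not part of Halyard or the original page; the name check_fiat_credentials and the sample key contents are constructed for illustration.

```shell
# Added example: preflight check for the file given to --credential-path.
# Returns 0 when every check passes; otherwise prints each problem to
# stderr and returns 1. check_fiat_credentials is a hypothetical helper.
check_fiat_credentials() {
  creds=$1
  rc=0

  if [ ! -f "$creds" ] || [ ! -r "$creds" ]; then
    echo "credentials file '$creds' is missing or unreadable" >&2
    return 1
  fi

  # A service account key is JSON with "type": "service_account" plus a
  # client_email and a private_key. An OAuth client secret or a user
  # credential file downloaded by mistake does not have this shape.
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$creds" ||
    { echo "'$creds' is not a service account key" >&2; rc=1; }
  for field in client_email private_key; do
    grep -q "\"$field\"" "$creds" ||
      { echo "'$creds' has no $field field" >&2; rc=1; }
  done

  # The file holds a private key, so the group and other permission
  # bits (characters 5-10 of the ls mode string) should all be empty.
  mode=$(ls -ld "$creds" | cut -c5-10)
  [ "$mode" = "------" ] ||
    { echo "'$creds' is accessible to group/other ($mode); run chmod 600" >&2; rc=1; }

  return $rc
}

# Constructed sample key (not a real credential) showing a passing run.
sample=$(mktemp)
printf '%s\n' '{"type": "service_account",' \
  ' "client_email": "fiat@constructed-project.iam.gserviceaccount.com",' \
  ' "private_key": "CONSTRUCTED-PLACEHOLDER"}' > "$sample"
chmod 600 "$sample"
check_fiat_credentials "$sample" && echo "ok: credentials file passes preflight"
rm -f "$sample"
```

Run it as check_fiat_credentials "$CREDENTIALS" after setting the variables and before the hal commands.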