Google Groups

Spinnaker supports G Suite accounts (formerly Google Apps for Work) and Google Groups to manage authorization.

Service account setup

To read a user’s group membership, Fiat must use the Google Admin Directory API. We will set up a Google Cloud Platform (GCP) service account and grant it access to the Directory API.

  1. Enable the Admin SDK here.

  2. In your Cloud Console, create a service account that will access the G Suite Directory API.

    (Figure: creating a service account for Fiat in the GCP console)

    1. Navigate to “IAM & Admin” -> “Service accounts”.
    2. Click “Create Service Account.”
    3. Give it a name like “spinnaker-fiat.”
    4. Select “Furnish a new private key” and select the JSON format.
    5. Select “Enable G Suite Domain-wide Delegation.”
    6. Click “Create”, which should download the private key for your new service account (see figure below).
    7. Transfer this JSON file to a known location in your Spinnaker deployment.
    8. You should see your newly created service account in the list, along with “DwD” and an option to “View Client ID”. Click “View Client ID” (see figure below).
    9. Note the Client ID displayed. It will be used in the next step.

    (Figure: viewing the client ID)

  3. Give your service account access to the G Suite Directory API in the G Suite Admin console.

    (Figure: authorizing the service account to access the Directory API)

    1. Navigate to the “Security” Settings page.
    2. Under “Advanced settings”, click “Manage API client access.”
    3. Enter the Client ID noted above under “Client Name.”
    4. Enter https://www.googleapis.com/auth/admin.directory.group.readonly as the API scope.
    5. Click “Authorize.”

Configure Fiat

NOTE: make sure Fiat is enabled in the spinnaker.yml file, as it defaults to disabled at this point in time. It’s likely to become mandatory in a future release.

  1. Make sure you’ve configured roles for accounts, as described here. Each role included in the command must match the name of a group in the organization.

  2. With the authorized service account’s credentials in hand, add the following to fiat-local.yml:

auth:
  group-membership:
    service: google
    google:
      credentialPath: /mnt/something/sa-creds.json
      adminUsername: emailOfServiceAccount
      domain: googleappsworkspacedomain
      ## set to true to also resolve membership of nested (indirect) groups; defaults to false.
      expandIndirectGroups: false
      ## number of parallel queries to the Google APIs when looking up group information.
      groupLookupConcurrency: 10
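Added example (not Fiat’s own code): a small pre-flight check for the settings above. It verifies that the file at credentialPath is a service-account key that only the Fiat user can read, and that the google block carries well-formed values; the key file and config it constructs are placeholders, and the adminUsername/domain values are assumed.

```python
import json
import os
import re
import stat
import tempfile

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_key_file(path):
    """Return findings for the downloaded service-account JSON key; [] means OK."""
    if not os.path.isfile(path):
        return [f"credentialPath {path} does not exist"]
    findings = []
    # With domain-wide delegation this key can read every group in the domain: keep it 0600.
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is readable by group/other; chmod 600 it")
    with open(path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("key file is not a service-account key")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            findings.append(f"key file is missing {field}")
    return findings

def check_google_block(google):
    """Validate the auth.group-membership.google block of fiat-local.yml, given as a dict."""
    findings = check_key_file(google.get("credentialPath", ""))
    if not EMAIL_RE.match(google.get("adminUsername", "")):
        findings.append("adminUsername must be an email address")
    if not google.get("domain"):
        findings.append("domain is required")
    if not isinstance(google.get("expandIndirectGroups", False), bool):
        findings.append("expandIndirectGroups must be true or false")
    conc = google.get("groupLookupConcurrency")
    if conc is not None and (not isinstance(conc, int) or conc < 1):
        findings.append("groupLookupConcurrency must be a positive integer")
    return findings

def demo(expand=False, restrict_key=True):
    """Run the checks on a constructed key file and config (placeholder values only)."""
    key_path = os.path.join(tempfile.mkdtemp(), "sa-creds.json")
    with open(key_path, "w") as fh:  # constructed key; not a real private key
        json.dump({"type": "service_account", "client_id": "000000000000",
                   "client_email": "spinnaker-fiat@example-project.iam.gserviceaccount.com",
                   "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}, fh)
    os.chmod(key_path, 0o600 if restrict_key else 0o644)
    return check_google_block({"credentialPath": key_path, "adminUsername": "admin@example.com",
                               "domain": "example.com", "expandIndirectGroups": expand,
                               "groupLookupConcurrency": 10})
```

To check a real deployment, load fiat-local.yml with a YAML parser and pass its auth.group-membership.google mapping to check_google_block.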