Learn how to configure your 1Password SCIM Bridge deployed on Cloud Run to connect to Google Workspace using Cloud Shell.

This directory includes a template JSON file used to configure the connection to Workspace and a Cloud Run YAML that includes the additional configuration required by Cloud Run.

> **Important**
>
> Complete the steps to deploy 1Password SCIM Bridge on Cloud Run before the next steps in this guide.

To connect your SCIM bridge to Workspace, you'll need permissions in Google Cloud to enable the required APIs and create a service account, and a Google Workspace administrator with the permissions required to use the service account with your Workspace tenant.
1. Sign in to the Google Cloud console and activate Cloud Shell: https://console.cloud.google.com?cloudshell=true

2. Enable the Admin SDK API, create a service account named `onepassword-provisioning` and a secret named `workspace-credentials`, add a secret version from a private key for the service account, and enable Cloud Run to access it using the Compute Engine default service account for the project:

   ```sh
   gcloud services enable admin.googleapis.com &&
   gcloud secrets create workspace-credentials &&
   gcloud iam service-accounts keys create - --iam-account=$(
     gcloud iam service-accounts create onepassword-provisioning --format='value(email)'
   ) | gcloud secrets versions add workspace-credentials --data-file=- &&
   gcloud secrets add-iam-policy-binding workspace-credentials \
     --member=serviceAccount:$(
       gcloud iam service-accounts list --filter="$(
         gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)'
       )-compute@developer.gserviceaccount.com" --format="value(email)"
     ) --role=roles/secretmanager.secretAccessor
   ```

3. Get the client ID of the service account:

   ```sh
   gcloud secrets versions access latest --secret=workspace-credentials | jq '.client_id' --raw-output
   ```

   Copy the client ID returned by this command to use in the next step.

4. In a separate browser tab or window, open the domain-wide delegation setup in the Workspace console: https://admin.google.com/ac/owl/domainwidedelegation. Click **Add new**, then fill out the information:

   - **Client ID**: paste the client ID for the service account key copied to your clipboard in the previous step.
   - **OAuth scopes**: copy and paste this comma-separated list:

     ```
     https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly
     ```

5. Download the `workspace-settings.json` template file from this repository, then edit the following in this file:

   - **Actor**: Enter the email address for a Google Workspace administrator to use with the service account.
   - **Bridge Address**: Enter your SCIM bridge URL.

     > **Important**
     >
     > This is the URL for the Cloud Run service from Step 3: Deploy your SCIM bridge (not your 1Password account sign-in address). For example: `https://op-scim-bridge-example-uc.a.run.app`.

   Save the file.
6. In the Cloud Console, upload the file to Cloud Shell:

   - Click ⋮ (**More**) > **Upload** in the Cloud Shell terminal menu bar.
   - Click **Choose Files**. Select the `workspace-settings.json` file that you saved to your computer.
   - Use the destination directory as is (or note the path if you saved it elsewhere). Click **Upload**.

7. Create a secret from the file:

   ```sh
   gcloud secrets create workspace-settings --data-file=$HOME/workspace-settings.json
   ```

   > **Tip**
   >
   > If the file was not saved using the suggested values, replace `$HOME/workspace-settings.json` with the actual path to the file. For example:
   >
   > ```sh
   > gcloud secrets create workspace-settings --data-file=/example/path/to/workspace-settings.file
   > ```

8. Enable Cloud Run to access the secret using the Compute Engine default service account for the project:

   ```sh
   gcloud secrets add-iam-policy-binding workspace-settings \
     --member=serviceAccount:$(
       gcloud iam service-accounts list --filter="$(
         gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)'
       )-compute@developer.gserviceaccount.com" --format="value(email)"
     ) --role=roles/secretmanager.secretAccessor
   ```

9. Use the `op-scim-bridge-gw.yaml` Cloud Run YAML from this repository to create a new revision of the service that is configured to connect to Google Workspace:

   ```sh
   curl --silent --show-error \
     https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/google-workspace/op-scim-bridge-gw.yaml |
     gcloud run services replace - &&
   gcloud run services describe op-scim-bridge --format="value(status.url)"
   ```

10. Sign in to your SCIM bridge in a web browser at the HTTPS endpoint provided by Cloud Run.

11. Select the Google group(s) you would like to assign to 1Password in the Google Workspace configuration. Click **Save**.
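The two files that become secret versions in the steps above (the service account key stored as `workspace-credentials` and the edited `workspace-settings.json` stored as `workspace-settings`) are the inputs most often wrong on a first attempt: a sign-in address pasted as the bridge URL, an actor that is not an email, a key file that is not a service account key, or a scope list that drifts from the four read-only scopes the delegation step requires. The following pre-flight checker is an added example and not part of the 1Password scim-examples repository; it assumes the template's JSON keys are `actor` and `bridgeAddress`, and every sample value in it is constructed.

```python
"""Pre-flight checks for the Google Workspace connection inputs before they are stored in Secret Manager.

Added example, not part of the 1Password scim-examples repository. Assumes the
template's JSON keys are "actor" and "bridgeAddress"; all sample data is constructed.
"""
import json
import re
import sys
from urllib.parse import urlparse

# The four read-only OAuth scopes the guide asks you to grant through domain-wide delegation.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
})

# Host suffixes of 1Password account sign-in addresses; the guide warns these are not the bridge URL.
SIGN_IN_SUFFIXES = (".1password.com", ".1password.eu", ".1password.ca")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_workspace_settings(settings: dict) -> list[str]:
    """Return a list of problems with a parsed workspace-settings.json (empty means OK)."""
    problems = []
    if not EMAIL_RE.match(str(settings.get("actor", ""))):
        problems.append("actor must be the email address of a Google Workspace administrator")
    url = urlparse(str(settings.get("bridgeAddress", "")))
    host = url.netloc.lower()
    if url.scheme != "https" or not host:
        problems.append("bridgeAddress must be an https:// URL")
    elif host.endswith(SIGN_IN_SUFFIXES):
        problems.append("bridgeAddress is a 1Password sign-in address, not the Cloud Run service URL")
    elif url.path not in ("", "/") or url.query:
        problems.append("bridgeAddress should be the bare Cloud Run service URL, without a path or query")
    return problems


def check_service_account_key(key: dict) -> list[str]:
    """Return problems with the service account key JSON (the workspace-credentials secret)."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("file is not a service account key (type != service_account)")
    if not str(key.get("client_id", "")).isdigit():
        problems.append("client_id is missing or not numeric; domain-wide delegation needs this value")
    if not str(key.get("private_key", "")).startswith("-----BEGIN"):
        problems.append("private_key is missing; the bridge cannot authenticate to Workspace without it")
    return problems


def check_scopes(pasted: str) -> list[str]:
    """Compare the comma-separated scope list pasted into the delegation form with the required set."""
    granted = {s.strip() for s in pasted.split(",") if s.strip()}
    problems = [f"missing scope {s}" for s in sorted(REQUIRED_SCOPES - granted)]
    problems += [f"unexpected scope {s} (broader than the read-only set the bridge needs)"
                 for s in sorted(granted - REQUIRED_SCOPES)]
    return problems


def check_files(settings_path: str, key_path: str) -> list[str]:
    """Run both file checks on real files, e.g. right before `gcloud secrets create workspace-settings`."""
    with open(settings_path) as f:
        settings = json.load(f)
    with open(key_path) as f:
        key = json.load(f)
    return check_workspace_settings(settings) + check_service_account_key(key)


# Constructed sample inputs (not real credentials or real addresses).
SAMPLE_SETTINGS_OK = {"actor": "admin@example.com",
                      "bridgeAddress": "https://op-scim-bridge-example-uc.a.run.app"}
SAMPLE_SETTINGS_BAD = {"actor": "admin",
                       "bridgeAddress": "https://example-team.1password.com"}
SAMPLE_KEY_OK = {"type": "service_account", "client_id": "123456789012345678901",
                 "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}

if __name__ == "__main__":
    # Usage: python preflight.py workspace-settings.json key.json (falls back to the constructed samples).
    if len(sys.argv) == 3:
        found = check_files(sys.argv[1], sys.argv[2])
    else:
        found = check_workspace_settings(SAMPLE_SETTINGS_BAD) + check_service_account_key(SAMPLE_KEY_OK)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it against the key you downloaded and the settings file you edited before step 7; a non-zero exit means a secret version would be created from input the bridge cannot use. The scope comparison is deliberately two-sided: a missing scope breaks group and user reads, while an extra scope grants the service account more of the tenant than the bridge needs.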
Learn more about automated provisioning in 1Password with Google Workspace: Connect Google Workspace to 1Password SCIM Bridge (Next steps).
## Update your SCIM bridge

1. Sign in to the Google Cloud console and activate Cloud Shell: https://console.cloud.google.com?cloudshell=true

2. Create a new revision of your SCIM bridge deployment using the latest version of the `op-scim-bridge-gw.yaml` Cloud Run services YAML from this directory in our repository:

   ```sh
   curl --silent --show-error \
     https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/google-workspace/op-scim-bridge-gw.yaml |
     gcloud run services replace -
   ```

   > **Tip**
   >
   > Check for 1Password SCIM Bridge updates on the SCIM bridge release notes website.

3. Test your SCIM bridge deployment using your bearer token.

The new version number that you updated to should appear in the health check, in the container logs for 1Password SCIM Bridge, and in the top left-hand corner of the page when you sign in to the SCIM bridge at its URL in a web browser. After you sign in to your SCIM bridge, the Automated User Provisioning page in your 1Password account will also update with the latest access time and SCIM bridge version.