
How to configure ArgoCD OIDC with Google Workspace in 5 simple steps

There are different ways to handle authentication in ArgoCD, but relying on the admin password is not secure enough. For this reason, we’ll learn how to configure ArgoCD to integrate with Google Workspace for login. In this TeraTip we’ll cover one of the approaches for authentication, using groups from Google Workspace.

Before you get started…

For SSO to work, you need to have the SSL and URL for your server already configured; otherwise, you’ll get errors during authentication.

Step #1: Create the OAuth Screen

First, create a project with any name you want and configure the OAuth screen as follows:

In the Authorized domains section, it is important to configure the domain for the email your users have; in this case, we add the domain for our organization.

Finally, on the Scopes tab select the userinfo.profile and the openid scopes. Those are the scopes ArgoCD needs for the login.

Step #2: Create the OAuth Client ID

On the Credentials tab, click on + Create Credentials and then OAuth client ID.

Then, under Application type, select Web Application, and configure the JavaScript origins and redirect URIs. In the Authorized JavaScript origins section, configure the root URL for your ArgoCD. Then, in Authorized redirect URIs, enter the same URL with the /api/dex/callback path appended.

Then click on create and save your Client ID and Client Secret for later.

Step #3: Configure the Service Account on Google Workspace

Now create the Service Account and configure Domain Wide delegation so that ArgoCD is able to read the groups. In the Service Account section of the Google Console, click on + CREATE SERVICE ACCOUNT. You only need to enter a name for the service account, and it can be any name you like.

Open your service account, go to the Keys tab, click on Add Key, and select JSON as the format. Save the key file; we will use it later for configuring the OIDC.

Step #4: Set up Domain Wide delegation and enable the Admin SDK

To finish the Google configuration, configure Domain Wide delegation and enable the Admin SDK. First head to the Google Cloud Admin console, then go to Security, Access and data control, API controls, and lastly click on manage domain wide delegation.

Click on Add Client, and then on Client ID paste the Client ID of your service account, and on the scopes section paste this:

Finally, head to and enable the Admin SDK for your project.

Step #5: Configure ArgoCD

To configure the OIDC, create two secrets on your cluster: one for the Client Secret we got in Step 2 and one for the JSON we got in Step 3.

For the client secret:

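apiVersion: v1
kind: Secret
metadata:
  name: argocd-cm-dex-secret
  namespace: argocd
  labels:
    # ArgoCD only resolves $secret references to Secrets carrying this label
    app.kubernetes.io/part-of: argocd
data:
  # The key name is not shown on the page; key and value here are placeholders
  CLIENT_SECRET_KEY: CLIENT_SECRET_BASE64_ENCODED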

For the JSON:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-google-groups-json
  namespace: argocd
data:
  # Base64 of the service account JSON key saved in Step 3
  googleAuth.json: JSON_FILE_BASE64_ENCODED

Now if you are using the ArgoCD Helm Chart, you can use the following values, tested on version 5.27.1:

configs:
  cm:
    url:
    dex.config: |
      connectors:
      - config:
          redirectURI:
          clientID: HERE_YOUR_CLIENT_ID
          clientSecret: $
          serviceAccountFilePath: /tmp/oidc/googleAuth.json
          adminEmail: email_used_for_the_domain_wide_delegation
          # A list of groups to add
          groups:
          -
        type: google
        id: google
        name: Google
dex:
  enabled: true
  volumeMounts:
  - mountPath: /tmp/oidc
    name: google-json
    readOnly: true
  volumes:
  - name: google-json
    secret:
      defaultMode: 420
      secretName: argocd-google-groups-json
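A pre-flight check for the values used in Steps 2 to 5, as an added example (not part of the original TeraTip or of ArgoCD): it derives the redirect URI from the ArgoCD root URL and validates the service account JSON key before it is base64-encoded into the Secret. The function names, the example.com URL and the sample key are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Fields a Google service account JSON key must carry for this setup.
REQUIRED_KEY_FIELDS = ("client_id", "client_email", "private_key")


def dex_redirect_uri(argocd_url: str) -> str:
    """Derive the Authorized redirect URI (Step 2) from the ArgoCD root URL."""
    parts = urlsplit(argocd_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("ArgoCD URL must be an https:// URL with a host")
    if parts.query or parts.fragment:
        raise ValueError("ArgoCD URL must not carry a query or fragment")
    return f"https://{parts.netloc}{parts.path.rstrip('/')}/api/dex/callback"


def encode_service_account_key(raw: bytes) -> dict:
    """Validate the JSON key from Step 3 and return what Steps 4 and 5 need."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"key file is not valid JSON: {exc}") from exc
    if not isinstance(key, dict) or key.get("type") != "service_account":
        # An OAuth client file from Step 2 or user credentials land here.
        raise ValueError("key file is not a service account key")
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    return {
        "delegation_client_id": key["client_id"],  # Client ID for Step 4
        "googleAuth.json": base64.b64encode(raw).decode("ascii"),  # Secret data
    }


# Constructed sample key: every value below is fake.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000000",
    "client_email": "argocd-dex@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
}).encode()

if __name__ == "__main__":
    print(dex_redirect_uri("https://argocd.example.com/"))
    print(encode_service_account_key(SAMPLE_KEY)["delegation_client_id"])
```

Run it against the real key file locally and keep the output out of version control, since the encoded value still contains the private key.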

Now you have your ArgoCD configured with Google SSO!

Juan Wiggenhauser

Cloud Engineer

