credential storage for GAM


Justin Brown

Nov 15, 2022, 7:53:12 PM
to GAM for Google Workspace
I'm completely new to GAM... I have what may be a strange question. Is there a way to store GAM creds in a vault only to be opened when GAM is called? Is that a thing?

Sergio Alvarez

Nov 16, 2022, 8:45:49 AM
to GAM for Google Workspace
Hi,

In theory it is possible, but not by an automated process provided by GAM; it has to be done either manually or through other means. The files that you want to store are usually located in:

C:\Users\youruser\.gam

The files are:

client_secrets.json
oauth2service.json
oauth2.txt

You can store those files away while not using GAM and, once you are ready to use it, just move them back to their location.

Jay Lee

Nov 16, 2022, 8:51:29 AM
to google-ap...@googlegroups.com
Exactly this. GAM stores service account and end user credentials directly to disk. If you need further physical / virtual security I'd suggest looking into an encryption tool like BitLocker or a virtual disk encryption tool like VeraCrypt. No endorsements here, just pointing out that there are established options to encrypt the local data outside of GAM.

Jay Lee


--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/ac580e36-555c-48ff-b71d-08d1e437c1b4n%40googlegroups.com.

Maj Marshall Giguere

Nov 16, 2022, 10:03:09 AM
to google-ap...@googlegroups.com
Justin;

The question is not strange, in the sense that securing your credentials is desirable and necessary. GAM itself provides no mechanism to do as you suggest.
There are measures you need to take to secure your credential files locally. By default GAM keeps things in your home directory, in the .gam directory. I certainly recommend that the .gam directory and its contents be kept as owner-accessible only. They are like RSA private keys; you need to keep access to them strictly limited.

All that being said, you could consider something like this, using a tool like VeraCrypt to create an encrypted volume and storing your gam config and credentials there. This is just a rough outline and I haven't tried it; I'm thinking out loud. The devil is in the details. First, create an encrypted volume either on your local drive or on a USB storage device. Next, build a directory to hold your gam configuration and credentials. Next, change the default gam.cfg in your home .gam directory to point to the configuration directory on the encrypted volume. I think the configuration variable "config_dir" is the one. When gam is invoked I believe it will read the local gam.cfg, which should point it to the encrypted volume. Obviously you will need to mount the encrypted volume prior to invoking gam. This meets your first criterion for secure storage.

However, you have the same difficulty as before: you need to secure the encryption key for the encrypted volume. This method does not meet your second criterion, that access only be triggered by gam when it is invoked, meaning that your gam credentials are only secure when at rest and the key is safely secured. As you can see, this is complicated and simply adds another key that must be secured. This could go on infinitely, seems complex and is not guaranteed. Securing private keys is the most difficult part of any security scenario.

A simpler alternative might be to put your gam configuration on a removable volume, a USB stick, that you only plug in when you're using gam. At least in this use case your credentials are secure when the USB stick is removed. Here, as in the previous case, you could secure the USB volume by encrypting it.

So, I think the conclusion is that the simplest way, by far, to secure your credentials is by restricting who has privileges to read/write them. Maybe someone else in the group has some experience with this.

Respectfully,

Maj Marshall E Giguere
NH Wing Director of IT
Civil Air Patrol, U.S. Air Force Auxiliary
GoCivilAirPatrol.com
nhwg.cap.gov
Volunteers serving America's communities, saving lives, and shaping futures.



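The "restrict who can read them" advice above is the one measure everyone in the thread agrees on. The script below is an added example (not GAM's own tooling and not written by any participant) that applies it and then verifies it: it makes the credential directory and everything under it owner-only, then fails loudly if any entry is still group- or world-readable. It assumes the default location ~/.gam and a POSIX shell; the directory can be overridden with an argument, e.g. to point at the config directory on a mounted encrypted volume as suggested above.

```shell
#!/bin/sh
# Added example for this thread, not part of GAM.
# Assumes GAM's credential files live in ~/.gam (override with $1).

# count_exposed DIR: number of entries under DIR that are readable by
# group (mode bit 040) or other (mode bit 004). The goal is 0.
count_exposed() {
    find "$1" \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' '
}

# lock_down_gam_dir [DIR]: owner-only permissions on the directory tree
# (700 on directories, 600 on files), then verify nothing is still exposed.
# Returns 0 when verified, 1 if something is still readable by others,
# 2 if the directory does not exist.
lock_down_gam_dir() {
    dir="${1:-$HOME/.gam}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # Directories first so traversal is never opened up mid-run, then files.
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
    n=$(count_exposed "$dir")
    if [ "$n" -ne 0 ]; then
        echo "still readable by group/other under $dir:" >&2
        find "$dir" \( -perm -040 -o -perm -004 \) >&2
        return 1
    fi
    return 0
}

# Usage: lock_down_gam_dir            # default ~/.gam
#        lock_down_gam_dir /mnt/vc/gam  # config dir on an encrypted volume
```

Note that this only protects against other local accounts; it does nothing against anything running as your own user, which is the residual risk the thread keeps coming back to.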

Justin Brown

Nov 18, 2022, 12:48:35 PM
to GAM for Google Workspace
We are using HashiCorp Vault; would it be possible to write a script to call Vault for the credentials and create or update the JSON files needed for GAM? The script should also delete the credentials from the JSON files after the call to GAM is completed.
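The question above gets no answer in the thread. The following is an added example (not GAM's own code and not written by any participant) of the wrapper it describes: read the three credential files from one Vault KV v2 secret, write them into a freshly created owner-only temporary directory, run GAM against that directory, then overwrite and delete the files whether or not GAM succeeded. Assumptions not stated in the thread: the secret stores the three files as fields named client_secrets.json, oauth2service.json and oauth2.txt; Vault is reached over its HTTP API using VAULT_ADDR and VAULT_TOKEN from the environment (and the hypothetical GAM_VAULT_PATH for the secret path); and GAM honours the GAMUSERCONFIGDIR environment variable to locate its configuration directory.

```python
#!/usr/bin/env python3
"""Run GAM with credentials that exist on disk only for one invocation.

Added example for this thread, not part of GAM. Assumptions (not from the
thread): one Vault KV v2 secret holds the three credential files as fields,
Vault is reached via HTTP with VAULT_ADDR/VAULT_TOKEN, and GAM reads its
config directory from the GAMUSERCONFIGDIR environment variable.
"""
import json
import os
import shutil
import subprocess
import sys
import tempfile
import urllib.request

# The files Sergio listed, in the order GAM needs them present.
CRED_FILES = ("client_secrets.json", "oauth2service.json", "oauth2.txt")


def fetch_from_vault(kv_path, addr=None, token=None):
    """Read one KV v2 secret (e.g. secret/data/gam) and return its fields.

    Network call; KV v2 puts the fields under data.data in the response.
    """
    addr = addr or os.environ["VAULT_ADDR"]
    token = token or os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{kv_path}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["data"]


def write_secret_file(path, content):
    """Create the file 0600 from the first byte; O_EXCL refuses to follow a
    symlink or overwrite anything pre-planted in the directory."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


def shred_file(path):
    """Overwrite with random bytes, sync, unlink. Best effort: on SSDs and
    copy-on-write filesystems the old blocks may still survive."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)


def run_gam_with_vault_creds(secrets, gam_args, runner=subprocess.run):
    """Materialise the credentials, run `gam <gam_args>`, always clean up.

    `runner` is injectable so the flow can be exercised without a real GAM.
    Returns (gam_returncode, config_dir); config_dir no longer exists on return.
    """
    missing = [name for name in CRED_FILES if name not in secrets]
    if missing:
        raise KeyError(f"Vault secret lacks fields: {missing}")
    config_dir = tempfile.mkdtemp(prefix="gam-")  # mkdtemp creates it 0700
    try:
        for name in CRED_FILES:
            write_secret_file(os.path.join(config_dir, name), secrets[name])
        env = dict(os.environ, GAMUSERCONFIGDIR=config_dir)
        result = runner(["gam", *gam_args], env=env, check=False)
        return result.returncode, config_dir
    finally:
        # Shred the files we wrote, then drop anything GAM itself created.
        for name in CRED_FILES:
            path = os.path.join(config_dir, name)
            if os.path.exists(path):
                shred_file(path)
        shutil.rmtree(config_dir, ignore_errors=True)


if __name__ == "__main__":
    # Example: ./gam_vault.py info domain
    creds = fetch_from_vault(os.environ.get("GAM_VAULT_PATH", "secret/data/gam"))
    rc, _ = run_gam_with_vault_creds(creds, sys.argv[1:])
    sys.exit(rc)
```

This satisfies the literal request (credentials on disk only while GAM runs), but it does not escape the point made earlier in the thread: the Vault token the script needs is itself a credential, and anything running as the same user during the GAM call can read the temporary directory. Its real gain is that the long-lived secrets now live in Vault, with its audit log and access policy, rather than permanently in ~/.gam.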