GCP IAM AD principal in Looker

Audy · 05-18-2024 06:35 AM

With regards to assigning roles to AD based group, for some reason AD groups available in GCP IAM with 'Looker Instance User' permission are not showing up in Looker Admin -> Groups section and i do not see an LDAP section under Authentication within Looker Admin. This is needed to bring in AD groups which have been given access to BigQuery data so we have the AD group driving user access to Looker. I even tried adding the ldap principal as seen in GCP IAM section (e.g. a.b.c@x.com.au) to the looker group section as a new group thinking it may need to be manually added before it can pull in users but i think this isn't going to work and there should be a way for Looker groups to mirror groups available in IAM with the Looker Instance User permission. Or, Am i totally missing something here.

David-Google

Hey Audy!

If you're not seeing the "LDAP" option under the Admin -> Authentication group, I'd recommend reaching out to Looker support via in-app chat or via help.looker.com to submit an email-based ticket. Someone from that team should be able to toggle that on for you so you can get things configured properly.

If we're instead using Google Authentication in the meantime as an auth mechanism, the lack of groups and permissions from GCP IAM is expected as per this community post. But--like you mentioned--you should also be able to use Google Authentication via LDAP, and that configuration does support importing groups (as per this doc).

Best,

David

Audy

Thank you so much, let me get back with results once i work with other teams here.