This post documents a real-world example of integrating Google OIDC login into Argo CD.
It's written based on an infrastructure where the Argo CD Helm chart is managed via Terraform.
If you're looking to unify authentication across your organization using OIDC, this guide may help.
👉 For better understanding, check out this related post first:
Three Ways to Apply Google OIDC in Argo CD
🔗 Official Docs: Google - Argo CD - Declarative GitOps CD for Kubernetes
- OpenID Connect using Dex: this method does not support Google Workspace group claims (i.e., you can't authorize users based on group membership).
💡 Since our company doesn't actively use Google Workspace groups, we chose this method.
- SAML App Auth using Dex: this method is discouraged by the Dex maintainers.
- OpenID Connect + Google Groups using Dex: supports access control based on group claims (if you actively use Google Groups).
What is Dex?
🔗 Dex Connectors Documentation
Dex is an identity provider (IdP) that connects to various authentication backends such as SAML, LDAP, GitHub, and Google, and exposes a unified OpenID Connect (OIDC) interface to clients.
In other words, Dex acts as a bridge that standardizes diverse authentication sources under a single OIDC protocol.
Implementation Steps
Reference: Argo CD Docs - OpenID Connect using Dex
1. Creating OAuth Client in Google Cloud Console
This process could potentially be replaced with the Terraform resource google_iam_oauth_client in the future:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client
I plan to refactor accordingly.
Steps:
- Log in to Google Cloud Console
- Select a project
- Navigate to APIs & Services
- Go to Credentials
- Click Create credentials → OAuth client ID
- Select Web application as the Application type
- Set a name
- Add your ArgoCD origin in Authorized JavaScript origins
- Set the redirect URI as defined in the official documentation: https://<argocd domain>/api/dex/callback
Once created, securely store the client_id and client_secret (e.g., in Vault or AWS Secrets Manager).
2. Configuring argocd-cm via Helm + Terraform
```hcl
// modules/argocd/main.tf
resource "helm_release" "default" {
  ...
  chart      = "argo-cd"
  repository = "https://argoproj.github.io/argo-helm"
  ...
  values = [
    file("${path.module}/values.yaml"),
    yamlencode({
      ...
      configs = {
        ...
        rbac = {
          // Base policy plus any extra lines the caller passes in
          "policy.csv" = join("\n", concat([
            "p, role:terraform, repositories, *, *, allow",
            "g, terraform-user, role:terraform"
          ], var.additional_policies))
          scopes = var.rbac_scopes // OIDC claims examined during RBAC enforcement (in addition to sub)
        }
        cm = {
          "server.rbac.log.enforce.enable" = true
          ...
          "dex.config" = yamlencode(var.dex_config) // rendered into argocd-cm as a YAML string
          url = "https://${local.argocd_ingress_domain}" // required for the Dex redirect URI
          ...
        }
      }
      ...
    })
  ]
}
```
```hcl
// argocd.tf
module "argocd" {
  source                     = "../modules/argocd"
  cluster_name               = var.cluster_name
  argocd_ingress_root_domain = "my-company.com"
  ...
  // Google OIDC uses email as the username
  rbac_scopes = "[email]"
  dex_config = {
    "connectors" = [
      {
        config = {
          issuer       = "https://accounts.google.com"
          clientId     = local.argocd_secrets.argocd_google_client_id
          clientSecret = local.argocd_secrets.argocd_google_client_secret
        }
        type = "oidc"
        id   = "google"
        name = "Google"
      }
    ]
  }
  ...
}
```
The clientId and clientSecret were injected using the values generated in the previous step.
Other configuration values were referenced from the following documentation:
💡 Since clientId and clientSecret are sensitive credentials, it is highly recommended not to hardcode them in .tfvars or local blocks. Instead, use a secret manager such as Vault or AWS Secrets Manager to securely retrieve and inject these values.
```hcl
locals {
  ...
  argocd_secrets = jsondecode(data.aws_secretsmanager_secret_version.argocd_secrets.secret_string)
  ...
}
```
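Because the Google connector leaves Argo CD with only the email claim as a subject, every grant in policy.csv has to name an email (or a role an email is mapped to via a g line), and anything unmatched is denied. The following is an added example, not code from this post or from Argo CD: a simplified evaluator of the policy.csv the module renders, mirroring Argo CD's casbin semantics (glob matching via fnmatch, allow only if some rule allows and none denies, no policy.default fallback); the alice@/bob@ identities and the role:readonly lines are constructed stand-ins for var.additional_policies.

```python
import fnmatch

# policy.csv as the module above renders it, plus constructed lines standing in
# for var.additional_policies (alice@/bob@ are made-up identities).
POLICY_CSV = "\n".join([
    "p, role:terraform, repositories, *, *, allow",
    "g, terraform-user, role:terraform",
    "p, role:readonly, applications, get, */*, allow",
    "p, role:readonly, applications, sync, */*, deny",
    "g, alice@my-company.com, role:terraform",
    "g, alice@my-company.com, role:readonly",
])


def parse_policy(csv_text):
    """Split policy.csv into p-rules and g-assignments; reject malformed lines."""
    rules, groups = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # (subject, resource, action, object, effect)
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, groups


def subjects_for(subject, groups):
    """The subject itself plus every role reachable through g lines."""
    seen, todo = set(), [subject]
    while todo:
        current = todo.pop()
        if current not in seen:
            seen.add(current)
            todo.extend(groups.get(current, ()))
    return seen


def enforce(csv_text, subject, resource, action, obj):
    """Allowed iff a matching rule allows and none denies; no match means deny."""
    rules, groups = parse_policy(csv_text)
    subs = subjects_for(subject, groups)
    effects = [eft for sub, res, act, ob, eft in rules
               if sub in subs
               and fnmatch.fnmatchcase(resource, res)
               and fnmatch.fnmatchcase(action, act)
               and fnmatch.fnmatchcase(obj, ob)]
    return "allow" in effects and "deny" not in effects
```

Running it against a subject the policy never names (bob@) shows the default-deny behaviour that makes per-email grants mandatory when no group claim is available.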