In this section we will guide you through using Google as an OIDC provider for Arrikto EKF.

What You'll Need


  1. Create a new project in Google Cloud. From your admin account go to IAM & Admin -> Manage Resources -> Create Project and create a new project:

    Project name <PROJECT_NAME>
    Organization <ORGANIZATION>
    Location <LOCATION>


    • <PROJECT_NAME> with the desired name for your project.
    • <ORGANIZATION> with the name of your organization.
    • <LOCATION> with the locations of your project.


    I don't have permissions to create a Google Cloud project.

    In this case, you need to either

    • Contact your Google Cloud organization administrator.
    • Reuse an existing one you have access to.
  2. Select your new project from the drop-down list at the top of the page.

  3. Configure the OAuth consent screen for your Google Cloud project. Google presents this screen to users when they attempt to login, including a summary of your project, its policies and the requested scopes of access.

    From your admin account go to APIs & Services -> OAuth consent screen and configure your OAuth consent screen as follows:

    OAuth consent screen
    User Type Internal
    App name Rok
    User support email <USER_SUPPORT_EMAIL>
    Developer contact information <DEVELOPER_EMAIL>
    Scopes No need to edit any of the scopes options


    • <USER_SUPPORT_EMAIL> with the email where users can contact you with questions about their consent.
    • <DEVELOPER_EMAIL> with the email address that Google will use to notify you about any changes to your project.


    My Google Cloud project has specific scope requirements

    As long as you allow OIDC applications to request the following scopes:

    • profile
    • email
    • openid

    then there shouldn't be any issue.

    Contact Arrikto

    If you encounter any issue, please contact the Arrikto Tech Team.

  4. Create an application in Google Cloud. From your admin account go to APIs & Services -> Credentials -> CREATE CREDENTIALS -> OAuth client ID and create the following settings:

    Application type Web application
    Authorized redirect URIs <FQDN>/authservice/oidc/callback

    Replace <FQDN> with the public URL of your EKF installation, for example,

  5. Copy the client ID and secret that the application generated to your clipboard, as you are going to use them in later steps.

  6. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  7. Specify the OIDC client ID:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_ID=<Client_ID>

    Replace <Client_ID> with your client ID generated in the steps above.

  8. Specify the OIDC client secret:

    root@rok-tools:~/ops/deployments# export OIDC_CLIENT_SECRET=<Client_secret>

    Replace <Client_secret> with your client secret generated in the steps above.

  9. Render the AuthService credentials:

    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/secret_params.env
  10. Set the public URL of your EKF installation:

    root@rok-tools:~/ops/deployments# export FQDN=<FQDN>

    Replace <FQDN> with your installation's public URL. For example:

    root@rok-tools:~/ops/deployments# export FQDN=
  11. Configure AuthService to convert user emails to usernames:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@<DOMAIN>", "replaces": "" }]'

    Replace <DOMAIN> with the domain of your organization. For example:

    root@rok-tools:~/ops/deployments# export USERID_TRANSFORMERS='[{"matches": "@example\\.com", "replaces": "" }]'

    Make sure to include \\. With this example domain, AuthService will convert user IDs like into user.


    USERID_TRANSFORMERS accepts a JSON formatted list of UserID transformation rules with the following format:

    USERID_TRANSFORMERS=[{"matches": "regex",  "replaces": "value" }]

    AuthService will transform the UserID by finding the first transformation rule that matches regex and replacing it with value.

  12. Set the default Google settings and render the AuthService configuration:

    root@rok-tools:~/ops/deployments# export USERID_CLAIM=email
    root@rok-tools:~/ops/deployments# export OIDC_PROVIDER=
    root@rok-tools:~/ops/deployments# export OIDC_SCOPES=profile,email,openid
    root@rok-tools:~/ops/deployments# export AUTHSERVICE_URL_PREFIX=${FQDN?}/authservice/
    root@rok-tools:~/ops/deployments# export TEMPLATE_PATH=''
    root@rok-tools:~/ops/deployments# j2 kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env.j2 \
    > -o kubeflow/manifests/common/oidc-authservice/overlays/deploy/params.env
  13. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Use the Google OIDC provider for Kubeflow authentication"
  14. Apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply install/kubeflow
  15. For changes to take effect, restart the pods manually:

    root@rok-tools:~/ops/deployments# kubectl delete pods -n istio-system -l app=authservice


  1. Ensure that the authservice StatefulSet is running. Verify that field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl get pods -n istio-system -l app=authservice
    NAME            READY   STATUS    RESTARTS   AGE
    authservice-0   1/1     Running   0          13s
  2. Log in with your Google credentials at <FQDN>, where <FQDN> is the public URL of your EKF installation. For example,


You have successfully configured your EKF installation to allow users to login with their Google accounts.

What's Next

Check out the rest of the services you can integrate Arrikto EKF with.