Configure Google OpenID Connect

You can use the Google® OAuth 2.0 authentication system as an identity provider for Pachyderm. Google takes care of verifying the identity of users accessing your Pachyderm cluster.


Before you can configure Pachyderm to work with Keycloak, you need to have the following components up and running:

  • Pachyderm Enterprise 1.11.x or later. The enterprise token must be activated by running:

    echo <your-activation-token> | pachctl enterprise activate

    Check the status of your license by running:

    pachctl enterprise get-state

For more information, see Activate Pachyderm Enterprise Edition.

  • A Google account, such as a Gmail account. You need to have access to the Google API Console and have a project there. For more information, see Google OpenID Connect documentation.

Configure Google OAuth 2.0

You need to create a project in the Google API Console within an organization. Some of the IAM features that are discussed in this section are not available to individual users. This section outlines Pachyderm specifics for setting up authentication with Google. For more specific details about the configuration, see Google OpenID Connect documentation.

To set up Google OAuth 2.0, complete the following steps:

  1. Go to your project in Google API Console.
  2. Click Credentials.
  3. Click Configure Consent Screen.
  4. Select a user type as needed for your project.
  5. Type the Application name.

This action creates a client within the Google OAuth 2.0 authentication system. You can fill out other fields as needed, but to authorize with Pachyderm, only the application name is required.

  6. Save the settings.
  7. Go back to Credentials.
  8. Under OAuth 2.0 Client IDs, edit the client that you have created in the previous step.
  9. In the Authorized redirect URIs section, add the Pachyderm callback link in the following format:

This is your redirect_uri. The path cannot include an IP address and must have the OIDC protocol.

  10. Click Save.
  11. Go to Configure Pachyderm.

Configure Pachyderm

After you have completed the steps in Configure Google OAuth 2.0, you need to create a Pachyderm authentication config and log in to your Pachyderm cluster as a Google user.

To configure Pachyderm, complete the following steps:

  1. Go to the terminal and forward the pachd pod to the OIDC port:

     1. Get the pachd pod ID:

        kubectl get pod

        Example system response:

        dash-5768cb7d98-j6cgt       2/2     Running   0          4h2m
        etcd-56d897697-xzsqr        1/1     Running   0          4h2m
        keycloak-857c59449b-htg99   1/1     Running   0          4h6m
        pachd-79f7f68c65-9qs8g      1/1     Running   0          4h2m

     2. Forward the pachd pod to the OIDC port:

        kubectl port-forward pachd-79f7f68c65-9qs8g 30657

  2. Enable Pachyderm authentication:

    pachctl auth activate --initial-admin=robot:admin

Pachyderm returns a token.

WARNING! You must save the token to a secure location to avoid being locked out of your cluster.

  3. Log in as the admin user with the token you received in the previous step:

    pachctl auth use-auth-token

  4. Set up the authentication config:

pachctl auth set-config <<EOF
{
  "live_config_version": 2,
  "id_providers": [{
    "name": "google-oauth",
    "description": "oidc-based authentication with Google OAuth 2.0",
    "oidc": {
      "issuer": "",
      "client_id": "<client-id>",
      "client_secret": "<client-secret>",
      "redirect_uri": "http://<hostname>:30657/authorization-code/callback"
    }
  }]
}
EOF

You need to replace the following placeholders with relevant values:

  • issuer - In case of Google OAuth 2.0, this will always be

  • client_id - The Pachyderm Client ID in the Google OAuth 2.0 Credentials page.

  • client_secret - The Pachyderm client secret in the Google OAuth 2.0 Credentials page.

  • redirect_uri - This parameter should match what you have added to Authorized redirect URIs in the previous section.

  5. Log in as the user you have created in the Pachyderm application or sign in with Google:

     • Run:

       pachctl auth login

       You should be redirected to a web browser. Sign in with your Google account.

       You should see the following message printed out in your browser:

       You are now logged in. Go back to the terminal to use Pachyderm!

  6. In the terminal, check that you are logged in as the Auth0 user:

    pachctl auth whoami

    Example system response:

    You are ""
    session expires: 07 Aug 20 16:27 PDT
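
A pre-flight check for the JSON passed to pachctl auth set-config, added here as an example; it is not part of the Pachyderm documentation or tooling. It assumes the OIDC fields sit in an oidc object inside each id_providers entry, and check_auth_config, registered_uris and the sample values are constructed for this illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/authorization-code/callback"  # path from the page's redirect_uri
# Constructed sample: the page's config with its placeholders still in place.
SAMPLE = """{"live_config_version": 2, "id_providers": [{"name": "google-oauth",
  "oidc": {"issuer": "", "client_id": "<client-id>", "client_secret": "<client-secret>",
  "redirect_uri": "http://<hostname>:30657/authorization-code/callback"}}]}"""


def check_auth_config(text, registered_uris):
    """Return problems found in a Pachyderm auth config passed as JSON text."""
    # Assumption: registered_uris is the caller's copy of the Authorized redirect URIs.
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    providers = config.get("id_providers") if isinstance(config, dict) else None
    if not isinstance(providers, list) or not providers:
        return ["config has no id_providers list"]
    problems = []
    for provider in providers:
        oidc = provider.get("oidc") if isinstance(provider, dict) else None
        if not isinstance(oidc, dict):
            problems.append("provider has no oidc block")
            continue
        for key in ("issuer", "client_id", "client_secret", "redirect_uri"):
            value = oidc.get(key)
            if not isinstance(value, str) or not value or "<" in value:
                problems.append(f"{key} is empty or still a placeholder")
        uri = oidc.get("redirect_uri")
        try:
            parts = urlsplit(uri if isinstance(uri, str) else "")
        except ValueError:
            problems.append("redirect_uri is not a parseable URL")
            continue
        try:
            ipaddress.ip_address(parts.hostname or "")
            problems.append("redirect_uri host is an IP address")
        except ValueError:
            pass  # not an IP literal, which is what the page requires
        if parts.path != CALLBACK_PATH:
            problems.append(f"redirect_uri path is not {CALLBACK_PATH}")
        if uri not in registered_uris:
            problems.append("redirect_uri is not among the registered URIs")
    return problems

if __name__ == "__main__":
    print("\n".join(check_auth_config(SAMPLE, registered_uris=[])))
```

Run it on the JSON body before piping that body to pachctl auth set-config; an empty list means none of these checks failed.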

Last update: August 31, 2021