How to configure Argo login using Google or Jumpcloud
July 09, 2026 — LiveStream
Disclosure: some links above are affiliate links — if you buy through them I may earn a small commission at no extra cost to you. Thanks for supporting the channel!
Securing your GitOps workflows is paramount in today's cloud-native landscape, and that often begins with how users log into your core tools. This deep dive will walk you through configuring Argo CD to leverage enterprise-grade authentication using either Google's OAuth 2.0 or JumpCloud's SAML 2.0, ensuring a streamlined and secure login experience for your team.
As a DevOps engineer, you know how crucial it is to have robust, yet user-friendly, authentication for your critical tools. Argo CD, our go-to GitOps continuous delivery tool, is no exception. Gone are the days of managing local user accounts for every developer. Integrating with a centralized Identity Provider (IdP) like Google or JumpCloud not only enhances security but also simplifies user management considerably. Let's grab some chai and unravel the mysteries of integrating these IdPs with Argo CD, step by step, just like we'd discuss a deployment strategy.
Before we dive into the nitty-gritty configuration, let's briefly touch upon why this even matters. Using external authentication providers like Google or JumpCloud for Argo CD login offers several compelling advantages:
In essence, it’s about making your life easier while making your systems more secure. A win-win, if you ask me!
Before we start tinkering with authentication settings, let's ensure your Argo CD instance is up and running. The instructions here assume you have a Kubernetes cluster (be it AKS, EKS, GKE, or a self-managed one) and Argo CD already deployed. If not, don't worry, the setup is quite straightforward.
Typically, you'd start by creating a dedicated namespace for Argo CD:
kubectl create namespace argocd
Once the namespace is ready, you can deploy Argo CD using its official manifest. This command fetches the latest stable version and deploys all necessary components into your `argocd` namespace:
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
This command creates various Kubernetes resources like Deployments, Services, ConfigMaps, and Custom Resource Definitions (CRDs) for Argo CD. After a few moments, all pods should be running, and you'll have a fully functional Argo CD instance. You can verify the deployment by checking the pods:
kubectl get pods -n argocd
For initial access, you'd typically port-forward the Argo CD UI service and retrieve the default admin password. But since we're setting up external auth, let's fast-forward to the good stuff!
The core of Argo CD's configuration for external authentication lies within its `argocd-cm` ConfigMap (for general settings) and `argocd-secret` Secret (for sensitive data like client secrets). We'll be modifying these resources to enable Google OAuth and JumpCloud SAML.
Let's kick things off with Google. If your organization uses Google Workspace, this is probably the most natural choice. Google uses the OAuth 2.0 protocol for authentication, which is widely adopted and relatively simple to configure. Think of it as granting permission for Argo CD to say, "Hey Google, is this user legit?" and Google replying, "Haan, boss, they are!"
This is where you'll tell Google about your Argo CD instance. Open up your browser and head over to the Google Developer Console. You'll need an active Google Cloud Platform (GCP) project. If you don't have one, create a new project – it's free to create projects, and you only pay for resources you consume, which for this setup is practically nil.
https://your-argo-domain.com/api/v1/auth/callback.
You can also add an "Authorized JavaScript origins" if needed for more complex scenarios, but for basic Argo CD login, the redirect URI is sufficient.
Chalo, that's half the battle won. You've prepared Google to talk to Argo CD.
Now that you have your Client ID and Client Secret, it's time to tell Argo CD how to use them. This involves editing the `argocd-cm` ConfigMap and `argocd-secret` Secret in your Kubernetes cluster.
Open the `argocd-cm` ConfigMap for editing:
kubectl edit configmap argocd-cm -n argocd
Locate the `data:` section and add the `url` of your Argo CD instance and the `oidc.config` section for Google. Replace `argocd.mycompany.com` with your actual domain and `YOUR_CLIENT_ID` with the ID you got from Google.
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
url: https://argocd.mycompany.com # IMPORTANT: This must match your Argo CD's public URL
oidc.config: |
name: Google
issuer: https://accounts.google.com
clientID: YOUR_CLIENT_ID
clientSecret: $argocd.oidc.google.clientSecret # Reference to the Kubernetes Secret
requestedScopes: ["openid", "profile", "email"]
# For more advanced scenarios, like limiting access to specific Google Groups:
# See the 'groups' claim below, requires configuring Google Cloud Identity/Workspace
# rootCACert: | # If you need a custom CA certificate for Google (rare)
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# For roles based on Google Groups:
# groupsClaim: hd # For Hosted Domain (Google Workspace)
# groupsClaim: groups # Requires specific Google API scope for groups, more complex
A little note on `requestedScopes`: `openid` is fundamental for OIDC, `profile` provides basic user profile info, and `email` fetches the user's email address. These are generally sufficient.
The `clientSecret` is sensitive, so we store it in a Kubernetes Secret. If you don't already have an `argocd-secret`, you might need to create it. More often, you'll edit an existing one. Remember, secrets are base64 encoded.
First, base64 encode your Google Client Secret:
echo -n "YOUR_GOOGLE_CLIENT_SECRET" | base64
Then, edit the `argocd-secret`:
kubectl edit secret argocd-secret -n argocd
Add the encoded client secret under the `data:` section:
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
type: Opaque
data:
oidc.google.clientSecret: <YOUR_BASE64_ENCODED_GOOGLE_CLIENT_SECRET>
# ... other secrets might be here ...
The key `oidc.google.clientSecret` here directly corresponds to the `$argocd.oidc.google.clientSecret` reference we used in the `argocd-cm` ConfigMap. This is how Argo CD securely fetches the secret without hardcoding it.
By default, newly authenticated users from Google won't have any specific roles in Argo CD. You'll want to map them to roles like `read-only`, `admin`, or custom roles. This is done in the `argocd-rbac-cm` ConfigMap.
kubectl edit configmap argocd-rbac-cm -n argocd
You can map users by their email or Google groups (if `groupsClaim` is configured). For example, to give admin access to a specific email:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
policy.csv: |
g, your.email@yourdomain.com, role:admin
# p, role:admin, applications, *, *, allow
# p, role:admin, clusters, get, *, allow
# p, role:admin, projects, get, *, allow
# ... more policies ...
policy.default: role:readonly # What role unassigned users get
If you've configured `groupsClaim` (e.g., `hd` for Hosted Domain or `groups` for specific Google groups), you can map groups:
g, your-google-group-name, role:admin
Remember to check Argo CD's documentation for the most accurate and flexible RBAC policies. This is a topic that merits its own blog post!
Related: Implementing Robust RBAC in Kubernetes: A Deep Dive
Once you save these ConfigMaps and Secret, Argo CD's pods might restart to pick up the changes, or you might need to manually restart them for changes to take effect immediately.
Now, let's switch gears to JumpCloud. If your organization relies on JumpCloud for directory services and SSO across various applications, integrating it with Argo CD via SAML 2.0 is the way to go. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). Here, JumpCloud is the IdP, and Argo CD is the SP.
This part happens within your JumpCloud Administrator Console. You'll essentially be creating a new custom SAML application for Argo CD.
Note: If JumpCloud provides a metadata URL, that's your best bet. If not, you'll manually input the Issuer, SSO URL, and Certificate.
Okay, the JumpCloud side is ready. Ab, let's integrate it with Argo CD.
Similar to Google OAuth, we'll configure Argo CD using the `argocd-cm` ConfigMap and potentially the `argocd-secret` Secret.
Open the `argocd-cm` ConfigMap for editing:
kubectl edit configmap argocd-cm -n argocd
Locate the `data:` section and add the `url` of your Argo CD instance and the `oidc.config` section for SAML. Yes, it's still under `oidc.config` in Argo CD, as it's the general external SSO configuration.
Option A: Using IdP Metadata URL (Preferred)
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
url: https://argocd.mycompany.com # IMPORTANT: This must match your Argo CD's public URL
oidc.config: |
name: JumpCloud
issuer: https://sso.jumpcloud.com/saml2/<JumpCloud-IdP-Entity-ID> # Your IdP Entity ID from JumpCloud
# OR: If JumpCloud provides a metadata URL, use this instead of manual config
# idpMetadataURL: https://sso.jumpcloud.com/saml2/<JumpCloud-IdP-Entity-ID>/saml2/metadata
# If using idpMetadataURL, Argo CD will fetch everything else automatically.
# Otherwise, continue with manual configuration below:
ssoURL: https://sso.jumpcloud.com/saml2/<JumpCloud-IdP-Entity-ID> # Your IdP SSO URL from JumpCloud
# The certificate should be base64 encoded and stored in argocd-secret,
# or provided directly here if it's a short value and not super sensitive (less recommended).
# If providing directly:
# rootCACert: |
# -----BEGIN CERTIFICATE-----
# MII...
# -----END CERTIFICATE-----
# If providing via secret (recommended):
rootCACert: $argocd.oidc.jumpcloud.rootCACert # Reference to the Kubernetes Secret
# Other settings like `requestedScopes` are typically not applicable for SAML as attributes are mapped directly.
# For user mapping in Argo CD, we often use the email attribute from SAML assertion.
groupsClaim: email # Or a custom attribute name if JumpCloud sends group info differently
Option B: Manual Configuration (If no Metadata URL)
If JumpCloud only gives you the Issuer, SSO URL, and Certificate, you'll input them manually as shown above without the `idpMetadataURL` field. You'll need to paste the raw certificate content (including `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`) either directly into `rootCACert` (less secure if ConfigMap is easily accessible) or refer to a Kubernetes Secret as shown below.
If you're using the `$argocd.oidc.jumpcloud.rootCACert` reference, you'll need to base64 encode your JumpCloud IdP certificate and add it to `argocd-secret`:
First, base64 encode your certificate. Ensure you include the `BEGIN` and `END` lines.
echo -n "YOUR_JUMPCLOUD_CERTIFICATE_CONTENT" | base64
Then, edit the `argocd-secret`:
kubectl edit secret argocd-secret -n argocd
Add the encoded certificate under the `data:` section:
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
type: Opaque
data:
oidc.jumpcloud.rootCACert: <YOUR_BASE64_ENCODED_JUMPCLOUD_CERTIFICATE>
# ... other secrets might be here ...
Similar to Google, you'll use `argocd-rbac-cm` to map authenticated users to Argo CD roles. For SAML, you'll typically use the `email` attribute that JumpCloud sends in the SAML assertion as the user identifier.
kubectl edit configmap argocd-rbac-cm -n argocd
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
policy.csv: |
g, user.from.jumpcloud@yourdomain.com, role:admin
# If JumpCloud sends group info (e.g., in a 'groups' attribute):
# g, jumpcloud-group-name, role:admin
policy.default: role:readonly
The `g` prefix signifies a group or user. For individual users, you map their `NameID` (which is typically their email) from the SAML assertion.
Save your changes. Argo CD should now be configured to use JumpCloud SAML for authentication. The Argo CD UI will show a "LOGIN VIA JUMPCLOUD" button.
Configuration done, boss! Ab, time to test if it actually works. Remember, "trust but verify" is the mantra in DevOps.
Yeh sab straight forward nahi hota hai, kuch issues toh aate hi hain. Here are some common problems and how to debug them:
kubectl logs -f <argocd-server-pod-name> -n argocd
Look for errors related to OIDC, SAML, or authentication. You might see messages about invalid issuer, signature verification failures, or incorrect claims.
Just like we discuss security post-deployment, a few best practices for auth:
Further Reading: Best Practices for Kubernetes Secrets Management
OAuth 2.0 is primarily an authorization framework that enables third-party applications (like Argo CD) to obtain limited access to a user's resources (e.g., profile info from Google) without exposing their credentials. SAML 2.0, on the other hand, is an XML-based standard specifically designed for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP), typically for Single Sign-On (SSO) purposes in enterprise environments. While both facilitate SSO, SAML is more verbose and often preferred for formal enterprise identity federation, whereas OAuth is more flexible for delegated authorization and widely used by consumer applications.
Argo CD supports multiple OIDC/SAML providers concurrently. You can configure both Google and JumpCloud (or any other supported IdP) in your `argocd-cm` ConfigMap. Users will then see multiple login options on the Argo CD UI, allowing them to choose their preferred authentication method. This is great for organizations with diverse user bases or during migration periods.
User roles and permissions are managed through Argo CD's RBAC (Role-Based Access Control) system, which is configured in the `argocd-rbac-cm` ConfigMap. After authentication by the external IdP (Google or JumpCloud), Argo CD receives user identity information (like email or group memberships). You then define policies in `argocd-rbac-cm` that map these external identities to internal Argo CD roles (e.g., `role:admin`, `role:readonly`) and permissions.
If your Argo CD is not publicly accessible, the external IdP (Google or JumpCloud) will not be able to redirect users back to the `callback` URL. In such scenarios, you typically need to either: 1) Expose Argo CD to the internet via an Ingress Controller and a public domain, ensuring it's properly secured. 2) Use a VPN or reverse proxy setup that can bridge the private network access to the IdP's redirection process. The `callback` URL must be reachable by the user's browser, which in turn needs to reach your Argo CD instance. Make sure your network configuration allows for this flow.
Toh, that's the full lowdown on setting up Argo CD login with Google or JumpCloud. Implementing these centralized authentication methods might seem like a bit of a setup initially, but the long-term benefits in terms of security, user experience, and reduced operational overhead are immense. If you found this useful, don't forget to watch the original video on @explorenystream for a visual walkthrough and subscribe for more such in-depth DevOps content!