2015-04-18 20:45:50 +00:00
---
layout: "docs"
page_title: "Auth Backend: GitHub"
sidebar_current: "docs-auth-github"
description: |-
The GitHub auth backend allows authentication with Vault using GitHub.
---
# Auth Backend: GitHub
Name: `github`
The GitHub auth backend can be used to authenticate with Vault using
a GitHub personal access token.
This method of authentication is most useful for humans: operators or
developers using Vault directly via the CLI.
## Authentication
#### Via the CLI
```
$ vault auth -method=github token=< api token >
...
```
#### Via the API
2016-01-23 01:38:32 +00:00
The endpoint for the GitHub login is `auth/github/login` .
2016-01-23 19:02:00 +00:00
The `github` mountpoint value in the url is the default mountpoint value. If you have mounted the `github` backend with a different mountpoint, use that value.
2016-01-23 01:38:32 +00:00
The `token` should be sent in the POST body encoded as JSON.
```shell
$ curl $VAULT_ADDR/v1/auth/github/login \
-d '{ "token": "your_github_personal_access_token" }'
```
The response will be in JSON. For example:
```javascript
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"warnings": null,
"auth": {
"client_token": "c4f280f6-fdb2-18eb-89d3-589e2e834cdb",
"policies": [
"root"
],
"metadata": {
"org": "test_org",
"username": "rajanadar",
},
"lease_duration": 0,
"renewable": false
}
}
```
2015-04-18 20:45:50 +00:00
## Configuration
2015-05-07 17:41:23 +00:00
First, you must enable the GitHub auth backend:
```
$ vault auth-enable github
Successfully enabled 'github' at 'github'!
```
Now when you run `vault auth -methods` , the GitHub backend is available:
```
Path Type Description
github/ github
token/ token token based credentials
```
2015-04-18 20:45:50 +00:00
Prior to using the GitHub auth backend, it must be configured. To
2015-05-07 17:41:23 +00:00
configure it, use the `/config` endpoint with the following arguments:
2015-04-18 20:45:50 +00:00
* `organization` (string, required) - The organization name a user must
2015-10-12 16:10:22 +00:00
be a part of to authenticate.
2015-10-23 13:18:07 +00:00
* `base_url` (string, optional) - For GitHub Enterprise or other API-compatible
servers, the base URL to access the server.
2015-10-23 13:30:48 +00:00
* `max_ttl` (string, optional) - Maximum duration after which authentication will be expired.
This must be a string in a format parsable by Go's [time.ParseDuration ](https://golang.org/pkg/time/#ParseDuration )
* `ttl` (string, optional) - Duration after which authentication will be expired.
This must be a string in a format parsable by Go's [time.ParseDuration ](https://golang.org/pkg/time/#ParseDuration )
2015-04-18 20:45:50 +00:00
2015-05-14 20:20:58 +00:00
###Generate a GitHub Personal Access Token
Access your Personal Access Tokens in GitHub at [https://github.com/settings/tokens ](https://github.com/settings/tokens ).
Generate a new Token that has the scope `read:org` . Save the generated token. This is what you will provide to vault.
2015-05-07 17:41:23 +00:00
For example:
```
$ vault write auth/github/config organization=hashicorp
Success! Data written to: auth/github/config
```
2015-04-18 20:45:50 +00:00
After configuring that, you must map the teams of that organization to
policies within Vault. Use the `map/teams/<team>` endpoints to do that.
Example:
```
$ vault write auth/github/map/teams/owners value=root
2015-05-07 17:41:23 +00:00
Success! Data written to: auth/github/map/teams/owners
2015-04-18 20:45:50 +00:00
```
The above would make anyone in the "owners" team a root user in Vault
2015-05-18 16:37:31 +00:00
(not recommended).
2015-05-14 20:20:58 +00:00
You can then auth with a user that is a member of the "owners" team using a Personal Access Token with the `read:org` scope.
```
$ vault auth -method=github token=000000905b381e723b3d6a7d52f148a5d43c4b45
Successfully authenticated! The policies that are associated
with this token are listed below:
root
```