open-vault/website/source/docs/auth/github.html.md

---
layout: "docs"
page_title: "Auth Backend: GitHub"
sidebar_current: "docs-auth-github"
description: |-
  The GitHub auth backend allows authentication with Vault using GitHub.
---

# Auth Backend: GitHub

Name: `github`

The GitHub auth backend can be used to authenticate with Vault using a GitHub
personal access token. This method of authentication is most useful for humans:
operators or developers using Vault directly via the CLI.

## Authentication

#### Via the CLI

```
$ vault auth -method=github token=<api token>
...
```

#### Via the API

The endpoint for the GitHub login is `auth/github/login`. 

The `github` mountpoint value in the url is the default mountpoint value.
If you have mounted the `github` backend with a different mountpoint, use that value.

The `token` should be sent in the POST body encoded as JSON.

```shell
$ curl $VAULT_ADDR/v1/auth/github/login \
    -d '{ "token": "your_github_personal_access_token" }'
```

The response will be in JSON. For example:

```javascript
{
  "auth": {
    "renewable": true,
    "lease_duration": 2764800,
    "metadata": {
      "username": "vishalnayak",
      "org": "hashicorp"
    },
    "policies": [
      "default",
      "dev-policy"
    ],
    "accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",
    "client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"
  },
  "warnings": null,
  "wrap_info": null,
  "data": null,
  "lease_duration": 0,
  "renewable": false,
  "lease_id": "",
  "request_id": "3c346f3b-e089-39ab-a953-a349f2284e3c"
}
```

## Configuration

First, you must enable the GitHub auth backend:

```
$ vault auth-enable github
Successfully enabled 'github' at 'github'!
```

Now when you run `vault auth -methods`, the GitHub backend is available:

```
Path       Type      Description
github/    github
token/     token     token based credentials
```

Prior to using the GitHub auth backend, it must be configured. To
configure it, use the `/config` endpoint with the following arguments:

  * `organization` (string, required) - The organization name a user must
     be a part of to authenticate.
  * `base_url` (string, optional) - For GitHub Enterprise or other API-compatible
     servers, the base URL to access the server.
  * `max_ttl` (string, optional) - Maximum duration after which authentication will be expired.
     This must be a string in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)
  * `ttl` (string, optional) - Duration after which authentication will be expired.
     This must be a string in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)

###Generate a GitHub Personal Access Token
Access your Personal Access Tokens in GitHub at [https://github.com/settings/tokens](https://github.com/settings/tokens).
Generate a new Token that has the scope `read:org`. Save the generated token. This is what you will provide to vault.

For example:

```
$ vault write auth/github/config organization=hashicorp
Success! Data written to: auth/github/config
```

After configuring that, you must map the teams of that organization to
policies within Vault. Use the `map/teams/<team>` endpoints to do that.
Team names must be slugified, so if your team name is: `Some Amazing Team`, 
you will need to include it as: `some-amazing-team`. 
Example:

```
$ vault write auth/github/map/teams/dev value=dev-policy
Success! Data written to: auth/github/map/teams/dev
```

The above would make anyone in the `dev` team receive tokens with the policy
`dev-policy`.

You can then auth with a user that is a member of the `dev` team using a
Personal Access Token with the `read:org` scope.

GitHub token can also be supplied from the env variable `VAULT_AUTH_GITHUB_TOKEN`.

```
$ vault auth -method=github token=000000905b381e723b3d6a7d52f148a5d43c4b45
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: 0d9ab511-bc25-4fb6-a58b-94ce12b8da9c
token_duration: 2764800
token_policies: [default dev-policy]
```

Clients can use this token to perform an allowed set of operations on all the
paths contained by the policy set.
website: more auth 2015-04-18 20:45:50 +00:00			`---`
			`layout: "docs"`
			`page_title: "Auth Backend: GitHub"`
			`sidebar_current: "docs-auth-github"`
			`description: \|-`
			`The GitHub auth backend allows authentication with Vault using GitHub.`
			`---`

			`# Auth Backend: GitHub`

			Name: `github`

Update github login output in the docs 2016-10-15 02:39:56 +00:00			`The GitHub auth backend can be used to authenticate with Vault using a GitHub`
			`personal access token. This method of authentication is most useful for humans:`
			`operators or developers using Vault directly via the CLI.`
website: more auth 2015-04-18 20:45:50 +00:00
			`## Authentication`

			`#### Via the CLI`

			```
			`$ vault auth -method=github token=<api token>`
			`...`
			```

			`#### Via the API`

fixed login link,request params,add json response 1. fix login link 2. added personal access token to request message 3. added a sample json response 2016-01-23 01:38:32 +00:00			The endpoint for the GitHub login is `auth/github/login`.

Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token 2016-06-09 17:38:46 +00:00			The `github` mountpoint value in the url is the default mountpoint value.
			If you have mounted the `github` backend with a different mountpoint, use that value.
clarify default mountpoint 2016-01-23 19:02:00 +00:00
fixed login link,request params,add json response 1. fix login link 2. added personal access token to request message 3. added a sample json response 2016-01-23 01:38:32 +00:00			The `token` should be sent in the POST body encoded as JSON.

			```shell
			`$ curl $VAULT_ADDR/v1/auth/github/login \`
			`-d '{ "token": "your_github_personal_access_token" }'`
			```

			`The response will be in JSON. For example:`

			```javascript
			`{`
			`"auth": {`
Update github login output in the docs 2016-10-15 02:39:56 +00:00			`"renewable": true,`
			`"lease_duration": 2764800,`
fixed login link,request params,add json response 1. fix login link 2. added personal access token to request message 3. added a sample json response 2016-01-23 01:38:32 +00:00			`"metadata": {`
Update github login output in the docs 2016-10-15 02:39:56 +00:00			`"username": "vishalnayak",`
			`"org": "hashicorp"`
fixed login link,request params,add json response 1. fix login link 2. added personal access token to request message 3. added a sample json response 2016-01-23 01:38:32 +00:00			`},`
Update github login output in the docs 2016-10-15 02:39:56 +00:00			`"policies": [`
			`"default",`
			`"dev-policy"`
			`],`
			`"accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",`
			`"client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"`
			`},`
			`"warnings": null,`
			`"wrap_info": null,`
			`"data": null,`
			`"lease_duration": 0,`
			`"renewable": false,`
			`"lease_id": "",`
			`"request_id": "3c346f3b-e089-39ab-a953-a349f2284e3c"`
fixed login link,request params,add json response 1. fix login link 2. added personal access token to request message 3. added a sample json response 2016-01-23 01:38:32 +00:00			`}`
			```
website: more auth 2015-04-18 20:45:50 +00:00
			`## Configuration`

Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00			`First, you must enable the GitHub auth backend:`

			```
			`$ vault auth-enable github`
			`Successfully enabled 'github' at 'github'!`
			```

			Now when you run `vault auth -methods`, the GitHub backend is available:

			```
			`Path Type Description`
			`github/ github`
			`token/ token token based credentials`
			```

website: more auth 2015-04-18 20:45:50 +00:00			`Prior to using the GitHub auth backend, it must be configured. To`
Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00			configure it, use the `/config` endpoint with the following arguments:
website: more auth 2015-04-18 20:45:50 +00:00
			* `organization` (string, required) - The organization name a user must
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`be a part of to authenticate.`
add GitHub Enterprise base_url to docs In https://github.com/hashicorp/vault/issues/716 @jefferai confirmed that the GitHub Auth Backend supports GitHub enterprise using an undocumented ``base_url`` parameter. This adds that parameter to the relevant documentation page. 2015-10-23 13:18:07 +00:00			* `base_url` (string, optional) - For GitHub Enterprise or other API-compatible
			`servers, the base URL to access the server.`
add documentation for GitHub Auth Backend 'ttl' and 'max_ttl' parameters 2015-10-23 13:30:48 +00:00			* `max_ttl` (string, optional) - Maximum duration after which authentication will be expired.
			`This must be a string in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)`
			* `ttl` (string, optional) - Duration after which authentication will be expired.
			`This must be a string in a format parsable by Go's [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)`
website: more auth 2015-04-18 20:45:50 +00:00
Added details in the github auth docs for the website. These details clarify end-to-end use of the github auth backend. Specifically: noting how to create a usable GitHub PAT and an example of how to auth with the PAT. 2015-05-14 20:20:58 +00:00			`###Generate a GitHub Personal Access Token`
			`Access your Personal Access Tokens in GitHub at [https://github.com/settings/tokens](https://github.com/settings/tokens).`
			Generate a new Token that has the scope `read:org`. Save the generated token. This is what you will provide to vault.

Add instructions for enabling the auth first 2015-05-07 17:41:23 +00:00			`For example:`

			```
			`$ vault write auth/github/config organization=hashicorp`
			`Success! Data written to: auth/github/config`
			```

website: more auth 2015-04-18 20:45:50 +00:00			`After configuring that, you must map the teams of that organization to`
			policies within Vault. Use the `map/teams/<team>` endpoints to do that.
Update github doc with note about slugifying team 2016-04-10 15:11:40 +00:00			Team names must be slugified, so if your team name is: `Some Amazing Team`,
			you will need to include it as: `some-amazing-team`.
website: more auth 2015-04-18 20:45:50 +00:00			`Example:`

			```
Update github login output in the docs 2016-10-15 02:39:56 +00:00			`$ vault write auth/github/map/teams/dev value=dev-policy`
			`Success! Data written to: auth/github/map/teams/dev`
website: more auth 2015-04-18 20:45:50 +00:00			```

Update github login output in the docs 2016-10-15 02:39:56 +00:00			The above would make anyone in the `dev` team receive tokens with the policy
			`dev-policy`.
Added details in the github auth docs for the website. These details clarify end-to-end use of the github auth backend. Specifically: noting how to create a usable GitHub PAT and an example of how to auth with the PAT. 2015-05-14 20:20:58 +00:00
Update github login output in the docs 2016-10-15 02:39:56 +00:00			You can then auth with a user that is a member of the `dev` team using a
			Personal Access Token with the `read:org` scope.
Added details in the github auth docs for the website. These details clarify end-to-end use of the github auth backend. Specifically: noting how to create a usable GitHub PAT and an example of how to auth with the PAT. 2015-05-14 20:20:58 +00:00
s/VAULT_GITHUB_AUTH_TOKEN/VAULT_AUTH_GITHUB_TOKEN 2016-06-09 18:00:56 +00:00			GitHub token can also be supplied from the env variable `VAULT_AUTH_GITHUB_TOKEN`.
Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token 2016-06-09 17:38:46 +00:00
Added details in the github auth docs for the website. These details clarify end-to-end use of the github auth backend. Specifically: noting how to create a usable GitHub PAT and an example of how to auth with the PAT. 2015-05-14 20:20:58 +00:00			```
			`$ vault auth -method=github token=000000905b381e723b3d6a7d52f148a5d43c4b45`
Update github login output in the docs 2016-10-15 02:39:56 +00:00			`Successfully authenticated! You are now logged in.`
			`The token below is already saved in the session. You do not`
			`need to "vault auth" again with the token.`
			`token: 0d9ab511-bc25-4fb6-a58b-94ce12b8da9c`
			`token_duration: 2764800`
			`token_policies: [default dev-policy]`
Added details in the github auth docs for the website. These details clarify end-to-end use of the github auth backend. Specifically: noting how to create a usable GitHub PAT and an example of how to auth with the PAT. 2015-05-14 20:20:58 +00:00			```

Update github login output in the docs 2016-10-15 02:39:56 +00:00			`Clients can use this token to perform an allowed set of operations on all the`
			`paths contained by the policy set.`