2015-04-18 20:45:50 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
page_title: GitHub - Auth Methods
|
|
|
|
description: The GitHub auth method allows authentication with Vault using GitHub.
|
2015-04-18 20:45:50 +00:00
|
|
|
---
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
# GitHub Auth Method
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The `github` auth method can be used to authenticate with Vault using a GitHub
|
2016-10-15 02:39:56 +00:00
|
|
|
personal access token. This method of authentication is most useful for humans:
|
|
|
|
operators or developers using Vault directly via the CLI.
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
~> **IMPORTANT NOTE:** Vault does not support an OAuth workflow to generate
|
|
|
|
GitHub tokens, so does not act as a GitHub application. As a result, this method
|
2022-01-05 17:23:55 +00:00
|
|
|
uses personal access tokens. If the risks below are unacceptable to you, consider
|
|
|
|
using a different authentication method.
|
|
|
|
|
|
|
|
~> Any valid GitHub access token with the `read:org` scope for any user belonging
|
|
|
|
to the Vault-configured organization can be used for authentication. If such a
|
2017-09-13 01:48:52 +00:00
|
|
|
token is stolen from a third party service, and the attacker is able to make
|
2017-08-11 21:03:18 +00:00
|
|
|
network calls to Vault, they will be able to log in as the user that generated
|
2022-01-05 17:23:55 +00:00
|
|
|
the access token.
|
2017-08-08 14:25:48 +00:00
|
|
|
|
2015-04-18 20:45:50 +00:00
|
|
|
## Authentication
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
### Via the CLI
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The default path is `/github`. If this auth method was enabled at a different
|
|
|
|
path, specify `-path=/my-path` in the CLI.
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2017-09-13 01:48:52 +00:00
|
|
|
$ vault login -method=github token="MY_TOKEN"
|
|
|
|
```
|
2016-01-23 01:38:32 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
### Via the API
|
2016-01-23 19:02:00 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The default endpoint is `auth/github/login`. If this auth method was enabled
|
|
|
|
at a different path, use that value instead of `github`.
|
2016-01-23 01:38:32 +00:00
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
```shell-session
|
2017-09-13 01:48:52 +00:00
|
|
|
$ curl \
|
|
|
|
--request POST \
|
|
|
|
--data '{"token": "MY_TOKEN"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/github/login
|
2016-01-23 01:38:32 +00:00
|
|
|
```
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The response will contain a token at `auth.client_token`:
|
2016-01-23 01:38:32 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
```json
|
2016-01-23 01:38:32 +00:00
|
|
|
{
|
|
|
|
"auth": {
|
2016-10-15 02:39:56 +00:00
|
|
|
"renewable": true,
|
|
|
|
"lease_duration": 2764800,
|
2016-01-23 01:38:32 +00:00
|
|
|
"metadata": {
|
2017-09-13 01:48:52 +00:00
|
|
|
"username": "my-user",
|
|
|
|
"org": "my-org"
|
2016-01-23 01:38:32 +00:00
|
|
|
},
|
2020-01-18 00:18:09 +00:00
|
|
|
"policies": ["default", "dev-policy"],
|
2016-10-15 02:39:56 +00:00
|
|
|
"accessor": "f93c4b2d-18b6-2b50-7a32-0fecf88237b8",
|
|
|
|
"client_token": "1977fceb-3bfa-6c71-4d1f-b64af98ac018"
|
2017-09-13 01:48:52 +00:00
|
|
|
}
|
2016-01-23 01:38:32 +00:00
|
|
|
}
|
|
|
|
```
|
2015-04-18 20:45:50 +00:00
|
|
|
|
|
|
|
## Configuration
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
Auth methods must be configured in advance before users or machines can
|
|
|
|
authenticate. These steps are usually completed by an operator or configuration
|
|
|
|
management tool.
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Enable the GitHub auth method:
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
```text
|
|
|
|
$ vault auth enable github
|
|
|
|
```
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2018-03-22 13:29:59 +00:00
|
|
|
1. Use the `/config` endpoint to configure Vault to talk to GitHub.
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
```text
|
|
|
|
$ vault write auth/github/config organization=hashicorp
|
|
|
|
```
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
For the complete list of configuration options, please see the API
|
|
|
|
documentation.
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Map the users/teams of that GitHub organization to policies in Vault. Team
|
|
|
|
names must be "slugified":
|
2015-05-14 20:20:58 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
```text
|
|
|
|
$ vault write auth/github/map/teams/dev value=dev-policy
|
|
|
|
```
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
In this example, when members of the team "dev" in the organization
|
|
|
|
"hashicorp" authenticate to Vault using a GitHub personal access token, they
|
|
|
|
will be given a token with the "dev-policy" policy attached.
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
***
|
2015-04-18 20:45:50 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
You can also create mappings for a specific user `map/users/<user>`
|
|
|
|
endpoint:
|
2015-05-14 20:20:58 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
```text
|
|
|
|
$ vault write auth/github/map/users/sethvargo value=sethvargo-policy
|
|
|
|
```
|
2015-05-14 20:20:58 +00:00
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
In this example, a user with the GitHub username `sethvargo` will be
|
|
|
|
assigned the `sethvargo-policy` policy **in addition to** any team policies.
|
2017-08-09 15:22:19 +00:00
|
|
|
|
|
|
|
## API
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The GitHub auth method has a full HTTP API. Please see the
|
2023-01-26 00:12:15 +00:00
|
|
|
[GitHub Auth API](/vault/api-docs/auth/github) for more
|
2017-08-11 21:03:18 +00:00
|
|
|
details.
|