GitHub auth method
The github
auth method can be used to authenticate with Vault using a GitHub
personal access token. This method of authentication is most useful for humans:
operators or developers using Vault directly via the CLI.
IMPORTANT NOTE: Vault does not support an OAuth workflow to generate GitHub tokens, so does not act as a GitHub application. As a result, this method uses personal access tokens. If the risks below are unacceptable to you, consider using a different authentication method.
Any valid GitHub access token with the read:org
scope for any user belonging
to the Vault-configured organization can be used for authentication. If such a
token is stolen from a third party service, and the attacker is able to make
network calls to Vault, they will be able to log in as the user that generated
the access token.
Authentication
Via the CLI
The default path is /github
. If this auth method was enabled at a different
path, specify -path=/my-path
in the CLI.
Via the API
The default endpoint is auth/github/login
. If this auth method was enabled
at a different path, use that value instead of github
.
The response will contain a token at auth.client_token
:
Configuration
Auth methods must be configured in advance before users or machines can authenticate. These steps are usually completed by an operator or configuration management tool.
Enable the GitHub auth method:
Use the
/config
endpoint to configure Vault to talk to GitHub.For the complete list of configuration options, please see the API documentation.
Map the users/teams of that GitHub organization to policies in Vault. Team names must be "slugified":
In this example, when members of the team "dev" in the organization "hashicorp" authenticate to Vault using a GitHub personal access token, they will be given a token with the "dev-policy" policy attached.
You can also create mappings for a specific user
map/users/<user>
endpoint:In this example, a user with the GitHub username
sethvargo
will be assigned thesethvargo-policy
policy in addition to any team policies.
API
The GitHub auth method has a full HTTP API. Please see the GitHub Auth API for more details.