Vault GitHub Authentication Configuration

Details

Interact with vault's GitHub authentication backend. For more details, please see the vault documentation at https://developer.hashicorp.com/vault/docs/auth/github

Super class

vaultr::vault_client_object -> vault_client_auth_github

Methods


Method new()

Create a vault_client_auth_github object. Not typically called by users.

Usage

vault_client_auth_github$new(api_client, mount)

Arguments

api_client

A vault_api_client object

mount

Mount point for the backend


Method custom_mount()

Set up a vault_client_auth_github object at a custom mount. For example, if you mounted the github authentication backend at /github-myorg, you might use gh <- vault$auth$github$custom_mount("/github-myorg"). This pattern is repeated for other secret and authentication backends.

Usage

vault_client_auth_github$custom_mount(mount)

Arguments

mount

String, indicating the path that the engine is mounted at.


Method configure()

Configures the connection parameters for GitHub-based authentication.

Usage

vault_client_auth_github$configure(
  organization,
  base_url = NULL,
  ttl = NULL,
  max_ttl = NULL
)

Arguments

organization

The organization users must be part of (note American spelling).

base_url

The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.

ttl

Duration after which the authentication expires.

max_ttl

Maximum duration after which the authentication expires.


Method configuration()

Reads the connection parameters for GitHub-based authentication.

Usage

vault_client_auth_github$configuration()


Method write()

Write a mapping between a GitHub team or user and a set of vault policies.

Usage

vault_client_auth_github$write(team_name, policies, user = FALSE)

Arguments

team_name

String, with the GitHub team name

policies

A character vector of vault policies granted for vault access to anyone who matches this team or user.

user

Scalar logical - if TRUE, then team_name is interpreted as a user instead.


Method read()

Read the mapping between a GitHub team or user and a set of vault policies.

Usage

vault_client_auth_github$read(team_name, user = FALSE)

Arguments

team_name

String, with the GitHub team name

user

Scalar logical - if TRUE, then team_name is interpreted as a user instead.


Method login()

Log into the vault using GitHub authentication. Normally you would not call this directly but instead use $login with method = "github" and provide the token argument. This function returns a vault token but does not set it as the client token.

Usage

vault_client_auth_github$login(token = NULL)

Arguments

token

A GitHub token to authenticate with.

Examples

server <- vaultr::vault_test_server(if_disabled = message)
#> ...waiting for Vault to start
#> ...waiting for Vault to start
token <- Sys.getenv("VAULT_TEST_AUTH_GITHUB_TOKEN")
if (!is.null(server) && nzchar(token)) {
  client <- server$client()

  client$auth$enable("github")
  # To enable login for members of the organisation "example":
  client$auth$github$configure(organization = "example")
  # To map members of the "development" team *within* that organisation
  # to the "default" policy:
  client$auth$github$write("development", "default")

  # Once configured like this, if we have a PAT for a member of
  # the "development" team saved as an environment variable
  # "VAULT_AUTH_GITHUB_TOKEN" then doing
  #
  #   vaultr::vault_client(addr = ..., login = "github")
  #
  # will contact GitHub to verify the user token and vault will
  # then issue a client token

  # cleanup
  server$kill()
}
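
The following is an added example, not part of the vaultr documentation. It bounds the lifetime of issued tokens with ttl and max_ttl, adds a per-user mapping, and reads the configuration and mappings back for review. The organization, team, user and policy names are constructed placeholders, and the "1h"/"4h" duration strings are an assumption about the format Vault accepts.

```r
# Added example (not vaultr's own code). "example", "development", "alice"
# and "ci-read" are constructed placeholder names.
server <- vaultr::vault_test_server(if_disabled = message)
token <- Sys.getenv("VAULT_TEST_AUTH_GITHUB_TOKEN")
if (!is.null(server) && nzchar(token)) {
  client <- server$client()
  client$auth$enable("github")
  gh <- client$auth$github

  # Restrict login to one organization and bound token lifetime.
  # Assumption: durations are given as Vault duration strings.
  gh$configure(organization = "example", ttl = "1h", max_ttl = "4h")

  # Read the settings back instead of trusting the write; this is the
  # place to catch a wrong organization or a missing TTL.
  str(gh$configuration())

  # Team mapping: members of "development" receive only "default".
  gh$write("development", "default")

  # Per-user mapping: user = TRUE makes the first argument a GitHub
  # user name. "ci-read" is a hypothetical policy that must exist
  # in vault for the mapping to grant anything.
  gh$write("alice", c("default", "ci-read"), user = TRUE)

  # Review what each mapping grants before handing out access.
  str(gh$read("development"))
  str(gh$read("alice", user = TRUE))

  # $login() returns a vault token but leaves the client's own token
  # unchanged, so the privileged session used for setup stays in place.
  issued <- gh$login(token = token)

  # cleanup
  server$kill()
}
```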