# GitHub authentication

Vault supports authentication methods for human operators. GitHub authentication enables a user to authenticate with Vault by providing their GitHub credentials and to receive a Vault token in return.

{% hint style="info" %}
This authentication method, as described in the exercises, requires that you have a GitHub profile, belong to a team in a GitHub organization, and have generated a GitHub access token with the `read:org` scope.
{% endhint %}

Enable the GitHub auth method.

```shell-session
$ vault auth enable github

Success! Enabled github auth method at: github/
```

The auth method is enabled and available at the path `auth/github/`.

This auth method requires that you set a GitHub organization in the configuration. A GitHub organization maintains a list of users which you are allowing to authenticate with Vault.

Set the `organization` for the `github` authentication.

```shell-session
$ vault write auth/github/config organization=enclaive

Success! Data written to: auth/github/config
```

Now all users within the `enclaive` GitHub organization are able to authenticate.

GitHub organizations can define teams. Each team may have access to different actions across all the repositories that the organization maintains. These teams may also need access to specific secrets within Vault.

Configure the mapping so that members of the GitHub `engineering` team are granted the `default` and `applications` policies.

```shell-session
$ vault write auth/github/map/teams/engineering value=default,applications

Success! Data written to: auth/github/map/teams/engineering
```

Members of the GitHub `engineering` team in the `enclaive` organization can now authenticate and are authorized with the `default` and `applications` policies.

{% hint style="info" %}
The `applications` policy is not yet defined in Vault. Vault still allows users to authenticate but produces a warning until that policy is defined.
{% endhint %}
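The mismatch described in the hint can be caught before users log in by comparing a team mapping against the policies Vault actually defines. The following is an added example, not part of the original tutorial; the function name `undefined_policies` and the sample data are constructed, and the live invocation shown in the comment assumes the mapping is returned in a field named `value`.

```shell
#!/bin/sh
# Added example: list policies that a GitHub team mapping references
# but that are not defined in Vault.

# undefined_policies MAPPED DEFINED
#   MAPPED  - comma-separated policy list, as written to
#             auth/github/map/teams/<team> (e.g. "default,applications")
#   DEFINED - newline-separated policy names, as printed by `vault policy list`
# Prints one undefined policy name per line; prints nothing if all exist.
undefined_policies() {
  mapped=$1
  defined=$2
  printf '%s\n' "$mapped" | tr ',' '\n' | while IFS= read -r policy; do
    # Drop whitespace left around names such as "default, applications".
    policy=$(printf '%s' "$policy" | tr -d '[:space:]')
    [ -n "$policy" ] || continue
    # -F: literal string, -x: whole-line match, so "app" does not match
    # "applications".
    printf '%s\n' "$defined" | grep -Fxq -- "$policy" || printf '%s\n' "$policy"
  done
}

# Constructed sample data mirroring the state at this point in the tutorial:
# the engineering team is mapped to default,applications, while only the
# built-in policies exist.
SAMPLE_MAPPED='default,applications'
SAMPLE_DEFINED='default
root'

undefined_policies "$SAMPLE_MAPPED" "$SAMPLE_DEFINED"

# Against a running server (assumption: the mapping is stored under the
# field name "value"):
#   undefined_policies \
#     "$(vault read -field=value auth/github/map/teams/engineering)" \
#     "$(vault policy list)"
```

A non-empty result means tokens issued through that team mapping carry a policy name that grants nothing until the policy is written.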

Display all the authentication methods that Vault has enabled.

```shell-session
$ vault auth list

Path       Type      Description
----       ----      -----------
github/    github    n/a
token/     token     token based credentials
```

The output displays the `github` and `token` auth methods.

Learn more about the `github` auth method using `help`.

```shell-session
$ vault auth help github

Usage: vault login -method=github [CONFIG K=V...]

  The GitHub auth method allows users to authenticate using a GitHub
  personal access token. Users can generate a personal access token from the
  settings page on their GitHub account.

  Authenticate using a GitHub token:

      $ vault login -method=github token=abcd1234

## ...
```

The output displays an example of logging in with the `github` method. This requires that the auth method be defined and that an operator provide a [GitHub personal access token](https://help.github.com/articles/creating-an-access-token-for-command-line-use/).

Because you will attempt to log in with an auth method, ensure that the `VAULT_TOKEN` environment variable is not set for this shell session: its value takes precedence over any token you obtain from Vault.

Unset the environment variable.

```shell-session
$ unset VAULT_TOKEN
```

Attempt to log in with the `github` auth method.

```shell-session
$ vault login -method=github

GitHub Personal Access Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  s.DNtKCjVQ1TxAzgMqtDuwjjC2
token_accessor         e7zLJuPg2tLpav66ZSu5AyDC
token_duration         768h
token_renewable        true
token_policies         [default applications]
token_meta_org         enclaive
token_meta_username    my-user
```

When the [GitHub personal access token](https://help.github.com/articles/creating-an-access-token-for-command-line-use/) is not provided to the command, the Vault CLI prompts the operator for it. If a valid GitHub personal access token is provided, the operator is logged in and the output displays a Vault token. The operator can use the Vault token until it is revoked or its lifetime exceeds the `token_duration`.

Log back in with the root token.

```shell-session
$ vault login root
```

Revoke all tokens generated by the `github` auth method.

```shell-session
$ vault token revoke -mode path auth/github
```

All tokens generated by logins to the path `auth/github` are revoked.

All authentication methods, except for the token auth method, can be disabled.

Disable the `github` auth method.

```shell-session
$ vault auth disable github

Success! Disabled the auth method (if it existed) at: github/
```

All tokens generated by logins using this authentication method are revoked.

Whenever the `VAULT_TOKEN` environment variable is set, the CLI commands will always use its value (the initial root token) unless the environment variable is unset or overwritten with another token value.


