vault_client_auth_github: Vault GitHub Authentication Configuration


Description

Interact with vault's GitHub authentication backend. For more details, please see the vault documentation at https://www.vaultproject.io/docs/auth/github.html

Methods

custom_mount

Set up a vault_client_auth_github object at a custom mount. For example, if you mounted the github authentication backend at /github-myorg, you might use gh <- vault$auth$github$custom_mount("/github-myorg"). This pattern is repeated for other secret and authentication backends.
Usage:

custom_mount(mount)

Arguments:

  • mount: String, indicating the path that the engine is mounted at.

configure

Configures the connection parameters for GitHub-based authentication.
Usage:

configure(organization, base_url = NULL, ttl = NULL, max_ttl = NULL)

Arguments:

  • organization: The organization users must be part of (note American spelling).

  • base_url: The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.

  • ttl: Duration after which authentication expires.

  • max_ttl: Maximum duration after which authentication expires.

configuration

Reads the connection parameters for GitHub-based authentication.
Usage:

configuration()

write

Write a mapping between a GitHub team or user and a set of vault policies.
Usage:

write(team_name, policies, user = FALSE)

Arguments:

  • team_name: String, with the GitHub team name

  • policies: A character vector of vault policies that this user or team will have for vault access if they match this team or user.

  • user: Scalar logical - if TRUE, then team_name is interpreted as a user instead.

read

Read a mapping between a GitHub team or user and a set of vault policies.
Usage:

read(team_name, user = FALSE)

Arguments:

  • team_name: String, with the GitHub team name

  • user: Scalar logical - if TRUE, then team_name is interpreted as a user instead.

login

Log into the vault using GitHub authentication. Normally you would not call this directly but instead use $login with method = "github" and provide the token argument. This function returns a vault token but does not set it as the client token.
Usage:

login(token = NULL)

Arguments:

  • token: A GitHub token to authenticate with.

Examples

server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()

  client$auth$enable("github")
  # To enable login for members of the organisation "vimc":
  client$auth$github$configure(organization = "vimc")
  # To map members of the "development" team *within* that organisation
  # to the "default" policy:
  client$auth$github$write("development", "default")

  # Once configured like this, if we have a PAT for a member of
  # the "development" team saved as an environment variable
  # "VAULT_AUTH_GITHUB_TOKEN" then doing
  #
  #   vaultr::vault_client(addr = ..., login = "github")
  #
  # will contact GitHub to verify the user token and vault will
  # then issue a client token

  # cleanup
  server$kill()
}
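
The following is an added example, not part of the vaultr documentation: it bounds token lifetime with ttl and max_ttl, maps both a team and an individual user, and reads each setting back so the backend can be reviewed after configuration. The organization "example-org", the user "ci-bot" and the duration strings "1h" and "4h" are assumptions made for illustration.

```r
server <- vaultr::vault_test_server(if_disabled = message)
if (!is.null(server)) {
  client <- server$client()
  client$auth$enable("github")
  gh <- client$auth$github

  # Restrict login to one organization and bound how long the issued
  # vault token stays valid (duration strings are assumed values).
  gh$configure(organization = "example-org", ttl = "1h", max_ttl = "4h")

  # Read the stored parameters back to confirm what vault recorded.
  str(gh$configuration())

  # Map a team, and separately a single user, to the "default" policy.
  # With user = TRUE the first argument is treated as a GitHub user name.
  gh$write("development", "default")
  gh$write("ci-bot", "default", user = TRUE)

  # Review each mapping: these are the policies a login would receive.
  str(gh$read("development"))
  str(gh$read("ci-bot", user = TRUE))

  # cleanup
  server$kill()
}
```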

vimc/vaultr documentation built on Nov. 8, 2019, 6:23 p.m.