There is great value in having something like Vault to store encrypted secrets and using rotation to regularly render tokens and keys useless after a short period of time. My plan is to get deeper into how this all works and what has been configured. In this post, I'll lay the starting groundwork for the series by showcasing how to configure Vault to use an external authentication source: GitHub Personal Access Tokens. This makes it much easier for individuals and teams to automatically inherit the appropriate Vault policy and access and manage their desired secrets engines.

The trade-off is that personal tokens are static and require more consideration when designing and deploying Vault, especially in a public space. In my case, Vault is deployed on an AWS EC2 t2.micro instance and is only accessible from an internal network that is piped directly into a co-location. There is no public access to Vault permitted and only ports 22 (SSH) and 8200 (UI/API) are allowed. This seemed like the most efficient design for the use case.

Start by heading to GitHub to create a Personal Access Token that will be used to verify your identity. This can be found in Settings > Developer Settings > Personal Access Tokens (or use the link). Click on the Generate New Token button to start the wizard.

Enter a description in the Note field (mandatory) so that you don't forget the purpose of this token. Mine is just vault-rubrik since this particular token is only used for the Vault instance running in the Rubrik lab. The only permission you'll need to grant is the read:org permission. Click Generate Token at the bottom and then record the token value in your password safe.

The only permission required is read:org for your GitHub token.

I suppose you could even store the token value in Vault since you can always go back into GitHub and generate a new token if this one is lost. However, I tend to keep my identity information stored apart from my applications and systems.

GitHub Single Sign-On (SSO) Organizations

If your GitHub Team is part of an SSO organization, you'll need to authorize the token for access. Use the Enable SSO drop down button next to your token to select the desired organization. Click Authorize to complete the workflow with your SSO provider. Failure to complete this step for SSO users will result in the token not being able to provide identity information.

Make sure to authenticate your token with your organization's SSO provider. Without it, your GitHub login will be restricted to the default policy.

The Vault documentation and API documentation do a good job at showing you the few commands required to configure GitHub as an authentication source. It really boils down to the commands below.

Once complete, you can check out the GitHub auth configuration to make sure things are set up as desired. In my case, the GitHub Organization is rubrikinc.

Look at the policy map to ensure it's correct. The GitHub Team is developer-relations and the Vault policy is rubrik-manage for this scenario.

vault read auth/github/map/teams/developer-relations

If desired, you can also map users directly to a Vault policy as shown below. This is handy in case you are not part of a team or want to grant yourself a specific policy.

vault write auth/github/map/users/chriswahl value=rubrik-manage

Note: You cannot map a team or user to the root policy. If you find that a mistake was made, or you change your mind on the configuration of your organization, teams, or users, just run the related command an additional time with the correct values.

Let's try using our snazzy new GitHub token to authenticate against Vault. Change the Method to GitHub and supply your GitHub token to sign in.
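The script below is an added example, not code from the original post or from HashiCorp: it wraps the configuration steps described above (enable the GitHub method, set the organization, map a team and a user to a policy, read the mapping back) in a re-runnable POSIX sh script with two guardrails. First, it checks that the Personal Access Token really carries only the read:org scope, using the X-OAuth-Scopes header GitHub returns on authenticated API responses. Second, it refuses to map anything to the root policy before calling vault, since Vault rejects that mapping anyway. The organization, team, user and policy names are the ones from the post; the VAULT_CMD, RUN_SETUP and GITHUB_TOKEN environment variables are assumptions of this example (VAULT_CMD=echo gives a dry run), and the sample header line in the comments is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): configure Vault's GitHub auth
# method with a scope check on the PAT and a guard against the root policy.
# VAULT_CMD=echo prints the commands instead of running them (dry run).

VAULT_CMD="${VAULT_CMD:-vault}"

# check_scopes HEADER_LINE
# Succeeds only when the X-OAuth-Scopes header lists exactly "read:org".
# Constructed sample input: "X-OAuth-Scopes: read:org"
check_scopes() {
  scopes=$(printf '%s\n' "$1" \
    | sed -n 's/^[Xx]-[Oo][Aa]uth-[Ss]copes:[[:space:]]*//p' \
    | tr -d '\r' | sed 's/[[:space:]]*$//')
  [ "$scopes" = "read:org" ]
}

# fetch_scopes TOKEN
# Asks GitHub who the token belongs to and prints the X-OAuth-Scopes header
# from the response. Needs network access.
fetch_scopes() {
  curl -sI -H "Authorization: token $1" https://api.github.com/user \
    | grep -i '^X-OAuth-Scopes:'
}

# verify_token TOKEN
# Fails if the token has more (or fewer) scopes than read:org.
verify_token() {
  check_scopes "$(fetch_scopes "$1")"
}

# github_map KIND NAME POLICY
# Runs: vault write auth/github/map/<teams|users>/NAME value=POLICY
# Refuses the root policy and any KIND other than teams or users.
github_map() {
  kind=$1; name=$2; policy=$3
  case "$kind" in
    teams|users) ;;
    *) echo "github_map: kind must be teams or users, got '$kind'" >&2; return 2 ;;
  esac
  if [ "$policy" = "root" ]; then
    echo "github_map: refusing to map $kind/$name to the root policy" >&2
    return 1
  fi
  "$VAULT_CMD" write "auth/github/map/$kind/$name" "value=$policy"
}

# configure_github_auth ORG
# Enables the method (ignoring "already enabled") and sets the organization.
# Safe to re-run: vault write simply overwrites the previous values.
configure_github_auth() {
  "$VAULT_CMD" auth enable github 2>/dev/null || true
  "$VAULT_CMD" write auth/github/config "organization=$1"
}

# login_with_pat TOKEN
# CLI equivalent of choosing the GitHub method in the UI and pasting the token.
login_with_pat() {
  "$VAULT_CMD" login -method=github "token=$1"
}

# Entry point, guarded so the functions can be sourced without side effects:
#   RUN_SETUP=1 GITHUB_TOKEN=ghp_... sh vault-github-auth.sh
if [ "${RUN_SETUP:-0}" = "1" ]; then
  if [ -n "${GITHUB_TOKEN:-}" ] && ! verify_token "$GITHUB_TOKEN"; then
    echo "token scopes are not exactly read:org; fix the PAT first" >&2
    exit 1
  fi
  configure_github_auth rubrikinc
  github_map teams developer-relations rubrik-manage
  github_map users chriswahl rubrik-manage
  "$VAULT_CMD" read auth/github/map/teams/developer-relations
  [ -n "${GITHUB_TOKEN:-}" ] && login_with_pat "$GITHUB_TOKEN"
fi
```

Running it with VAULT_CMD=echo RUN_SETUP=1 shows every vault command it would issue without touching a server, which is a convenient way to review the mapping before applying it. The scope check is deliberately strict: a token that also carries repo or write scopes is rejected even though Vault would accept it, because the static nature of personal tokens is exactly why they should hold nothing beyond what the auth method needs.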