vault-github: user is not part of required org #108

Closed
kleberbaum opened this issue Dec 1, 2023 · 4 comments
Labels
waiting-for-info Further information is requested

Comments

@kleberbaum

Module: vault-github
Coder Version: 2.4.0
Vault Version: 1.15.3
Issue: Error with ghu_ prefixed GitHub App token during workspace startup; ghp_ personal access tokens work fine.

Error Message on Workspace Startup:

Error authenticating: Error making API request.
URL: PUT http://192.168.1.105:8200/v1/auth/github/login
Code: 500. Errors:
* user is not part of required org

Configuration:

  • Installed and configured the vault-github module in a Coder template.
  • Engaged GitHub authentication and established GitHub organization in Vault settings.

Discovery:

  • Authentication with GitHub App tokens (ghu_ prefix) fails upon workspace initialization.
  • Authentication using personal access tokens (ghp_ prefix) performs correctly.

Steps to Reproduce:

  1. Set up the vault-github module in Coder template.
    module "vault" {
      source               = "https://registry.coder.com/modules/vault-github"
      agent_id             = coder_agent.dev.id            # the workspace agent that receives the Vault token
      vault_addr           = "http://192.168.1.105:8200"   # Vault server reachable from the workspace
      coder_github_auth_id = "primary-github"              # Coder external auth (GitHub App) whose token is sent to Vault
    }
  2. Activated GitHub authentication and set the GitHub organization in Vault.
    vault auth enable github
    vault write auth/github/config organization=photonq-org
  3. Encountered an error when starting the workspace using a GitHub App token.
    vault login -method=github token=ghu_MyGitHubAppAccessToken
  4. Successfully logged in with a personal access token.
    vault login -method=github token=ghp_MyPersonalAccessToken

Question:
Is additional configuration required within HashiCorp Vault to enable authentication using GitHub App tokens (ghu_ prefix) as they produce an error stating the user is not part of the required organization?

bpmct commented Dec 7, 2023

cc @matifali

matifali commented Dec 7, 2023

Hi @kleberbaum as per Vault docs, this works with any valid GitHub access tokens.
see:

Any valid GitHub access token with the read:org scope for any user belonging to the Vault-configured organization can be used for authentication. If such a token is stolen from a third party service, and the attacker is able to make network calls to Vault, they will be able to log in as the user that generated the access token.

If the GitHub team is part of an organization with SSO enabled, the user will need to authorize the personal access token. Failing to do so for SSO users will result in the personal access token not providing identity information. The token issued by the auth method will only be assigned the default policy.

There is no special configuration needed at Vault or Coder's end. You can create a GitHub app/OAuth app with scope read:org and configure Coder to use this as external auth:

CODER_EXTERNAL_AUTH_0_ID=primary-github
CODER_EXTERNAL_AUTH_0_TYPE=github
CODER_EXTERNAL_AUTH_0_CLIENT_ID=xxxxxx
CODER_EXTERNAL_AUTH_0_CLIENT_SECRET=xxxxxxx

Then setup vault with GitHub auth using this guide.

I have verified in my setup and I am able to auth using the app token, e.g. ghu_XXXXXXX....

matifali commented Dec 7, 2023

@kleberbaum I think you are missing parts 3 and 4 of this guide to map users to teams and assign an appropriate vault policy.
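
Added example, not code from this issue, from Coder's vault-github module or from Vault itself: a small Python script that runs the same two lookups Vault's GitHub auth method performs with the submitted token (list the token's organizations and match the configured one case-insensitively, then collect the team names and slugs inside that organization, which are the keys under auth/github/map/teams/). "user is not part of required org" is the outcome of the first lookup failing, so running this with the ghu_ token and with the ghp_ token side by side shows exactly which organizations each token can see. The endpoint paths are GitHub's; the function names, the report layout and the sample data in the test are mine.

```python
# Added example: reproduce the org/team checks behind Vault's GitHub auth method.
# Endpoints (/user/orgs, /user/teams) are GitHub's REST API; function names are mine.
import json
import sys
import urllib.request

GITHUB_API = "https://api.github.com"


def _get_json(url, token):
    """GET a GitHub REST endpoint with a ghp_/ghu_ token and return the parsed body."""
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "vault-github-membership-check",
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def _paged(url, token, per_page=100):
    """Follow page= until a short page is returned, like Vault's paginated listing."""
    items, page = [], 1
    while True:
        batch = _get_json(f"{url}?per_page={per_page}&page={page}", token)
        items.extend(batch)
        if len(batch) < per_page:
            return items
        page += 1


def find_org(orgs, required_org):
    """First check: the configured organization must be among the orgs the token
    can see. Vault compares the login case-insensitively. Returns the org or None;
    None is the case that produces "user is not part of required org"."""
    for org in orgs:
        if org.get("login", "").lower() == required_org.lower():
            return org
    return None


def team_keys_in_org(teams, org):
    """Second step: team names and slugs that belong to the matched organization.
    These are the keys Vault looks up under auth/github/map/teams/<key> to attach
    policies; a user with no mapped team only gets the default policy."""
    keys = set()
    for team in teams:
        if team.get("organization", {}).get("id") != org.get("id"):
            continue
        keys.add(team.get("name", ""))
        keys.add(team.get("slug", ""))
    keys.discard("")
    return sorted(keys)


def diagnose(token, required_org):
    """Run both lookups against the live API and return a small report dict."""
    orgs = _paged(f"{GITHUB_API}/user/orgs", token)
    org = find_org(orgs, required_org)
    report = {
        "visible_orgs": [o.get("login") for o in orgs],
        "org_found": org is not None,
        "team_keys": [],
    }
    if org is not None:
        teams = _paged(f"{GITHUB_API}/user/teams", token)
        report["team_keys"] = team_keys_in_org(teams, org)
    return report


if __name__ == "__main__":
    # usage: python check.py <github_token> <organization>
    if len(sys.argv) != 3:
        sys.exit("usage: check.py <github_token> <organization>")
    print(json.dumps(diagnose(sys.argv[1], sys.argv[2]), indent=2))
```

If "org_found" is false for the ghu_ token but true for the ghp_ token, the difference is in what GitHub returns for that token, not in Vault's configuration; if it is true but "team_keys" is empty or contains no key you have mapped with vault write auth/github/map/teams/<key>, the login will succeed with only the default policy, which is the situation parts 3 and 4 of the guide address.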

@matifali matifali self-assigned this Dec 8, 2023
@matifali matifali added the waiting-for-info Further information is requested label Dec 17, 2023
@matifali

Closing in favour of #175
