Does CircleCI need a github service account for proper isolation?

Note: I don’t know a lot about this stuff; I’ve had to make many assumptions and guesses, please correct if wrong!

Hi, I’m setting up circle to build my company’s github repos. I’m an admin of the company org, so I authorised circle as an Application.

Even this was confusing - github’s auth model is bonkers. What I /think/ happened is that I, as a user (orgs can log in), SSO’d into circle with my github account, then authorized circle with github. This seems to have authorized the circle “application” with both my org (settings -> third party access) AND also my personal account (my implicit personal org, if you like) (settings -> applications -> authorized oauth apps). So, confusing, and over-reaching I’d argue (please ask per org when doing this set-up rather than auto-enrolling everything), but I think I understand.

My problem is now this: I need to create a circle API token some that some bot I’ve got at work can manipulate company jobs. The problem is that API tokens are personal, i.e. per circle user. Surely this means that anyone who holds that token not only has access to manipulate my org’s jobs (which is what I want), but also my personal jobs, and by extension has API access to private info and repos in my personal github (not what I want). Sure, I could go an deauthorize circle from my personal account, but I like it and want to use it for personal projects as well, I just want to isolate the security.

I would say that github’s weird auth structure where they force everyone to have one account for home and work, and to use orgs for work stuff, doesn’t help here. But I think what I want is the ability to be able to create “native” accounts on circle. I want to make one that’s authorized to my personal github account & repos, and another that’s authorized only to my company org. Then I can make two separate access tokens that can each only touch what they’re meant to. The problem seems to stem from circle only accepting log-in via SSO from github, and see above about github forcing everyone onto the same account. Except with github, I can make separate “personal access tokens” with authority over either my user or my org.

Have I understood what’s going on here? Is there a way to get what I want?
For now I’ve made a separate github user, which is a member of my company org, and signed that into circleci, but this is clunky and really not the github model.


1 Like

We have the same problem for a project in which I participate.
The org admin wants me to switch to “travis” because of the issue.
You have at least given me a hint of a work-around.
But a real “fix” would be nice.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.