Drone provides an official extension to limit system access based on GitHub organization and team membership. You can use this extension to configure access policies, such as:
- If user is organization member, grant access
- If user is organization admin, grant admin access
- If user is member of designated team, grant admin access (optional)
- Else deny access
The extension accepts the following configuration parameters:
- GitHub API base URL. This is only required when integrating with GitHub Enterprise. The URL format should be
- GitHub API personal access token. This token must have adequate permissions to access organization and team endpoints.
- Comma-separated list of organizations. If defined, the user must be a member of at least one organization in the list.
- Comma-separated list of teams. If defined, users that are members of a listed team are granted administrative access.
Create a shared secret.
$ openssl rand -hex 16
bea26a2221fd8090ea38720fc445eca6
Download and run the extension.
$ docker run -d \
  --publish=3000:3000 \
  --env=DRONE_DEBUG=true \
  --env=DRONE_SECRET=bea26a2221fd8090ea38720fc445eca6 \
  --env=DRONE_GITHUB_TOKEN=3da541559918a808c2402bba5012f6c6 \
  --env=DRONE_GITHUB_ORG=acme \
  --env=DRONE_GITHUB_TEAM=admins \
  --restart=always \
  --name=admitter drone/drone-admit-members
Update your Drone server configuration to include the extension address and the shared secret.
You can verify the extension is configured and is processing requests using the command line utility.
Provide the command line utility with the extension endpoint and secret.
export DRONE_ADMISSION_ENDPOINT=http://localhost:3000
export DRONE_ADMISSION_SECRET=bea26a2221fd8090ea38720fc445eca6
Use the command line utility to check if a user is admitted:
$ drone plugins admit octocat
This extension is considered a reference implementation of an admission controller, and has limited scope. You are encouraged to fork and customize this extension as needed. You can find the source code at drone/drone-admit-members.
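The policy order listed at the top of this page, written out as a Go sketch for anyone forking the extension. This is an added example, not code from drone/drone-admit-members: `Membership`, `Lookup`, `Admit` and `sampleLookup` are hypothetical names, the lookup data is constructed, and denying on any lookup error or on an empty organization list is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Membership and Lookup are hypothetical stand-ins for the GitHub API calls.
type Membership struct{ Member, Admin bool; Teams []string }
type Lookup func(org, user string) (Membership, error)

// splitList parses a comma-separated setting, ignoring blanks and case.
func splitList(s string) []string {
	return strings.FieldsFunc(strings.ToLower(s), func(r rune) bool { return r == ',' || r == ' ' })
}

// Admit applies the documented policy order; any lookup error denies access.
func Admit(user, orgs, teams string, lookup Lookup) (admit, admin bool, err error) {
	adminTeams := map[string]bool{}
	for _, t := range splitList(teams) {
		adminTeams[t] = true
	}
	for _, org := range splitList(orgs) {
		m, lerr := lookup(org, user)
		if lerr != nil {
			return false, false, fmt.Errorf("lookup %s in %s: %w", user, org, lerr)
		}
		if m.Member {
			admit, admin = true, admin || m.Admin
			for _, t := range m.Teams {
				admin = admin || adminTeams[strings.ToLower(t)]
			}
		}
	}
	return admit, admin, nil // an empty org list admits nobody (assumption)
}

// sampleLookup returns constructed data; org "down" simulates an API failure.
func sampleLookup(org, user string) (Membership, error) {
	if org == "down" {
		return Membership{}, errors.New("api unavailable")
	}
	return Membership{Member: org == "acme" && user != "mallory", Admin: user == "octocat"}, nil
}

func main() {
	fmt.Println(Admit("octocat", "acme", "admins", sampleLookup))      // true true <nil>
	fmt.Println(Admit("octocat", "acme,down", "admins", sampleLookup)) // denied: lookup failed
}
```

Returning the error together with `false, false` keeps a GitHub outage from turning into an implicit grant; the caller only has to treat a non-nil error as a denial.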