Could not get audit logs from the graphql explorer

GitHub Ecosystem GraphQL API
#1

the following query fails with error. my login is the owner of the org.

query {
    organization(login:"<org>") {
      auditLog(last:100){
        edges{
          node{
            ... on AuditEntry {
              action
              actorLogin
              createdAt
            }
          }
        }
      }
    }
}

{
  "data": {
    "organization": null
  },
  "errors": [
    {
      "type": "FORBIDDEN",
      "path": [
        "organization",
        "auditLog"
      ],
      "locations": [
        {
          "line": 8,
          "column": 7
        }
      ],
      "message": "vivekthangathurai does not have permission to retrieve auditLog information."
    }
  ]
}
#2

@vivekthangathurai, does the personal access token used have admin:org scope?

#3

I am not using the personal token, I am just logged in into the explorer using my login which is the owner of the org used in the query.

Also we tried with a github app ( with admin write access) but could not fetch the response.

#4

@vivekthangathurai, it is still permission scope related.
When you use GraphQL API Explorer you are not technically logged in as your user with all your user permissions. What you have done is installed an Authorised and OAuth App (GraphQL API Explorer) for your account.
This OAUth App does not have the full permissions of your account and does not have admin:scope permission, hence the does not have permission error you see.
You can view Authorized OAuth Apps (github.com) in the GUI and if you click on it you can see its permissions

You simple json query does work with a correctly scoped token, I tested just now using Postman as the GraphQL and a correctly scoped token client, you could use any GraphpQL client you desire or a simple CURL command for the purpose of an initial test.
There is curl example in the docs here
https://docs.github.com/en/free-pro-team@latest/graphql/guides/forming-calls-with-graphql

#5

Thanks @byrneh. one last question. Can we use the github app to authenticate the graphql api for audit logs?

#6

@vivekthangathurai, I cannot comment from my own experience or usage as I have not used GitHub Apps myself.
This blog suggests it is supported
https://developer.github.com/changes/2018-04-30-graphql-supports-github-apps/
As mentioned earlier it will need the equivalent of admin:org scope permission

You can see the permissions when you create and app (you can also edit for an existing
Register new GitHub App
It not clear looking under Organization Permissions, select one or all the options here would give you the equivalent or needed permissions to access Organization Audit Log, suggest you give it a try if you have a GitHub App already installed and configured

#7

Hi @byrneh,
Hope you are good!

We are using GitHub App to make GraphQL queries and it works fine. But only for Audit Logs, we are facing the below mentioned error even though all the permissions are set to “Read and Write”:

{"level":"error","error":"GraphQL Server Error: logserviceapp does not have permission to retrieve auditLog information.","time":"2021-01-08T09:31:08+05:30","message":"Github GraphQL query failed, retrying in 6m0s"}

Please help in knowing if anything else is required or if this is not supported currently.
Thanks in advance.

#8

@shashwat-appdirect, yes it looks like it is not supported as looking through the allowed scopes of GitHub Apps.it does not seem to offer the equivalent of admin:org permission which is needed.

Also worth noting and I am reliably informed the new Rest API Audit Log function will be offering the most complete audit log event data view going forward, expect enhancements during 2021 also.so keel a look out on announcements related to this also.