pkg.gl

Right now, are there any root tokens in Vault?
Which policies, users, and tokens can access this particular secret path?
The unseal admins are working from home, but we need a policy changed.
- How do we generate a root token only for this change, and make sure it's revoked after?
I store my policies on a Github repo. Can I deploy all my policies in one go? See more
If I remove this secret/policy, will anybody's workflow break?

Deploy goldfish in production in minutes!

Seriously, the instructions fit on one screen!

Features

Hot-loadable server settings from a provided vault endpoint
Displaying a vault endpoint as a 'bulletin board' in homepage
Logging in with token, userpass, github, or LDAP
Secret Reading/editing/creating/listing
Auth Searching/creating/listing/deleting
Mounts Listing
Policies Searching/Listing
Encrypting and decrypting arbitrary strings using transit backend

Major features: See wiki for more

DONE! Searching tokens by policy walkthrough
- E.g. Display all tokens that have the policy 'admins'
DONE! Searching policy by rule walkthrough
- E.g. Display all policies that can access 'secret/data*'
DONE! Request & approval based policy changes walkthrough
- Users can place a policy change request in vault
- Admins must then provide unseal tokens for that specific request
- Upon reaching a set number, goldfish generates a root token, performs edit, and revokes the root token
DONE! Terraform your vault walkthrough
- Fetch a folder of policies from a commit in github
- Admins can enter their unseal tokens for approval to set vault policies according to policies found
- Change dozens of policies in one go!
DONE! Resource dependency chain
- E.g. Will removing a particular policy affect current users?
- Will removing a mount or secret path affect current users?
Certificate management panel
- If vault is a certificate authority, there should be a user-friendly panel of details and statistics
Moving root tokens away from the human eye
- More root operations like mount tuning should also be done via request & approval basis, like policy changes
Database management panel
- Vault 0.7.3 allows for multiple db connections per backend, but lacks a management system

Screenshots

Developing Goldfish

Running locally

You'll need go (v1.8), nodejs (v6), and npm (v5)

# hashicorp vault ui

# clone goldfish
go get github.com/caiyeon/goldfish
cd $GOPATH/src/github.com/caiyeon/goldfish

# running goldfish server in -dev will spin up a local vault instance for you
go run server.go -dev

# running goldfish frontend in dev mode will allow for hot-reload of frontend files
cd frontend
sudo npm install -g cross-env
npm install
npm run dev

# a browser window/tab should open, pointing directly to goldfish

Using a VM

A vagrantfile is available as well

You'll need Vagrant and VirtualBox. On Windows, a restart after installation is needed.

# if you wish to launch goldfish in a VM:
git clone https://github.com/Caiyeon/goldfish.git
cd goldfish/vagrant

# this will take awhile
vagrant up --provision

# open up localhost:8001 in chrome on your local machine. You can login with token 'goldfish'

Development

Goldfish is in very active development:

Pull requests and feature requests are welcome. Feel free to suggest new workflows by opening issues.

Components

Frontend:

VueJS
Bulma CSS
Vue Admin

Backend:

Vault API wrapper

Design

See: Architecture

Why 'Goldfish'?

This server should behave as a goldfish, forgetting everything immediately after a request is completed. That, and other inside-joke reasons.

Credits for the goldfish icon goes to Laurel Chan