Goldfish- A HashiCorp Vault UI and workflow tool.pic.twitter /uVWLuQEBMi
— Kelsey Hightower (@kelseyhightower)August 21, 2017
Goldfish answers many auditing and administration questions that Vault API can't:
- Right now, are there any root tokens in Vault?
- Which policies, users, and tokens can access this particular secret path?
- The unseal admins are working from home, but we need a policy changed.
- How do we generate a root token only for this change, and make sure it's revoked after?
- I store my policies on a Github repo. Can I deploy all my policies in one go?See more
- If I remove this secret/policy, will anybody's workflow break?
Seriously, the instructions fit on one screen!
- Hot-loadable server settings from a provided vault endpoint
- Displaying a vault endpoint as a 'bulletin board' in homepage
- Logging inwith token, userpass, github, or LDAP
- SecretReading/editing/creating/listing
- AuthSearching/creating/listing/deleting
- MountsListing
- PoliciesSearching/Listing
- Encrypting and decrypting arbitrary strings using transit backend
Major features:See wiki for more
- DONE!Searching tokens by policywalkthrough
- E.g. Display all tokens that have the policy 'admins'
- DONE!Searching policy by rulewalkthrough
- E.g. Display all policies that can access 'secret/data*'
- DONE!Request & approval based policy changeswalkthrough
- Users can place a policy change request in vault
- Admins must then provide unseal tokens for that specific request
- Upon reaching a set number, goldfish generates a root token, performs edit, and revokes the root token
- DONE!Terraform your vaultwalkthrough
- Fetch a folder of policies from a commit in github
- Admins can enter their unseal tokens for approval to set vault policies according to policies found
- Change dozens of policies in one go!
- DONE!Resource dependency chain
- E.g. Will removing a particular policy affect current users?
- Will removing a mount or secret path affect current users?
You'll need go (v1.9), nodejs (v8.2), and npm (v5)
#hashicorp vault ui
#clone goldfish
go get github /caiyeon/goldfish
cd$GOPATH/src/github /caiyeon/goldfish
#running goldfish server in -dev will spin up a local vault instance for you
go run server.go -dev
#running goldfish frontend in dev mode will allow for hot-reload of frontend files
cdfrontend
sudo npm install -g cross-env
npm install
npm run dev
#a browser window/tab should open, pointing directly to goldfishA vagrantfile is available as well
You'll needVagrantandVirtualBox.On Windows, a restart after installation is needed.
#if you wish to launch goldfish in a VM:
git clone https://github /Caiyeon/goldfish.git
cdgoldfish/vagrant
#this will take awhile
vagrant up --provision
#go to localhost:8080 on your local machine and login with token 'goldfish'
#changes to frontend.vue files will be hot-reloaded
#to force a full reload for the frontend, ssh into the machine and run
#`sudo systemctl restart goldfish_frontend.service`
#to recompile and re-run the backend, ssh into the machine and run
#`sudo systemctl restart goldfish.service`You'll need Go(v1.9), Nodejs (v8.2.0), Npm (v5)
Note that using different versions (of nodeJS, especially) will cause differences in the final binary.
#download the source code
go get -d github /caiyeon/goldfish
cd$GOPATH/src/github /caiyeon/goldfish
#resetting to a tagged version is recommended
#no support will be given to arbitrary commits on the master branch
git fetch --all --tags --prune
git checkout tags/<version>#version could be, for example, v0.8.0
#compile the binary
sh build.shGoldfish is in very active development.
Pull requests and feature requests are welcome. Feel free to suggest new workflows by opening issues.
Frontend:
- VueJS
- Bulma CSS
- Vue Admin
Backend:
- Vault APIwrapper
See:Architecture
This server should behave as a goldfish, forgetting everything immediately after a request is completed. That, and other inside-joke reasons.
Credits for the goldfish icon goes toLaurel Chan