What is this?
Goldfish - A HashiCorp Vault UI and workflow tool.
- Kelsey Hightower (@kelseyhightower) August 21, 2017
Goldfish answers many auditing and administration questions that Vault API can't:
- Right now, are there any root tokens in Vault?
- Which policies, users, and tokens can access this particular secret path?
- The unseal admins are working from home, but we need a policy changed.
- How do we generate a root token only for this change, and make sure it's revoked after?
- I store my policies on a Github repo. Can I deploy all my policies in one go?
- If I remove this secret/policy, will anybody's workflow break?
Deploy goldfish in production in minutes!
Seriously, the instructions fit on one screen!
Features
- Hot-loadable server settings from a provided vault endpoint
- Displaying a vault endpoint as a 'bulletin board' in homepage
- Logging in with token, userpass, github, or LDAP
- Secret Reading/editing/creating/listing
- Auth Searching/creating/listing/deleting
- Mounts Listing
- Policies Searching/Listing
- Encrypting and decrypting arbitrary strings using transit backend
See wiki for more
Major features:
- DONE! Searching tokens by policy (walkthrough)
- E.g. Display all tokens that have the policy 'admins'
- DONE! Searching policy by rule walkthrough
- E.g. Display all policies that can access 'secret/data*'
- DONE! Request & approval based policy changes walkthrough
- Users can place a policy change request in vault
- Admins must then provide unseal tokens for that specific request
- Upon reaching a set number, goldfish generates a root token, performs edit, and revokes the root token
- DONE! Terraform your vault walkthrough
- Fetch a folder of policies from a commit in github
- Admins can enter their unseal tokens for approval to set vault policies according to policies found
- Change dozens of policies in one go!
- DONE! Resource dependency chain
- E.g. Will removing a particular policy affect current users?
- Will removing a mount or secret path affect current users?
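As an added illustration of the "which policies can access this secret path?" search above (example code, not Goldfish's own), this Go snippet applies Vault's path-rule precedence to a constructed set of policies: an exact path match beats any glob, the longest glob prefix wins, and a deny in the selected rule overrides its other capabilities. The policy names, paths and capabilities are made up for the demo.

```go
package main

import (
	"sort"
	"strings"
)

// Rules maps a policy's `path "..."` stanzas to their capabilities and
// Policies maps policy names to Rules; both are pre-parsed (no HCL here).
type Rules map[string][]string
type Policies map[string]Rules

// grants reports whether one policy gives a non-deny capability on secretPath,
// using Vault's rule selection: an exact path match beats any glob, among globs
// (trailing '*') the longest prefix wins, and a "deny" in the selected rule
// overrides its other capabilities. Vault's later '+' wildcard is not modelled.
func grants(rules Rules, secretPath string) bool {
	var caps []string
	bestLen := -1
	for path, c := range rules {
		if !strings.HasSuffix(path, "*") {
			if path == secretPath {
				caps, bestLen = c, len(path)+1 // exact match outranks every glob
			}
			continue
		}
		prefix := strings.TrimSuffix(path, "*")
		if strings.HasPrefix(secretPath, prefix) && len(prefix) > bestLen {
			caps, bestLen = c, len(prefix)
		}
	}
	denied := bestLen < 0 || len(caps) == 0 // no matching rule means no access
	for _, c := range caps {
		denied = denied || c == "deny"
	}
	return !denied
}

// PoliciesAccessing answers "which policies can access this secret path?".
func PoliciesAccessing(pols Policies, secretPath string) []string {
	var names []string
	for name, rules := range pols {
		if grants(rules, secretPath) {
			names = append(names, name)
		}
	}
	sort.Strings(names) // map iteration order is random
	return names
}

// SamplePolicies is constructed demo data, not taken from any real Vault.
var SamplePolicies = Policies{
	"admins":       {"secret/*": {"create", "read", "update", "delete", "list"}},
	"app-readonly": {"secret/data/*": {"read"}, "secret/data/db-root": {"deny"}},
}
```

With the sample data, "secret/data/app1" is reachable by both policies, while "secret/data/db-root" is reachable only by admins because the exact deny rule outranks app-readonly's glob.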
Screenshots
Developing Goldfish
Running locally
You'll need go (v1.9), nodejs (v8.2), and npm (v5)
# hashicorp vault ui
# clone goldfish
go get github.com/caiyeon/goldfish
cd $GOPATH/src/github.com/caiyeon/goldfish
# running goldfish server in -dev will spin up a local vault instance for you
go run server.go -dev
# running goldfish frontend in dev mode will allow for hot-reload of frontend files
cd frontend
sudo npm install -g cross-env
npm install
npm run dev
# a browser window/tab should open, pointing directly to goldfish
Using a VM
A vagrantfile is available as well
You'll need Vagrant and VirtualBox. On Windows, a restart after installation is needed.
# if you wish to launch goldfish in a VM:
git clone https://github.com/Caiyeon/goldfish.git
cd goldfish/vagrant
# this will take awhile
vagrant up --provision
# go to localhost:8080 on your local machine and login with token 'goldfish'
# changes to frontend .vue files will be hot-reloaded
# to force a full reload for the frontend, ssh into the machine and run
# `sudo systemctl restart goldfish_frontend.service`
# to recompile and re-run the backend, ssh into the machine and run
# `sudo systemctl restart goldfish.service`
Compiling
You'll need Go (v1.9), Node.js (v8.2.0), and npm (v5).
Note that using different versions (of nodeJS, especially) will cause differences in the final binary.
# download the source code
go get -d github.com/caiyeon/goldfish
cd $GOPATH/src/github.com/caiyeon/goldfish
# resetting to a tagged version is recommended
# no support will be given to arbitrary commits on the master branch
git fetch --all --tags --prune
git checkout tags/<version> # version could be, for example, v0.8.0
# compile the binary
sh build.sh
Development
Goldfish is in very active development.
Pull requests and feature requests are welcome. Feel free to suggest new workflows by opening issues.
Components
Frontend:
- VueJS
- Bulma CSS
- Vue Admin
Backend:
- Vault API wrapper
Design
See: Architecture
Why 'Goldfish'?
This server should behave as a goldfish, forgetting everything immediately after a request is completed. That, and other inside-joke reasons.
Credit for the goldfish icon goes to Laurel Chan
Official Docker Image
Currently there is a Dockerfile in the repository but there is no official distribution of this image on Docker Hub. We are also maintaining one under themobilelife/goldfish but I think it would be better if there was an official one maintained on Docker Hub.
"Error: Goldfish could not use transit key"
Hi, Tony. I upgraded from Goldfish 0.4.1 to 0.5.0 last week, and everything was working fine. This morning when I go to login, I'm getting this:
Error: 500 Goldfish could not use transit key
Is there an expiration problem or key-refresh issue that's not happening?
Thanks for all your work.
Failed to unwrap provided token
Moved up to 0.4.0 and I'm now getting this every time I launch goldfish, be it via systemd or straight from the command line.
config.hcl contents:
Bug: 500 invalid character '<' looking for beginning of value when accepting github policy change
Bug report:
Vault version: 0.9.4
Goldfish version: 0.9.0
Operating system: osx
Steps to reproduce:
Expected behaviour: secrets page loaded without error
Actual behaviour: error is observed
Feature: Add option to get unwrapped token from environment or file
It would be great if Goldfish were able to get its vault token from either a file or an environment variable, in addition to the current way of retrieving it via a wrapped token or AppRole. This would enable the project to be hosted on Nomad using the built-in vault integration, which automatically generates a vault token and passes it to the container through the VAULT_TOKEN environment variable or a secret file containing the token.
error on login if it reaches a standby node
I have a vault configuration that does not use a LB in front, rather a simple rrdns to all available nodes. Using the vault_api_addr each node will also report its real address, and I believe allow them to redirect to the appropriate active node in the event a client resolves a standby.
On the vault client this functions perfectly: I can "vault auth" and always get an appropriate response.
On goldfish, however, selecting the "login" link I will randomly get the following warning:
This implies I have to point at the active vault, which doesn't seem proper? Or is there some way to tell goldfish it needs to be HA aware?
Add additional Dockerfiles and configs to use with docker-compose
Verified and tested locally when using docker-compose up, and the Goldfish UI was accessible at http://localhost:8080.
(Screenshot: example output of docker-compose up when running the stack and accessing it via a browser.)
wrapping token is not valid or does not exist
Goldfish version: v0.8.0 Vault version: v0.8.3
Lately our Goldfish container (see this comment on setup https://github.com/Caiyeon/goldfish/issues/190#issuecomment-352559276) has been giving the following message after running a few hours,
The goldfish role was set up following the guide in the wiki. The container is deployed by first getting its wrapping token from vault with,
and then bootstrapping with the command,
Am I setting the wrapping token incorrectly? Or is there a way to find out why the token keeps expiring? I don't think this is a bug necessarily and it was happening with goldfish v0.7.4, but any guidance would be appreciated.
Goldfish fails to connect to Vault to unwrap the secret-id when the Vault Cluster is in redirect HA mode
When the vault cluster is HA and set up to redirect to the leader instead of forwarding, Goldfish fails to follow redirects and results in failing to start due to the fact that it's hitting a standby node. The vault client should follow redirects.
Vault version: 0.7.3 Goldfish version: 0.5.1
Is Goldfish Proxy-Aware?
Hey everyone,
So I'm running Goldfish in an environment where all outbound traffic has to go through a proxy, and I'm trying to use the Slack webhook. Is there any config option I can pass to Goldfish to tell it where to proxy through?
Allow CA Cert+Path and Client Cert+Key for Vault in Goldfish config file
This allows passing in options from the goldfish config through to the eventual vault client config, which allows goldfish to communicate using TLS to a vault with a custom certificate authority.
How do I run this locally to connect to my cloud Vault?
I have a Vault running on Kubernetes that I port forward to https://localhost:8200. I have the TLS cert and the token on hand. I am able to connect to this with the official Vault UI and djenriquez/vault-ui.
I would like to run Goldfish locally and connect to this, however it has not been clear to me what I'm supposed to configure before I run npm run dev to properly connect. I get 500/502 errors. Any advice? Thank you.
Github integration not clear
I see some references to github integration - the request feature in the GUI and a few lines in the wiki, but no clear explanation of what this feature does or how it works. It sounds very exciting but I may be making undue assumptions.
Feature request: Add JWT support
Feature request:
Is this a front-end feature or backend? (or both?) both?
Description of feature: Please add support to enter JWT tokens to log in
Are you able to submit a pull request for this feature? no
Feature Request: Add HSTS HTTP header for security
When Qualys does a vulnerability scan on Goldfish, one of the vulns it reports is "Strict-Transport-Security HTTP Header missing". Could this be added?
Strict-Transport-Security "max-age=63072000; includeSubdomains;"
If I read the spec right, this should work both when GoldFish is running in HTTP mode (so the header is ignored) or HTTPS (where it does what it's supposed to).
Thanks!
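As an added example (not Goldfish's own code), this Go middleware emits the header value proposed above. It differs from the request in one respect: since browsers ignore Strict-Transport-Security received over plain HTTP, the header is only set when the request itself arrived over TLS, so a Goldfish instance in HTTP mode never advertises a policy it cannot honour. The host name in the test URLs is a placeholder.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// HSTSValue is the header value proposed in the issue: two years, subdomains included.
const HSTSValue = "max-age=63072000; includeSubdomains"

// WithHSTS adds Strict-Transport-Security to every response served over TLS.
// Browsers ignore HSTS received over plain HTTP (RFC 6797 section 8.1), so the
// header is only emitted when the connection itself is TLS. Behind a
// TLS-terminating reverse proxy r.TLS is nil; set the header at the proxy then.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", HSTSValue)
		}
		next.ServeHTTP(w, r)
	})
}

// HSTSHeaderFor drives the middleware with an in-memory request to target (an
// https:// target gives the request a non-nil TLS state, as httptest documents)
// and returns the Strict-Transport-Security value the client would receive.
func HSTSHeaderFor(target string) string {
	h := WithHSTS(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result().Header.Get("Strict-Transport-Security")
}
```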
Feature Request: Image Support
Feature request:
Not sure if it's just a frontend ticket, but should be possible ;)
Description of feature: Would be great to upload images via goldfish, e.g. for QR code for 2NFA and save them as secret.
Are you able to submit a pull request for this feature? yes
Feature Request: Write to multiple Vault clusters
We have several Vault clusters distributed at various locations around the world. We have implemented our own solution for replicating secrets out to each cluster. This works, but it would be nice if during login, Goldfish could authenticate versus multiple clusters at once. Then when the user adds/updates a secret, it is written simultaneously to all remote clusters.