A HashiCorp Vault UI written with VueJS and Vault native Go API

  • By Tony Cai
  • Last update: Dec 18, 2022
  • Comments: 17

Goldfish Vault UI - Live Demo


What is this?

Goldfish - A HashiCorp Vault UI and workflow tool. pic.twitter.com/uVWLuQEBMi

— Kelsey Hightower (@kelseyhightower) August 21, 2017

Goldfish answers auditing and administration questions that the raw Vault API does not answer directly:

  • Right now, are there any root tokens in Vault?
  • Which policies, users, and tokens can access this particular secret path?
  • The unseal admins are working from home, but we need a policy changed.
    • How do we generate a root token only for this change, and make sure it's revoked after?
  • I store my policies on a Github repo. Can I deploy all my policies in one go? See more
  • If I remove this secret/policy, will anybody's workflow break?
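
The root-token-per-change question above (the same workflow appears under Major features as request and approval based policy changes), as an added Go example that is not Goldfish's code. It models the client side of Vault's generate-root flow as it worked in the Vault 0.x releases this page deals with: the requester keeps a base64-encoded 16-byte OTP, each admin's unseal key is sent to sys/generate-root/update together with the attempt's nonce, and the encoded_root_token Vault returns is the token UUID XOR'd with that OTP, so the people supplying unseal keys never learn the token. The HTTP calls themselves are left out; the token UUID, the key strings and the Approval type are constructed for the example, and later Vault releases changed the OTP and token format, so the decode applies to the 0.x scheme only.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault 0.x root tokens are UUIDs (16 raw bytes) and the OTP given to
// sys/generate-root/attempt must be a base64-encoded 16-byte value.
const otpLen = 16

// GenerateOTP makes the one-time pad the requester keeps to itself.
func GenerateOTP() (string, error) {
	b := make([]byte, otpLen)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// xorBase64 decodes two base64 strings of equal length and XORs them.
func xorBase64(a, b string) ([]byte, error) {
	ab, err := base64.StdEncoding.DecodeString(a)
	if err != nil {
		return nil, err
	}
	bb, err := base64.StdEncoding.DecodeString(b)
	if err != nil {
		return nil, err
	}
	if len(ab) != len(bb) {
		return nil, errors.New("encoded token and OTP differ in length")
	}
	out := make([]byte, len(ab))
	for i := range ab {
		out[i] = ab[i] ^ bb[i]
	}
	return out, nil
}

// EncodeRootToken reproduces Vault's server-side step (UUID bytes XOR OTP,
// then base64) so the decode path can be exercised offline.
func EncodeRootToken(token, otp string) (string, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(token, "-", ""))
	if err != nil || len(raw) != otpLen {
		return "", errors.New("token is not a UUID")
	}
	x, err := xorBase64(base64.StdEncoding.EncodeToString(raw), otp)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(x), nil
}

// DecodeRootToken is what `vault generate-root -decode=<encoded> -otp=<otp>`
// does; only the OTP holder can recover a usable token from encoded_root_token.
func DecodeRootToken(encoded, otp string) (string, error) {
	raw, err := xorBase64(encoded, otp)
	if err != nil {
		return "", err
	}
	if len(raw) != otpLen {
		return "", errors.New("decoded token is not 16 bytes")
	}
	return fmt.Sprintf("%x-%x-%x-%x-%x", raw[0:4], raw[4:6], raw[6:8], raw[8:10], raw[10:16]), nil
}

// Approval tracks the unseal keys admins submit for one change request; each
// goes to sys/generate-root/update with the attempt's nonce until Required is met.
type Approval struct {
	Required int
	keys     map[string]struct{}
}

// Add records a key and reports whether the threshold is met; the same key
// submitted twice counts once, so a single admin cannot approve alone.
func (a *Approval) Add(key string) bool {
	if a.keys == nil {
		a.keys = map[string]struct{}{}
	}
	a.keys[key] = struct{}{}
	return len(a.keys) >= a.Required
}

// Wipe drops the keys after use; the server should hold nothing afterwards.
func (a *Approval) Wipe() { a.keys = nil }

func main() {
	otp, _ := GenerateOTP()
	ap := &Approval{Required: 2}
	fmt.Println("threshold met:", ap.Add("key-a"), ap.Add("key-a"), ap.Add("key-b")) // constructed keys
	enc, _ := EncodeRootToken("6a6c3a1d-2c4e-4f1a-9a7e-1f2d3c4b5a69", otp)         // stands in for encoded_root_token
	tok, _ := DecodeRootToken(enc, otp)
	fmt.Printf("encoded=%s decoded=%s\n", enc, tok) // use tok, then POST auth/token/revoke-self
	ap.Wipe()
}
```

The decoded token carries the root policy and no TTL, which is why the workflow revokes it (auth/token/revoke-self) the moment the policy edit is applied, and why the OTP and the collected unseal keys should live only in memory for the life of the request.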

Deploy goldfish in production in minutes!

Seriously, the instructions fit on one screen!

Features

  • Hot-loadable server settings from a provided vault endpoint
  • Displaying a vault endpoint as a 'bulletin board' in homepage
  • Logging in with token, userpass, github, or LDAP
  • Secret reading/editing/creating/listing
  • Auth searching/creating/listing/deleting
  • Mount listing
  • Policy searching/listing
  • Encrypting and decrypting arbitrary strings using transit backend

Major features: See wiki for more

  • DONE! Searching tokens by policy walkthrough
    • E.g. Display all tokens that have the policy 'admins'
  • DONE! Searching policy by rule walkthrough
    • E.g. Display all policies that can access 'secret/data*'
  • DONE! Request & approval based policy changes walkthrough
    • Users can place a policy change request in vault
    • Admins must then provide their unseal keys for that specific request
    • Once the required number of unseal keys has been collected, goldfish generates a root token, performs the edit, and revokes the root token
  • DONE! Terraform your vault walkthrough
    • Fetch a folder of policies from a commit in github
    • Admins can enter their unseal keys to approve setting vault policies according to the policies found
    • Change dozens of policies in one go!
  • DONE! Resource dependency chain
    • E.g. Will removing a particular policy affect current users?
    • Will removing a mount or secret path affect current users?
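
The policy and token searches listed above (which policies can reach a path, which tokens hold a policy, and the dependency question of whose workflow breaks if a policy or secret path is removed), as an added Go example that is not Goldfish's code. Policies are given in the JSON form Vault also accepts, and both the policy set and the token inventory are constructed for the example; matching covers exact rules and trailing-glob rules with Vault's longest-prefix and deny-wins semantics, but not the special root policy or the segment wildcards later Vault versions added.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Policy is the JSON form of a Vault ACL policy (Vault accepts JSON and HCL).
type Policy struct {
	Path map[string]struct {
		Capabilities []string `json:"capabilities"`
	} `json:"path"`
}

// SamplePolicies is constructed data standing in for GET sys/policy/<name>.
var SamplePolicies = map[string]string{
	"admins":   `{"path":{"secret/*":{"capabilities":["create","read","update","delete","list"]},"sys/*":{"capabilities":["read"]}}}`,
	"app":      `{"path":{"secret/data/app/*":{"capabilities":["read"]}}}`,
	"readonly": `{"path":{"secret/*":{"capabilities":["read","list"]},"secret/data/hr/*":{"capabilities":["deny"]}}}`,
	"default":  `{"path":{"auth/token/lookup-self":{"capabilities":["read"]}}}`,
}

// SampleTokens is constructed data (accessor -> policies), the shape you get
// from LIST auth/token/accessors plus a lookup of each accessor.
var SampleTokens = map[string][]string{
	"acc-ops":   {"default", "admins"},
	"acc-app":   {"default", "app"},
	"acc-audit": {"default", "readonly"},
}

// capabilitiesFor applies Vault's ACL matching for one policy: an exact rule
// wins; otherwise the glob rule (trailing '*') with the longest matching
// prefix applies; no match yields no capabilities.
func capabilitiesFor(p Policy, path string) []string {
	if rule, ok := p.Path[path]; ok {
		return rule.Capabilities
	}
	var best []string
	bestLen := -1
	for rulePath, rule := range p.Path {
		if !strings.HasSuffix(rulePath, "*") {
			continue
		}
		prefix := strings.TrimSuffix(rulePath, "*")
		if strings.HasPrefix(path, prefix) && len(prefix) > bestLen {
			best, bestLen = rule.Capabilities, len(prefix)
		}
	}
	return best
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// allows reports whether caps grant want; a "deny" capability overrides everything.
func allows(caps []string, want string) bool {
	return !contains(caps, "deny") && contains(caps, want)
}

// PoliciesThatCan lists (sorted) the policies granting capability on path.
func PoliciesThatCan(policies map[string]string, path, capability string) ([]string, error) {
	var out []string
	for name, raw := range policies {
		var p Policy
		if err := json.Unmarshal([]byte(raw), &p); err != nil {
			return nil, fmt.Errorf("policy %q: %w", name, err)
		}
		if allows(capabilitiesFor(p, path), capability) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

// TokensWithAnyPolicy lists the accessors holding at least one of names. With
// one name it answers "all tokens that have policy X"; fed the output of
// PoliciesThatCan it answers "who can reach this path", which is also the
// list of workflows that break if that policy or secret path is removed.
func TokensWithAnyPolicy(tokens map[string][]string, names []string) []string {
	var out []string
	for accessor, pols := range tokens {
		for _, p := range pols {
			if contains(names, p) {
				out = append(out, accessor)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}
```

Running PoliciesThatCan(SamplePolicies, "secret/data/hr/salaries", "read") returns only admins, because readonly's longer "secret/data/hr/*" deny rule outranks its "secret/*" read rule; feeding that result to TokensWithAnyPolicy gives the single accessor that would lose access if the admins policy were deleted. Against a real Vault the inputs come from sys/policy and auth/token/accessors, which needs a token allowed to list and look up other tokens.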

Screenshots

Developing Goldfish

Running locally

You'll need go (v1.9), nodejs (v8.2), and npm (v5)

# clone goldfish
go get github.com/caiyeon/goldfish
cd $GOPATH/src/github.com/caiyeon/goldfish

# running goldfish server in -dev will spin up a local vault instance for you
# (a dev-mode vault is in-memory, starts unsealed and uses a well-known root token,
#  so it is for development only and must never hold real secrets)
go run server.go -dev

# running goldfish frontend in dev mode will allow for hot-reload of frontend files
cd frontend
sudo npm install -g cross-env
npm install
npm run dev

# a browser window/tab should open, pointing directly to goldfish

Using a VM

A vagrantfile is available as well

You'll need Vagrant and VirtualBox. On Windows, a restart after installation is needed.

# if you wish to launch goldfish in a VM:
git clone https://github.com/Caiyeon/goldfish.git
cd goldfish/vagrant

# this will take awhile
vagrant up --provision

# go to localhost:8080 on your local machine and login with token 'goldfish'

# changes to frontend .vue files will be hot-reloaded
# to force a full reload for the frontend, ssh into the machine and run
#     `sudo systemctl restart goldfish_frontend.service`
# to recompile and re-run the backend, ssh into the machine and run
#     `sudo systemctl restart goldfish.service`

Compiling

You'll need Go (v1.9), Node.js (v8.2.0), and npm (v5)

Note that building with different versions (of Node.js especially) produces a different final binary, so the build is not reproducible across toolchain versions; use the versions above if you need to compare your build against a release.

# download the source code
go get -d github.com/caiyeon/goldfish
cd $GOPATH/src/github.com/caiyeon/goldfish

# resetting to a tagged version is recommended
# no support will be given to arbitrary commits on the master branch
git fetch --all --tags --prune
git checkout tags/<version> # version could be, for example, v0.8.0

# compile the binary
sh build.sh

Development

Goldfish is in very active development.

Pull requests and feature requests are welcome. Feel free to suggest new workflows by opening issues.

Components

Frontend:

  • VueJS
  • Bulma CSS
  • Vue Admin

Backend:

Design

See: Architecture

Why 'Goldfish'?

This server should behave like a goldfish, forgetting everything immediately after a request is completed. That, and other inside-joke reasons.

Credits for the goldfish icon goes to Laurel Chan

Github

https://github.com/Caiyeon/goldfish

Comments(17)

  • 1

    Official Docker Image

    Currently there is a Dockerfile in the repository but there is no official distribution of this image on Docker Hub.

    We are also maintaining one under themobilelife/goldfish but I think it would be better if there was an official one maintained on Docker Hub.

  • 2

    "Error: Goldfish could not use transit key"

    Hi, Tony. I upgraded from Goldfish 0.4.1 to 0.5.0 last week, and everything was working fine. This morning when I go to login, I'm getting this:

    Error: 500 Goldfish could not use transit key

    Is there an expiration problem or key-refresh issue that's not happening?

    Thanks for all your work.

  • 3

    Failed to unwrap provided token

    Moved up to 0.4.0 and I'm now getting this every time I launch goldfish, be it via systemd or straight from the command line.

    panic: Failed to unwrap provided token, revoke it if possible
    
    goroutine 1 [running]:
    main.main()
    	/Users/tony/work/src/github.com/caiyeon/goldfish/server.go:77 +0x1dd
    

    config.hcl contents:

    listener "tcp" {
      address       = "url"
      tls_cert_file = "/etc/letsencrypt/live/cert_path/cert.pem"
      tls_key_file  = "/etc/letsencrypt/live/key_path/privkey.pem"
    }
    vault {
      address       = "vault_url:8200"
    }
    
  • 4

    Bug: 500 invalid character '<' looking for beginning of value when accepting github policy change

    Bug report:

    Vault version: 0.9.4

    Goldfish version: 0.9.0

    Operating system: osx

    Steps to reproduce:

    1. Change a loaded policy in github
    2. go to requests
    3. enter commit sha
    4. accept change
    5. navigate to secrets

    Expected behaviour: secrets page loaded without error

    Actual behaviour: error is observed

  • 5

    Feature: Add option to get unwrapped token from environment or file

    It would be great if Goldfish were able to get its vault token from either a file or environment variable, in addition to the current way of retrieving it via a wrapped token or AppRole. This would enable the project to be hosted on Nomad using the built-in vault integration, which automatically generates a vault token and passes it to the container through the VAULT_TOKEN environment variable or a secret file containing the token.

  • 6

    error on login if it reaches a standby node

    I have a vault configuration that does not use a LB in front, rather a simple rrdns to all available nodes. Using the vault_api_addr each node will also report its real address, and I believe this allows them to redirect to the appropriate active node in the event a client resolves a standby.

    On the vault client this functions perfectly: I can "vault auth" and always get an appropriate response.

    On Goldfish, however, selecting the "login" link I will randomly get the following warning:

    Error making API request. URL: GET https://<generic.url>:8200/v1/sys/health Code: 429. Errors:
    

    This implies I have to point at the active vault, which doesn't seem proper? Or is there some way to tell goldfish it needs to be HA aware?

  • 7

    Add additional Dockerfiles and configs to use with docker-compose

    Verified and tested locally when using docker-compose up and Goldfish UI was accessible at http://localhost:8080.

    example output of docker-compose up when running the stack and accessing it via a browser.

    docker-compose up
    Creating docker_vault_1
    Creating docker_goldfish_1
    Creating docker_goldfish-frontend_1
    Attaching to docker_vault_1, docker_goldfish_1, docker_goldfish-frontend_1
    vault_1              | ==> Vault server configuration:
    vault_1              |
    vault_1              |                      Cgo: disabled
    vault_1              |          Cluster Address: https://0.0.0.0:8201
    vault_1              |               Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
    vault_1              |                Log Level: info
    vault_1              |                    Mlock: supported: true, enabled: false
    vault_1              |         Redirect Address: http://0.0.0.0:8200
    vault_1              |                  Storage: inmem
    vault_1              |                  Version: Vault v0.7.3
    vault_1              |              Version Sha: 0b20ae0b9b7a748d607082b1add3663a28e31b68
    vault_1              |
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    vault_1              | 2017/06/23 05:58:21.553980 [INFO ] core: security barrier not initialized
    100    18    0     0  100    18      0   3735 --:--:-- --:--:-- --:--:--  4500
    vault_1              | 2017/06/23 05:58:21.554365 [INFO ] core: security barrier initialized: shares=1 threshold=1
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    vault_1              | 2017/06/23 05:58:21.554507 [INFO ] core: post-unseal setup starting
    vault_1              | 2017/06/23 05:58:21.565039 [INFO ] core: loaded wrapping token key
    vault_1              | 2017/06/23 05:58:21.568078 [INFO ] core: successfully mounted backend: type=generic path=secret/
    vault_1              | 2017/06/23 05:58:21.568096 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
    vault_1              | 2017/06/23 05:58:21.568180 [INFO ] core: successfully mounted backend: type=system path=sys/
    vault_1              | 2017/06/23 05:58:21.568359 [INFO ] rollback: starting rollback manager
    vault_1              | 2017/06/23 05:58:21.569132 [INFO ] expiration: restoring leases
    vault_1              | 2017/06/23 05:58:21.571304 [INFO ] core: post-unseal setup complete
    vault_1              | 2017/06/23 05:58:21.571476 [INFO ] core: root token generated
    vault_1              | 2017/06/23 05:58:21.571483 [INFO ] core: pre-seal teardown starting
    vault_1              | 2017/06/23 05:58:21.571499 [INFO ] core: cluster listeners not running
    100    18    0     0  100    18      0   6893 --:--:-- --:--:-- --:--:-- 18000
    vault_1              | 2017/06/23 05:58:21.571517 [INFO ] rollback: stopping rollback manager
    vault_1              | 2017/06/23 05:58:21.571561 [INFO ] core: pre-seal teardown complete
    vault_1              | 2017/06/23 05:58:21.571637 [INFO ] core: vault is unsealed
    vault_1              | 2017/06/23 05:58:21.571666 [INFO ] core: post-unseal setup starting
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    vault_1              | 2017/06/23 05:58:21.571720 [INFO ] core: loaded wrapping token key
    vault_1              | 2017/06/23 05:58:21.571853 [INFO ] core: successfully mounted backend: type=generic path=secret/
    100   225    0     0  100   225      0   152k --:--:-- --:--:-- --:--:--  219k
    vault_1              | ==> WARNING: Dev mode is enabled!
    vault_1              |
    vault_1              | In this mode, Vault is completely in-memory and unsealed.
    vault_1              | Vault is configured to only have a single unseal key. The root
    vault_1              | token has already been authenticated with the CLI, so you can
    vault_1              | immediately begin using the Vault CLI.
    vault_1              |
    vault_1              | The only step you need to take is to set the following
    vault_1              | environment variables:
    vault_1              |
    vault_1              |     export VAULT_ADDR='http://0.0.0.0:8200'
    vault_1              |
    vault_1              | The unseal key and root token are reproduced below in case you
    vault_1              | want to seal/unseal the Vault or play with authentication.
    vault_1              |
    vault_1              | Unseal Key: LSSPrCHY/ixySakn7Kp5SbAt0c3g+4PCzTE7AWK+0kM=
    vault_1              | Root Token: goldfish
    vault_1              |
    vault_1              | ==> Vault server started! Log data will stream in below:
    vault_1              |
    vault_1              | 2017/06/23 05:58:21.571928 [INFO ] core: successfully mounted backend: type=system path=sys/
    vault_1              | 2017/06/23 05:58:21.571945 [INFO ] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
    vault_1              | 2017/06/23 05:58:21.572092 [INFO ] rollback: starting rollback manager
    vault_1              | 2017/06/23 05:58:21.572412 [INFO ] expiration: restoring leases
    vault_1              | 2017/06/23 05:58:21.572769 [INFO ] core: post-unseal setup complete
    vault_1              | 2017/06/23 05:58:22.127321 [INFO ] core: successful mount: path=transit/ type=transit
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    vault_1              | 2017/06/23 05:58:22.133197 [INFO ] core: enabled credential backend: path=approle/ type=approle
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    100   122    0     0  100   122      0  38006 --:--:-- --:--:-- --:--:-- 61000
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    100    22    0     0  100    22      0  13025 --:--:-- --:--:-- --:--:-- 22000
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    100   178    0     0  100   178      0  73130 --:--:-- --:--:-- --:--:--  173k
    goldfish_1           |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    goldfish_1           |                                  Dload  Upload   Total   Spent    Left  Speed
    100   228  100   228    0     0  46644      0 --:--:-- --:--:-- --:--:-- 57000
    goldfish_1           | 2017/06/23 05:58:22 [INFO ]: Server token accessor: e0eb5905-f25b-2ba0-ce21-1803211bf28d
    goldfish_1           | 2017/06/23 05:58:22 Goldfish config reloaded
    goldfish_1           | Goldfish version: v0.4.0
    goldfish_1           | Goldfish successfully bootstrapped to vault
    goldfish_1           |
    goldfish_1           |   .
    goldfish_1           |   ...             ...
    goldfish_1           |   .........       ......
    goldfish_1           |    ...........   ..........
    goldfish_1           |      .......... ...............
    goldfish_1           |      .............................
    goldfish_1           |       .............................
    goldfish_1           |          ...........................
    goldfish_1           |         ...........................
    goldfish_1           |         ..........................
    goldfish_1           |         ...... ..................
    goldfish_1           |       ......    ...............
    goldfish_1           |      ..        ..      ....
    goldfish_1           |     .                 ..
    goldfish_1           |
    goldfish_1           |
    goldfish_1           | ⇨ http server started on [::]:8000
    goldfish-frontend_1  | 172.19.0.1 - - [23/Jun/2017:06:00:52 +0000] "GET /api/login/csrf HTTP/1.1" 200 20 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4" "-"
    goldfish_1           | {"time":"2017-06-23T06:00:52.377168792Z","remote_ip":"172.19.0.1","host":"localhost","method":"GET","uri":"/api/login/csrf","status":200, "latency":84,"latency_human":"84.699µs","bytes_in":0,"bytes_out":20}
    goldfish_1           | {"time":"2017-06-23T06:00:52.379753509Z","remote_ip":"172.19.0.1","host":"localhost","method":"GET","uri":"/api/health","status":200, "latency":2783,"latency_human":"2.783979ms","bytes_in":0,"bytes_out":225}
    goldfish-frontend_1  | 172.19.0.1 - - [23/Jun/2017:06:00:52 +0000] "GET /api/health HTTP/1.1" 200 225 "http://localhost:8080/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4" "-"
    
  • 8

    wrapping token is not valid or does not exist

    Goldfish version: v0.8.0 Vault version: v0.8.3

    Lately our Goldfish container (see this comment on setup https://github.com/Caiyeon/goldfish/issues/190#issuecomment-352559276) has been giving the following message after running a few hours,

    12/1/2017 5:19:53 AM URL: PUT https://vault.ourdomain.com:8200/v1/sys/wrapping/unwrap
    12/1/2017 5:19:53 AM Code: 400. Errors:
    12/1/2017 5:19:53 AM
    12/1/2017 5:19:53 AM * wrapping token is not valid or does not exist
    12/1/2017 5:19:58 AM 2017/12/01 13:19:58 [ERROR]: Bootstrapping goldfish Failed to unwrap provided token, revoke it if possible
    12/1/2017 5:19:58 AM Reason:Error making API request.
    

    The goldfish role was set up following the guide in the wiki. The container is deployed by first getting its wrapping token from vault with,

    export GOLDFISH_TOKEN=`vault write -f -format=json -wrap-ttl=5m auth/approle/role/goldfish/secret-id | jq -r .wrap_info.token`
    

    and then bootstrapping with the command,

    goldfish -config=/app/config.hcl -token=${GOLDFISH_TOKEN}
    

    Am I setting the wrapping token incorrectly? Or is there a way to find out why the token keeps expiring? I don't think this is a bug necessarily and it was happening with goldfish v0.7.4, but any guidance would be appreciated.

  • 9

    Goldfish fails to connect to Vault to unwrap the secret-id when the Vault Cluster is in redirect HA mode

    When the vault cluster is HA and setup to redirect to the leader instead of forwarding, Goldfish fails to follow redirects and results in failing to start due to the fact that it's hitting a standby node. The vault client should follow redirects.

    Vault version: 0.7.3 Goldfish version: 0.5.1

  • 10

    Is Goldfish Proxy-Aware?

    Hey everyone,

    So I'm running Goldfish in an environment where all outbound traffic has to go through a proxy, and I'm trying to use the Slack webhook. Is there any config option I can pass to Goldfish to tell it where to proxy through?

  • 11

    Allow CA Cert+Path and Client Cert+Key for Vault in Goldfish config file

    This allows passing in options from the goldfish config through to the eventual vault client config, which allows goldfish to communicate using TLS to a vault with a custom certificate authority.

  • 12

    How do I run this locally to connect to my cloud Vault?

    I have a Vault running on Kubernetes that I port forward to https://localhost:8200. I have the TLS cert and the token on hand. I am able to connect to this with the official Vault UI and djenriquez/vault-ui.

    I would like to run Goldfish locally and connect to this, however it has not been clear to me what I'm supposed to configure before I run npm run dev to properly connect. I get 500/502 errors.

    Any advice? Thank you.

  • 13

    Github integration not clear

    I see some references to github integration - the request feature in the GUI and a few lines in the wiki, but no clear explanation of what this feature does or how it works. It sounds very exciting but I may be making undue assumptions.

  • 14

    Feature request: Add JWT support

    Feature request:

    Is this a front-end feature or backend (or both)? Both

    Description of feature: Please add support for logging in with JWT tokens

    Are you able to submit a pull request for this feature? no

  • 15

    Feature Request: Add HSTS HTTP header for security

    When Qualys does a vulnerability scan on Goldfish, one of the vulns it reports is "Strict-Transport-Security HTTP Header missing". Could this be added?

    Strict-Transport-Security "max-age=63072000; includeSubdomains;"

    If I read the spec right, this should work both when GoldFish is running in HTTP mode (so the header is ignored) or HTTPS (where it does what it's supposed to).

    Thanks!
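
The header requested above, as an added Go example that is not Goldfish's code: a net/http middleware that any handler chain can wrap, emitting Strict-Transport-Security only on responses served over TLS, since RFC 6797 has clients ignore the header on plain HTTP anyway. The header value is the one from the comment and is an assumption for your deployment; HeaderFor and the goldfish.example host are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// HSTSValue is the value proposed in the comment: two years, with subdomains.
// Treat it as an assumption to adjust per deployment.
const HSTSValue = "max-age=63072000; includeSubDomains"

// HSTS wraps a handler and adds Strict-Transport-Security to responses that
// were served over TLS. r.TLS is set by net/http only on a TLS listener, so a
// plain-HTTP deployment never advertises an HTTPS origin it does not have.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", HSTSValue)
		}
		next.ServeHTTP(w, r)
	})
}

// HeaderFor sends one constructed request through the middleware and returns
// the Strict-Transport-Security value a client would receive.
func HeaderFor(overTLS bool) string {
	h := HSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "http://goldfish.example/", nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{} // what the server sets on a TLS listener
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Strict-Transport-Security")
}

func main() {
	fmt.Printf("over TLS:   %q\n", HeaderFor(true))
	fmt.Printf("plain HTTP: %q\n", HeaderFor(false))
}
```

If TLS terminates at a reverse proxy in front of Goldfish, r.TLS is nil on every request; in that layout either set the header at the proxy or key the check on X-Forwarded-Proto, and only when the proxy is the sole path to the listener so the header cannot be spoofed by a direct client.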

  • 16

    Feature Request: Image Support

    Feature request:

    Not sure if it's just a frontend ticket, but should be possible ;)

    Description of feature: Would be great to upload images via goldfish, e.g. a QR code for 2FA, and save them as a secret.

    Are you able to submit a pull request for this feature? yes

  • 17

    Feature Request: Write to multiple Vault clusters

    We have several Vault clusters distributed at various locations around the world. We have implemented our own solution for replicating secrets out to each cluster. This works, but it would be nice if during login, Goldfish could authenticate against multiple clusters at once. Then when the user adds/updates a secret, it is written simultaneously to all remote clusters.