What is this?
Goldfish answers many auditing and administration questions that the Vault API can't:
- Right now, are there any root tokens in Vault?
- Which policies, users, and tokens can access this particular secret path?
- The unseal admins are working from home, but we need a policy changed.
  - How do we generate a root token only for this change, and make sure it's revoked after?
- I store my policies on a GitHub repo. Can I deploy all my policies in one go?
- If I remove this secret/policy, will anybody's workflow break?
Seriously, the instructions fit on one screen!
- [x] Hot-loadable server settings from a provided vault endpoint
- [x] Displaying a vault endpoint as a 'bulletin board' on the homepage
- [x] Logging in with token, userpass, github, or LDAP
- [x] Secret Reading/editing/creating/listing
- [x] Auth Searching/creating/listing/deleting
- [x] Mounts Listing
- [x] Policies Searching/Listing
- [x] Encrypting and decrypting arbitrary strings using transit backend
- [x] DONE! Searching tokens by policy walkthrough
  - E.g. Display all tokens that have the policy 'admins'
- [x] DONE! Searching policy by rule walkthrough
  - E.g. Display all policies that can access 'secret/data*'
- [x] DONE! Request & approval based policy changes walkthrough
  - Users can place a policy change request in vault
  - Admins must then provide unseal tokens for that specific request
  - Upon reaching a set number, goldfish generates a root token, performs the edit, and revokes the root token
- [x] DONE! Terraform your vault walkthrough
  - Fetch a folder of policies from a commit in GitHub
  - Admins can enter their unseal tokens for approval to set vault policies according to policies found
  - Change dozens of policies in one go!
- [x] DONE! Resource dependency chain
  - E.g. Will removing a particular policy affect current users?
  - Will removing a mount or secret path affect current users?
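The "searching policy by rule" audit above, as an added example that is not Goldfish's own code: it reports which policies grant anything on a concrete path, applying Vault's most-specific-match rule so that a narrower `deny` overrides a broader glob. It assumes policies that use `capabilities` lists and only exact or trailing-`*` paths; `effectiveCaps`, `policiesGranting` and `samplePolicies` are hypothetical names, and the policies are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// stanza captures the path and capability list of one `path "..." { ... }` block.
var stanza = regexp.MustCompile(`path\s+"([^"]+)"\s*\{[^}]*capabilities\s*=\s*\[([^\]]*)\]`)

// effectiveCaps returns the capabilities of the most specific rule matching target.
func effectiveCaps(hcl, target string) string {
	best, caps := -1, ""
	for _, m := range stanza.FindAllStringSubmatch(hcl, -1) {
		score, prefix := -1, strings.TrimSuffix(m[1], "*")
		if prefix != m[1] && strings.HasPrefix(target, prefix) {
			score = len(prefix) // trailing glob: a longer prefix is more specific
		} else if m[1] == target {
			score = len(target) + 1 // an exact path outranks any glob
		}
		if score > best {
			best, caps = score, strings.TrimSpace(m[2])
		}
	}
	return caps
}

// policiesGranting lists (sorted) the policies whose winning rule is not a deny.
func policiesGranting(policies map[string]string, target string) []string {
	var hits []string
	for name, hcl := range policies {
		if c := effectiveCaps(hcl, target); c != "" && !strings.Contains(c, `"deny"`) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// samplePolicies is constructed for this example; it is not real policy data.
var samplePolicies = map[string]string{
	"admins":      `path "secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }`,
	"ci":          `path "secret/data/ci/*" { capabilities = ["read"] }`,
	"contractors": `path "secret/*" { capabilities = ["read"] } path "secret/data/db" { capabilities = ["deny"] }`,
	"dba":         `path "secret/data/db" { capabilities = ["read", "update"] }`,
}

func main() { fmt.Println(policiesGranting(samplePolicies, "secret/data/db")) } // [admins dba]
```

The `contractors` policy matches `secret/data/db` through its glob but is excluded, because its exact-path `deny` rule is the one that applies.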
```bash
# you'll need go (v1.9), nodejs (v8.2), and npm (v5)
go get github.com/caiyeon/goldfish

# running goldfish server in -dev will spin up a local vault instance for you
go run server.go -dev

# running goldfish frontend in dev mode will allow for hot-reload of frontend files
sudo npm install -g cross-env
npm run dev

# a browser window/tab should open, pointing directly to goldfish
```
Using a VM
A Vagrantfile is available as well.
You'll need Vagrant and VirtualBox. On Windows, a restart after installation is needed.
```bash
# if you wish to launch goldfish in a VM:
git clone https://github.com/Caiyeon/goldfish.git

# this will take a while
vagrant up --provision

# go to localhost:8080 on your local machine and login with token 'goldfish'

# changes to frontend .vue files will be hot-reloaded
# to force a full reload for the frontend, ssh into the machine and run
sudo systemctl restart goldfish_frontend.service

# to recompile and re-run the backend, ssh into the machine and run
sudo systemctl restart goldfish.service
```
You'll need Go (v1.9), Node.js (v8.2.0), and npm (v5).
Note that using different versions (of Node.js, especially) will cause differences in the final binary.
```bash
# download the source code
go get -d github.com/caiyeon/goldfish

# resetting to a tagged version is recommended
# no support will be given to arbitrary commits on the master branch
git fetch --all --tags --prune
git checkout tags/<version> # version could be, for example, v0.8.0

# compile the binary
```
Goldfish is in very active development.
Pull requests and feature requests are welcome. Feel free to suggest new workflows by opening issues.
* Bulma CSS
* Vue Admin
* Vault API wrapper
This server should behave as a goldfish, forgetting everything immediately after a request is completed. That, and other inside-joke reasons.
Credits for the goldfish icon go to Laurel Chan.