Skip to content
This repository has been archived by the owner. It is now read-only.
A HashiCorp Vault UI written with VueJS and Vault native Go API
Vue Go JavaScript CSS
Branch: master
Clone or download
Latest commit 87e23e9 Sep 4, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
docker Update May 16, 2018
frontend Fixed secret key pair deletion bug. Closed #254 Mar 8, 2018
handlers Added revoke-self backend logic Feb 14, 2018
server Added revoke-self backend logic Feb 14, 2018
slack go fmt Jun 29, 2017
vendor Updated vault API to v0.9.3 Jan 31, 2018
.gitattributes Updated gitattributed Sep 18, 2017
.gitignore Create Mar 29, 2018
LICENSE Npm packages no longer updated every build Oct 10, 2017
circle.yml Updated to circleci2 Jun 2, 2018
server.go Fixed log formatting Jun 2, 2018

Goldfish Vault UI - Live Demo

Share this repo with your colleagues!

What is this?

Goldfish - A HashiCorp Vault UI and workflow tool.

— Kelsey Hightower (@kelseyhightower) August 21, 2017

Goldfish answers many auditing and administration questions that Vault API can't:

  • Right now, are there any root tokens in Vault?
  • Which policies, users, and tokens can access this particular secret path?
  • The unseal admins are working from home, but we need a policy changed.
    • How do we generate a root token only for this change, and make sure it's revoked after?
  • I store my policies on a Github repo. Can I deploy all my policies in one go? See more
  • If I remove this secret/policy, will anybody's workflow break?

Deploy goldfish in production in minutes!

Seriously, the instructions fit on one screen!


  • Hot-loadable server settings from a provided vault endpoint
  • Displaying a vault endpoint as a 'bulletin board' in homepage
  • Logging in with token, userpass, github, or LDAP
  • Secret Reading/editing/creating/listing
  • Auth Searching/creating/listing/deleting
  • Mounts Listing
  • Policies Searching/Listing
  • Encrypting and decrypting arbitrary strings using transit backend

Major features: See wiki for more

  • DONE! Searching tokens by policy walkthrough
    • E.g. Display all tokens that have the policy 'admins'
  • DONE! Searching policy by rule walkthrough
    • E.g. Display all policies that can access 'secret/data*'
  • DONE! Request & approval based policy changes walkthrough
    • Users can place a policy change request in vault
    • Admins must then provide unseal tokens for that specific request
    • Upon reaching a set number, goldfish generates a root token, performs edit, and revokes the root token
  • DONE! Terraform your vault walkthrough
    • Fetch a folder of policies from a commit in github
    • Admins can enter their unseal tokens for approval to set vault policies according to policies found
    • Change dozens of policies in one go!
  • DONE! Resource dependency chain
    • E.g. Will removing a particular policy affect current users?
    • Will removing a mount or secret path affect current users?


Developing Goldfish

Running locally

You'll need go (v1.9), nodejs (v8.2), and npm (v5)

# hashicorp vault ui

# clone goldfish
go get
cd $GOPATH/src/

# running goldfish server in -dev will spin up a local vault instance for you
go run server.go -dev

# running goldfish frontend in dev mode will allow for hot-reload of frontend files
cd frontend
sudo npm install -g cross-env
npm install
npm run dev

# a browser window/tab should open, pointing directly to goldfish

Using a VM

A vagrantfile is available as well

You'll need Vagrant and VirtualBox. On Windows, a restart after installation is needed.

# if you wish to launch goldfish in a VM:
git clone
cd goldfish/vagrant

# this will take awhile
vagrant up --provision

# go to localhost:8080 on your local machine and login with token 'goldfish'

# changes to frontend .vue files will be hot-reloaded
# to force a full reload for the frontend, ssh into the machine and run
#     `sudo systemctl restart goldfish_frontend.service`
# to recompile and re-run the backend, ssh into the machine and run
#     `sudo systemctl restart goldfish.service`


You'll need Go(v1.9), Nodejs (v8.2.0), Npm (v5)

Note that using different versions (of nodeJS, especially) will cause differences in the final binary.

# download the source code
go get -d
cd $GOPATH/src/

# resetting to a tagged version is recommended
# no support will be given to arbitrary commits on the master branch
git fetch --all --tags --prune
git checkout tags/<version> # version could be, for example, v0.8.0

# compile the binary


Goldfish is in very active development.

Pull requests and feature requests are welcome. Feel free to suggest new workflows by opening issues.



  • VueJS
  • Bulma CSS
  • Vue Admin



See: Architecture

Sponsored by

Why 'Goldfish'?

This server should behave as a goldfish, forgetting everything immediately after a request is completed. That, and other inside-joke reasons.

Credits for the goldfish icon goes to Laurel Chan

You can’t perform that action at this time.