Vault-UI: v2
It has been over four months since our last post about Vault-UI and we have a bunch of exciting changes that have been implemented since then. But first, if you haven’t read the introductory post, read it here!
Since November, we have added a slew of new features and improved current functionality to help everyone manage their Vault deployments. We’ve received an enormous amount of positive feedback from the community, and honestly, we’re just happy that we can be a part of your solution!
First off: if you have a tech stack deployed somewhere and you haven’t heard of Vault then you’re definitely missing out. Vault is quickly becoming the industry standard for managing your org’s most sensitive information like credentials, TLS certs, and customer data. It’s a great tool, but as I mentioned in my initial post, it can have somewhat of a steep learning curve. This is where Vault-UI steps in, providing a open-source, community driven solution for managing your Vault deployment.
New Features
Integration of josdejong/jsoneditor
Vault’s base data structure is JSON. All secrets, configuration and state for Vault (that I’m aware of) can be defined with JSON. It only seems natural that we support this with josedejong’s JSON editor, released in 2.0.0. Now, users can modify their secrets and configuration with an awesome editor that will validate and format your JSON values.
Manage Secret Backends
Users now have the ability to add/delete secret backends. This allows adding additional generic paths such to provide better grouping or separation of concern. The example to the right will mount a generic mount on the “administration” for, you guessed it, administrative type secrets.
Mount Authentication Backends
Authentication backends can now be mounted and unmounted. We currently support configuring GitHub, AWS EC2, and Radius authentications. Note the difference from this and login methods into Vault-UI, which include Token, username/password, LDAP, and GitHub.
Policy Picker
Assigning policies to tokens and various authentication backends is made incredibly simple with the policy picker. This menu, available from all supported authentication backends, allow administrators to assign policies just by clicking them over to the selected side and saving.
Token and Role Management
Users can now view existing tokens and create/revoke raw tokens. Easy peasy.
GitHub Auth Backend Management
Organizations that utilize the GitHub authentication backend can now manage teams and users in the UI. We support full backend configuration options and user/team policy management.
GitHub authentication makes it very easy to give your team members access into Vault without having to distribute a new token every X days. As long as they’re members of your organization, you can give them the ability to login; talk about self-service. Vault-UI will give you the ability to manage these users and teams, and the policies they are assigned.
Radius Auth Backend Management
Organizations that use RADIUS to authenticate into Vault can manage it’s settings and users here. I honestly don’t know much about this one; this one came straight from a community feature request. More information can be found here: RADIUS Auth.
AWS EC2 Auth Backend Management
The AWS EC2 Authentication Backend is a powerful backend for AWS users. This allows instances to authenticate with Vault and pull secrets with Vault’s restful API. If you’re using Vault and AWS, you NEED to be using this. With AWS metadata, fetching a token for your instance is as simple as:
VAULT_TOKEN=$(curl https://$VAULT_ADDRESS/v1/auth/aws-ec2/login -d '{
"role": "'${VAULT_AWS_ROLE}'",
"pkcs7": "'$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')'",
"nonce": "nonce"
}' | jq -r .auth.client_token)MY_SECRET=curl -H "X-Vault-Token:${VAULT_TOKEN}" -X GET https://$VAULT_ADDRESS/v1/secret/my_secret | jq -r .data.value
Of course, more advanced use cases can be used to download things such as TLS certs for front-end servers, docker registry credentials, or other sensitive files for various needs. Seriously, check this feature out. You can look more into it here: AWS-EC2 Auth. Once you understand how it works, Vault-UI can help you manage your roles, policies and bounds!
Improved Secrets Wrapping
Remember those times when you need to give someone a password/token and you post it in some messaging platform and, if you can’t delete the digital trail, hope they delete it for you? It was little bit of a pain and probably not the most secure method of distribution. Luckily, Vault gives us the ability to wrap secrets such that the value wrapped can only be unwrapped once. With this, we can all have peace of mind knowing once the secret has been read, it can never be read again.
Secrets wrapping is a convenient way of distributing sensitive information and now, Vault-UI makes it even easier.
Any secret has the ability to be wrapped as shown to the right. Once a secret is wrapped, a link is provided that you can give the other party. Behind that link, Vault-UI will unwrap the secret and display it for the user. Vault-UI even gives you the ability to wrap raw data; it doesn’t have to exist as a secret, you can make it up as you go.
Navigating to the link returns this, value and all:
Recipients do not need to authenticate into Vault to unwrap this, so feel free to use this for the non-technical. Read more about secrets wrapping here: Response Wrapping.
Conclusion
The team has made some major improvements to Vault-UI. The features above are the most visible, but many others such as the backend, navigation, developing process, and overall UX have improved dramatically since our initial post. If you’re using Vault, you should give this project a try. It can found on Docker Hub and easily run with:
docker run -d \
-p 8000:8000 \
--name vault-ui \
djenriquez/vault-uiMany thanks to the community, especially our newest collaborator @msessa, who drove most of these features. Whether you’re a developer, graphic designer, technical writer, or just someone looking to learn something new, we are always looking for more contributors. Come send us a PR.
Until next time!