Browse secrets. Visualize policies. Share securely. Manage Vault with confidence.
Getting Started Β· Features Β· Screenshots Β· Deployment Β· Contributing
β οΈ Beta Notice: VaultLens is currently in beta and under heavy development.
Note: VaultLens is a community-maintained project and has no affiliation with HashiCorp. It is an independent open-source tool built to enhance the Vault user experience.
VaultLens is a powerful, open-source web UI for HashiCorp Vault that goes beyond the built-in Vault UI. It provides intuitive secret management, interactive policy visualizations, secure password sharing, automated secret rotation, backup/restore, webhook notifications, and a unified view of your Vault infrastructure β all from a single, lightweight application.
I created VaultLens because my organization needed a modern, user-friendly interface for Vault that the native UI didn't provide. As someone who has benefited from countless open-source projects, this is my contribution back to the communityβbuilt with the hope it will help others manage Vault with greater confidence and ease.
| Native Vault UI | VaultLens | |
|---|---|---|
| Secret browsing | Basic KV UI | Full KV v1/v2 with metadata editing |
| Policy visualization | Raw HCL text | Interactive relationship graphs |
| Secret sharing | Not available | End-to-end encrypted sharing via link |
| Identity explorer | Basic listing | Entity β Group β Policy graph |
| Permission testing | CLI only | Visual permission tester with graph |
| Custom branding | Not available | Custom logo, colors, app name |
| Audit log viewer | File-based only | Searchable, filterable web UI |
| Secret rotation | Not available | Automated password rotation scheduler |
| Backup & restore | Not available | Full KV backup with scheduling |
| Webhooks | Not available | Audit-driven webhook notifications |
| Deployment | Built into Vault | Standalone β Docker, Compose, Helm |
Browse and manage secrets across all KV v1 and v2 engines. Create, edit, merge, and delete secrets with a clean interface. View and edit version info and custom metadata.
Restricted-access partial updates: When a user can navigate to a secret path (via list permission) but lacks read permission on the secret itself, VaultLens still displays the secret's field names (keys) without exposing values. The user can then perform a Partial Update β modifying individual fields without ever seeing the existing values. The backend reads the current secret with the system token, merges the user's changes, and writes back using the user's own token, so Vault's ACL policies still control write access.
Explore your Vault's structure through interactive node graphs powered by React Flow:
- Auth β Role β Policy β How authentication methods connect to policies
- Policy β Secret Path β Which policies grant access to which paths
- Identity Chain β Entity β Group β Policy relationships
Select any entity, enter a path and operation, and instantly see whether access is allowed or denied β with a full graph showing which policies contribute to the decision.
Browse entities, groups, aliases, and their policy attachments. Explore the current user's identity chain with a visual graph.
View, parse, and understand Vault ACL policies. See all path rules and their capabilities in a structured breakdown.
List, configure, and tune all auth methods. Browse roles and their associated policies directly in the UI.
Automatically rotate KV v2 secret values on a schedule using Vault's custom metadata. Set rotate-interval metadata on any secret and VaultLens handles the rest.
Create instant or scheduled full backups of all KV secrets. Restore from any saved backup with one click.
Configure webhooks to be notified when secrets at specific paths are modified. VaultLens monitors the Vault audit log and fires HTTP POST requests with HMAC-signed payloads.
View Vault health, seal status, version, storage backend, token counts, entity counters, and request metrics β all in one place.
Browse Vault audit logs with full-text search, operation filtering, request/response detail inspection, and clickable resource links.
Customize VaultLens with your organization's logo, primary and secondary colors, and application name.
Share secrets safely with anyone β even people without Vault access. Secrets are encrypted in your browser using OpenPGP before leaving your machine. The server never sees the plaintext. Recipients open a link and decrypt entirely in their browser.
- End-to-end encrypted (OpenPGP AES-256)
- Configurable expiration (1 hour to 7 days)
- One-time view option β self-destructs after first retrieval
- No login required for recipients
Secrets Engines list showing KV v1/v2 and cubbyhole engines with type badges and accessor IDs.
Secret detail view β field names are visible but values are masked. Metadata panel shows version info, creation/update times, and editable custom metadata.
Auth Methods list showing type, description, and accessor for all configured authentication methods.
Auth method detail β browsing roles on the Kubernetes auth method with Roles, Configuration, and Method Options tabs.
ACL Policies list with all policies including vaultlens-admin, default, and root.
Entities list showing identity entities with their UUIDs.
Groups list showing identity groups with their UUIDs.
Identity Chain β visual graph of the current user's entity, group memberships, policies, and permitted secret paths.
Auth β Role β Policy graph: interactive React Flow diagram showing how auth methods (blue) connect through roles (orange) to policies (green).
Permission Tester β select any entity, specify a path and operation, and get an instant visual allow/deny result. The graph shows the full policy evaluation chain.
Vault Analytics β cluster health, seal status, version, storage backend, resource counts (engines, auth methods, policies, entities, groups), and internal counters.
Audit Log Viewer β searchable and filterable log with operation type badges, path links, remote address, user, entity, and expandable request/response detail panels.
Secret Auto-Rotation β scheduler status with last/next check times, and instructions for registering secrets via KV v2 custom metadata (rotate-interval, rotate-format).
Backup & Restore β backup schedule configuration with interval selector, list of saved backups with size, creation date, and one-click restore/delete actions.
Webhooks β configure HTTP endpoints to be notified when secrets at matching paths are modified, with HMAC-signed payloads.
Share a Secret β end-to-end encrypted secret sharing with configurable expiration and one-time-view option. The decryption key is only in the share URL fragment and never sent to the server.
Branding β customize the application name, logo, primary color, secondary color, and background color with a live preview panel.
# Create persistent volumes for config and backups
docker volume create vaultlens_config
docker volume create vaultlens_backups
docker run -d \
--name vaultlens \
-p 3001:3001 \
-e VAULT_ADDR=http://your-vault-server:8200 \
-e VAULT_SYSTEM_TOKEN=your-system-token \
-e VAULTLENS_CONFIG_STORAGE=file \
-e VAULTLENS_CONFIG_PATH=/config \
-e VAULTLENS_BACKUP_PATH=/backups \
-v vaultlens_config:/config \
-v vaultlens_backups:/backups \
ghcr.io/Jasonrve/vaultlens:latestOpen http://localhost:3001 and log in with your Vault token.
# Set required variables
export VAULT_ADDR=http://your-vault-server:8200
export VAULT_SYSTEM_TOKEN=your-system-token
docker compose up -dThe included docker-compose.yml creates two named volumes automatically:
vaultlens_configβ persists branding, webhooks, and rotation config (/config)vaultlens_backupsβ persists backup JSON files (/backups)
App: http://localhost:3001 Β· Vault UI: http://localhost:8200 Β· Login token: root
VaultLens supports multiple deployment methods:
| Method | Best For |
|---|---|
| Docker Run | Quick testing, single server |
| Docker Compose | Small/medium deployments |
| Helm / Kubernetes | Production K8s clusters |
| Environment Variable | Required | Default | Description |
|---|---|---|---|
VAULT_ADDR |
Yes | β | HashiCorp Vault server URL |
VAULT_SYSTEM_TOKEN |
Yes* | β | Vault token for system operations |
VAULT_K8S_AUTH_ROLE |
Yes* | β | K8s auth role (replaces VAULT_SYSTEM_TOKEN in K8s) |
PORT |
No | 3001 |
Application port |
NODE_ENV |
No | production |
Environment mode |
VAULT_SKIP_TLS_VERIFY |
No | false |
Skip TLS certificate verification |
CORS_ORIGIN |
No | β | Allowed CORS origin (only if frontend is on a different origin) |
VAULTLENS_CONFIG_STORAGE |
No | file |
Config backend: file or vault |
VAULTLENS_CONFIG_PATH |
No | /config |
Directory for config.ini and logo blobs (file mode) |
VAULTLENS_BACKUP_PATH |
No | /backups |
Directory for backup JSON files |
VAULT_AUDIT_LOG_PATH |
No | β | Path to Vault audit log file (required for webhooks) |
RATE_LIMIT_MAX |
No | 500 |
Max API requests per window |
RATE_LIMIT_WINDOW_MS |
No | 900000 |
Rate limit window in ms (15 min) |
*Either VAULT_SYSTEM_TOKEN or VAULT_K8S_AUTH_ROLE is required for full functionality.
VaultLens uses two auto-created Vault policies to separate concerns between user-initiated operations and background services. VaultLens automatically creates both policies on startup if they don't already exist.
Purpose: UI access control flag for administrative features. Does NOT grant broad Vault access.
Assign to: Human administrators and users who need access to VaultLens admin features (backup, branding, webhooks, rotation scheduler, analytics, audit logs).
Purpose: Full permissions for VaultLens background services. Do NOT assign to human users.
Used by: VaultLens system token (AppRole or Kubernetes auth) for background operations only.
Background services that use this token:
- π Secret rotation scheduler β Reads and rotates KV v2 secrets based on
rotate-intervalmetadata - ποΈ Audit log watcher β Monitors Vault audit log, fires webhook HTTP callbacks
- πΎ Backup scheduler β Creates and manages full KV secret backups
- π Shared secrets β Encrypts secrets in the cubbyhole for password sharing
- β‘ Policy initialization β Auto-creates
vaultlens-adminandvaultlens-systempolicies on startup - π Audit device registration β Auto-registers socket audit device for webhooks
helm install vaultlens ./charts/vaultlens \
--set config.vaultAddr=http://vault:8200 \
--set kubernetesAuth.enabled=true \
--set kubernetesAuth.role=vaultlens \
--set backup.persistence.enabled=true \
--set configStorage.persistence.enabled=trueFor stateless multi-replica deployments, set configStorage.backend=vault to store configuration in Vault KV instead of a PVC.
See charts/vaultlens/values.yaml for all configurable parameters.
VaultLens is designed with security as a first-class concern:
- Token isolation β User tokens enforce Vault ACL; the system token is never exposed to the frontend
- HTTP-only cookies β Vault tokens stored in secure, HTTP-only, SameSite=lax cookies
- CSRF protection β Double-submit cookie pattern on all state-changing routes
- End-to-end encryption β Shared secrets encrypted client-side with OpenPGP; server never sees plaintext
- URL fragment key transport β Decryption keys live in
#fragment, never sent to the server - SSRF protection β Webhook URLs validated against internal/cloud metadata address blocklist
- Security headers β Helmet.js provides CSP, HSTS, X-Frame-Options, Referrer-Policy
- Rate limiting β Global rate limiter + stricter limit on public sharing endpoint
- Input validation β Secret data, auth configs, webhook URLs, backup filenames, rotation intervals
- Non-root container β Runs as UID 1001
For the full security model and audit history, see docs/security.md and docs/SECURITY_AUDIT.md.
βββββββββββββββββββββββββββββββββββββββββββββββββββ
β Browser (React SPA) β
β React 19 Β· TypeScript Β· TailwindCSS Β· Zustand β
β React Query Β· React Flow Β· OpenPGP.js β
βββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Node.js / Express API β
β 14 route modules Β· Helmet Β· CSRF Β· Rate Limit β
β Background: Rotation Β· Backup Β· Audit Watcher β
β Config Storage: file (INI) or Vault KV β
βββββββββββββββββββββββββββββββββββββββββββββββββββ€
β HashiCorp Vault β
β KV v1/v2 Β· ACL Policies Β· Auth Methods β
β Identity (Entities/Groups) Β· Audit Log β
βββββββββββββββββββββββββββββββββββββββββββββββββββ
VaultLens runs as a single unified process β the Express server serves both the API and the built React SPA. No separate frontend server is needed.
For detailed architecture documentation, see docs/architecture.md.
We welcome contributions! Please read our Contributing Guide to get started.
VaultLens is licensed under the GNU General Public License v3.0.
This means you are free to use, modify, and distribute this software, but any derivative works must also be released under the GPLv3.
















