Skip to content

Jasonrve/vaultlens

VaultLens Logo

VaultLens

A Modern Web UI for HashiCorp Vault

License GitHub release Docker Image CI

Browse secrets. Visualize policies. Share securely. Manage Vault with confidence.

Getting Started Β· Features Β· Screenshots Β· Deployment Β· Contributing


⚠️ Beta Notice: VaultLens is currently in beta and under heavy development.

Note: VaultLens is a community-maintained project and has no affiliation with HashiCorp. It is an independent open-source tool built to enhance the Vault user experience.


What is VaultLens?

VaultLens is a powerful, open-source web UI for HashiCorp Vault that goes beyond the built-in Vault UI. It provides intuitive secret management, interactive policy visualizations, secure password sharing, automated secret rotation, backup/restore, webhook notifications, and a unified view of your Vault infrastructure β€” all from a single, lightweight application.

Why I Created VaultLens

I created VaultLens because my organization needed a modern, user-friendly interface for Vault that the native UI didn't provide. As someone who has benefited from countless open-source projects, this is my contribution back to the communityβ€”built with the hope it will help others manage Vault with greater confidence and ease.

Why VaultLens?

Native Vault UI VaultLens
Secret browsing Basic KV UI Full KV v1/v2 with metadata editing
Policy visualization Raw HCL text Interactive relationship graphs
Secret sharing Not available End-to-end encrypted sharing via link
Identity explorer Basic listing Entity ↔ Group ↔ Policy graph
Permission testing CLI only Visual permission tester with graph
Custom branding Not available Custom logo, colors, app name
Audit log viewer File-based only Searchable, filterable web UI
Secret rotation Not available Automated password rotation scheduler
Backup & restore Not available Full KV backup with scheduling
Webhooks Not available Audit-driven webhook notifications
Deployment Built into Vault Standalone β€” Docker, Compose, Helm

✨ Features

Secret Management

Browse and manage secrets across all KV v1 and v2 engines. Create, edit, merge, and delete secrets with a clean interface. View and edit version info and custom metadata.

Restricted-access partial updates: When a user can navigate to a secret path (via list permission) but lacks read permission on the secret itself, VaultLens still displays the secret's field names (keys) without exposing values. The user can then perform a Partial Update β€” modifying individual fields without ever seeing the existing values. The backend reads the current secret with the system token, merges the user's changes, and writes back using the user's own token, so Vault's ACL policies still control write access.

Interactive Visualizations

Explore your Vault's structure through interactive node graphs powered by React Flow:

  • Auth β†’ Role β†’ Policy β€” How authentication methods connect to policies
  • Policy β†’ Secret Path β€” Which policies grant access to which paths
  • Identity Chain β€” Entity β†’ Group β†’ Policy relationships

Permission Tester

Select any entity, enter a path and operation, and instantly see whether access is allowed or denied β€” with a full graph showing which policies contribute to the decision.

Identity Management

Browse entities, groups, aliases, and their policy attachments. Explore the current user's identity chain with a visual graph.

Policy Explorer

View, parse, and understand Vault ACL policies. See all path rules and their capabilities in a structured breakdown.

Auth Method Management

List, configure, and tune all auth methods. Browse roles and their associated policies directly in the UI.

Secret Auto-Rotation

Automatically rotate KV v2 secret values on a schedule using Vault's custom metadata. Set rotate-interval metadata on any secret and VaultLens handles the rest.

Backup & Restore

Create instant or scheduled full backups of all KV secrets. Restore from any saved backup with one click.

Webhook Notifications

Configure webhooks to be notified when secrets at specific paths are modified. VaultLens monitors the Vault audit log and fires HTTP POST requests with HMAC-signed payloads.

Analytics Dashboard

View Vault health, seal status, version, storage backend, token counts, entity counters, and request metrics β€” all in one place.

Audit Log Viewer

Browse Vault audit logs with full-text search, operation filtering, request/response detail inspection, and clickable resource links.

Custom Branding

Customize VaultLens with your organization's logo, primary and secondary colors, and application name.

Secure Secret Sharing

Share secrets safely with anyone β€” even people without Vault access. Secrets are encrypted in your browser using OpenPGP before leaving your machine. The server never sees the plaintext. Recipients open a link and decrypt entirely in their browser.

  • End-to-end encrypted (OpenPGP AES-256)
  • Configurable expiration (1 hour to 7 days)
  • One-time view option β€” self-destructs after first retrieval
  • No login required for recipients

πŸ“Έ Screenshots

Secret Engines & Secrets

Secrets Engines list showing KV v1/v2 and cubbyhole engines with type badges and accessor IDs.

Secret detail view β€” field names are visible but values are masked. Metadata panel shows version info, creation/update times, and editable custom metadata.


Auth Methods

Auth Methods list showing type, description, and accessor for all configured authentication methods.

Auth method detail β€” browsing roles on the Kubernetes auth method with Roles, Configuration, and Method Options tabs.


ACL Policies

ACL Policies list with all policies including vaultlens-admin, default, and root.


Identity

Entities list showing identity entities with their UUIDs.

Groups list showing identity groups with their UUIDs.

Identity Chain β€” visual graph of the current user's entity, group memberships, policies, and permitted secret paths.


Visualizations

Auth β†’ Role β†’ Policy graph: interactive React Flow diagram showing how auth methods (blue) connect through roles (orange) to policies (green).


Permission Tester

Permission Tester β€” select any entity, specify a path and operation, and get an instant visual allow/deny result. The graph shows the full policy evaluation chain.


Analytics

Vault Analytics β€” cluster health, seal status, version, storage backend, resource counts (engines, auth methods, policies, entities, groups), and internal counters.


Audit Log

Audit Log Viewer β€” searchable and filterable log with operation type badges, path links, remote address, user, entity, and expandable request/response detail panels.


Secret Auto-Rotation

Secret Auto-Rotation β€” scheduler status with last/next check times, and instructions for registering secrets via KV v2 custom metadata (rotate-interval, rotate-format).


Backup & Restore

Backup & Restore β€” backup schedule configuration with interval selector, list of saved backups with size, creation date, and one-click restore/delete actions.


Webhooks

Webhooks β€” configure HTTP endpoints to be notified when secrets at matching paths are modified, with HMAC-signed payloads.


Share a Secret

Share a Secret β€” end-to-end encrypted secret sharing with configurable expiration and one-time-view option. The decryption key is only in the share URL fragment and never sent to the server.


Branding

Branding β€” customize the application name, logo, primary color, secondary color, and background color with a live preview panel.


πŸš€ Getting Started

Docker (Fastest)

# Create persistent volumes for config and backups
docker volume create vaultlens_config
docker volume create vaultlens_backups

docker run -d \
  --name vaultlens \
  -p 3001:3001 \
  -e VAULT_ADDR=http://your-vault-server:8200 \
  -e VAULT_SYSTEM_TOKEN=your-system-token \
  -e VAULTLENS_CONFIG_STORAGE=file \
  -e VAULTLENS_CONFIG_PATH=/config \
  -e VAULTLENS_BACKUP_PATH=/backups \
  -v vaultlens_config:/config \
  -v vaultlens_backups:/backups \
  ghcr.io/Jasonrve/vaultlens:latest

Open http://localhost:3001 and log in with your Vault token.

Docker Compose

# Set required variables
export VAULT_ADDR=http://your-vault-server:8200
export VAULT_SYSTEM_TOKEN=your-system-token

docker compose up -d

The included docker-compose.yml creates two named volumes automatically:

  • vaultlens_config β€” persists branding, webhooks, and rotation config (/config)
  • vaultlens_backups β€” persists backup JSON files (/backups)

App: http://localhost:3001 Β· Vault UI: http://localhost:8200 Β· Login token: root


πŸ“¦ Deployment

VaultLens supports multiple deployment methods:

Method Best For
Docker Run Quick testing, single server
Docker Compose Small/medium deployments
Helm / Kubernetes Production K8s clusters

Configuration

Environment Variable Required Default Description
VAULT_ADDR Yes β€” HashiCorp Vault server URL
VAULT_SYSTEM_TOKEN Yes* β€” Vault token for system operations
VAULT_K8S_AUTH_ROLE Yes* β€” K8s auth role (replaces VAULT_SYSTEM_TOKEN in K8s)
PORT No 3001 Application port
NODE_ENV No production Environment mode
VAULT_SKIP_TLS_VERIFY No false Skip TLS certificate verification
CORS_ORIGIN No β€” Allowed CORS origin (only if frontend is on a different origin)
VAULTLENS_CONFIG_STORAGE No file Config backend: file or vault
VAULTLENS_CONFIG_PATH No /config Directory for config.ini and logo blobs (file mode)
VAULTLENS_BACKUP_PATH No /backups Directory for backup JSON files
VAULT_AUDIT_LOG_PATH No β€” Path to Vault audit log file (required for webhooks)
RATE_LIMIT_MAX No 500 Max API requests per window
RATE_LIMIT_WINDOW_MS No 900000 Rate limit window in ms (15 min)

*Either VAULT_SYSTEM_TOKEN or VAULT_K8S_AUTH_ROLE is required for full functionality.

VaultLens Policies

VaultLens uses two auto-created Vault policies to separate concerns between user-initiated operations and background services. VaultLens automatically creates both policies on startup if they don't already exist.

vaultlens-admin β€” Admin UI Access

Purpose: UI access control flag for administrative features. Does NOT grant broad Vault access.

Assign to: Human administrators and users who need access to VaultLens admin features (backup, branding, webhooks, rotation scheduler, analytics, audit logs).


vaultlens-system β€” System Token (Background Services)

Purpose: Full permissions for VaultLens background services. Do NOT assign to human users.

Used by: VaultLens system token (AppRole or Kubernetes auth) for background operations only.

Background services that use this token:

  • πŸ”„ Secret rotation scheduler β€” Reads and rotates KV v2 secrets based on rotate-interval metadata
  • πŸ‘οΈ Audit log watcher β€” Monitors Vault audit log, fires webhook HTTP callbacks
  • πŸ’Ύ Backup scheduler β€” Creates and manages full KV secret backups
  • πŸ”— Shared secrets β€” Encrypts secrets in the cubbyhole for password sharing
  • ⚑ Policy initialization β€” Auto-creates vaultlens-admin and vaultlens-system policies on startup
  • πŸ”Š Audit device registration β€” Auto-registers socket audit device for webhooks

Kubernetes / Helm

helm install vaultlens ./charts/vaultlens \
  --set config.vaultAddr=http://vault:8200 \
  --set kubernetesAuth.enabled=true \
  --set kubernetesAuth.role=vaultlens \
  --set backup.persistence.enabled=true \
  --set configStorage.persistence.enabled=true

For stateless multi-replica deployments, set configStorage.backend=vault to store configuration in Vault KV instead of a PVC.

See charts/vaultlens/values.yaml for all configurable parameters.


πŸ”’ Security

VaultLens is designed with security as a first-class concern:

  • Token isolation β€” User tokens enforce Vault ACL; the system token is never exposed to the frontend
  • HTTP-only cookies β€” Vault tokens stored in secure, HTTP-only, SameSite=lax cookies
  • CSRF protection β€” Double-submit cookie pattern on all state-changing routes
  • End-to-end encryption β€” Shared secrets encrypted client-side with OpenPGP; server never sees plaintext
  • URL fragment key transport β€” Decryption keys live in #fragment, never sent to the server
  • SSRF protection β€” Webhook URLs validated against internal/cloud metadata address blocklist
  • Security headers β€” Helmet.js provides CSP, HSTS, X-Frame-Options, Referrer-Policy
  • Rate limiting β€” Global rate limiter + stricter limit on public sharing endpoint
  • Input validation β€” Secret data, auth configs, webhook URLs, backup filenames, rotation intervals
  • Non-root container β€” Runs as UID 1001

For the full security model and audit history, see docs/security.md and docs/SECURITY_AUDIT.md.


πŸ— Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚              Browser (React SPA)                 β”‚
β”‚  React 19 Β· TypeScript Β· TailwindCSS Β· Zustand   β”‚
β”‚  React Query Β· React Flow Β· OpenPGP.js           β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚              Node.js / Express API               β”‚
β”‚  14 route modules Β· Helmet Β· CSRF Β· Rate Limit   β”‚
β”‚  Background: Rotation Β· Backup Β· Audit Watcher   β”‚
β”‚  Config Storage: file (INI) or Vault KV          β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚              HashiCorp Vault                      β”‚
β”‚  KV v1/v2 Β· ACL Policies Β· Auth Methods          β”‚
β”‚  Identity (Entities/Groups) Β· Audit Log          β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

VaultLens runs as a single unified process β€” the Express server serves both the API and the built React SPA. No separate frontend server is needed.

For detailed architecture documentation, see docs/architecture.md.


🀝 Contributing

We welcome contributions! Please read our Contributing Guide to get started.


πŸ“„ License

VaultLens is licensed under the GNU General Public License v3.0.

This means you are free to use, modify, and distribute this software, but any derivative works must also be released under the GPLv3.


Built with ❀️ for the HashiCorp Vault community

About

Open-source HashiCorp Vault UI for secret browsing, policy visualization, secure secret sharing, rotation, backups, webhooks, and analytics

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors