Vault: Show more information in the UI for authentication/access

Created on 17 Jan 2019 · 3Comments · Source: hashicorp/vault

Is your feature request related to a problem? Please describe.
The UI for backends tends to be limited. As an admin, it'd be nice to be able to do a couple of things:
1) Be able to list groups in Okta path like you can do on the clii (e.g. vault list auth/okta/groups and vault list auth/approle/role/)
2) Show policies for any given auth path (e.g. vault read auth/okta/groups/somegroup)
3) Show policies for a given Auth Token (e.g. vault read auth/token)
4) Show your OWN policy information (e.g. vault read auth/token/lookup-self)
5) Ability to lookup up a token's policies (e.g. vault read auth/token/lookup token=12341234)

Describe the solution you'd like
Several additions to the GUI making debugging user sessions and group membership easier

Describe alternatives you've considered
We can use the CLI - and it works - just would be nice if it was in the GUI

Explain any additional use-cases
Would be handy to also show the latest failed requests from the GUI vs. having to dig through external log files.

enhancement ticketed ui

Source

jasonmcintosh

Most helpful comment

I am very interested in Vault UI for AppRole management (allow creating / showing AppRole ID and secret ID and mapping policies to those AppRoles...)

Right now (CMIIW) AppRole management requires CLI to operate, which can be cumbersome at times.

ryanelian on 25 Mar 2020

👍3

All 3 comments

Hello @jasonmcintosh ! We know that the functionality of the UI with regards to auth methods is currently lacking, and we're working to bring more CRUD functionality (list, read, edit, delete, etc) for the auth methods and the secret methods that aren't currently supported to the UI.

Given that this will be a gradual rollout and still likely a ways off - have you seen the Web CLI? It's meant to provide an "escape hatch" for functionality that the UI doesn't yet support natively. Much of what you're asking for is possible in the web CLI today (though it's not as full-fledged as the CLI).

I've attached a gif of an example of what you can do (note the vault part of the command is optional):

web-cli-usage

meirish on 18 Jan 2019

I would also be interested in this, especially the listing of an auth method's groups, users, and associated policies. Prior to Vault UI being released, I used Goldfish, and we still keep an instance around for this aspect. Their "Users" page shows the result of doing list auth/ldap/groups, list auth/ldap/users, and then doing a read on each group and user.