Cloud Canary Token Management β Deploy, monitor, and rotate deceptive credentials across AWS and GCP to detect unauthorized access.
Warning
Alpha Version β Coalmine is in early development. Basic functionality is the current priority, and the application should not be considered fully security tested for production use.
| Functional | Development (Unstable) | To Do |
|---|---|---|
| AWS IAM User Canaries | GCP Service Account Canaries | Azure Support |
| AWS S3 Bucket Canaries | GCP Bucket Canaries | SIEM Integration |
| CloudTrail Monitoring | GCP Audit Log Monitoring | |
| PostgreSQL State Backend | Automatic Rotation | |
| REST API (API Key + Session Auth) | ||
| WebUI Dashboard | ||
| Email & Webhook Alerts | ||
| Credential & Account Management | ||
| RBAC (Casbin) |
Coalmine automatically deploys and monitors "canary tokens" β decoy credentials and resources that trigger alerts when accessed by attackers.
Supported Providers:
- AWS: IAM Users, S3 Buckets
- GCP: Service Accounts, Cloud Storage Buckets
- Multi-Cloud Support β AWS and GCP from a single interface
- Credential & Account Model β Manage cloud credentials and accounts through CLI, API, or YAML sync
- Automatic Rotation β Credentials rotate on configurable intervals
- Centralized Monitoring β CloudTrail and GCP Audit Log integration
- Flexible Alerting β Email, Webhook, and Syslog notifications
- Infrastructure as Code β OpenTofu-managed resources
- REST API β Programmatic access with API key or session authentication
- WebUI β Browser-based dashboard at
/ui - RBAC β Role-based access control via Casbin
- CLI β Grouped subcommand structure (
coalmine <resource> <action>)
- Docker & Docker Compose
- AWS credentials (for AWS canaries)
- GCP credentials (for GCP canaries)
git clone https://github.com/yourorg/coalmine.git
cd coalmine
cp .env.example .env
# Edit .env with your database and cloud credentialsdocker compose up -dThis starts the API, Celery worker, Redis, and PostgreSQL. The WebUI is available at http://localhost:8000/ui.
# Add an AWS credential
docker compose exec app coalmine credentials add my-aws-cred AWS \
--secrets '{"access_key_id": "...", "secret_access_key": "...", "region": "us-east-1"}'
# Add an account under that credential
docker compose exec app coalmine accounts add prod-east --credential my-aws-cred \
--account-id 111111111111
# Or sync credentials and accounts from YAML config
docker compose exec app coalmine credentials sync --dry-run# Create CloudTrail logging destination
docker compose exec app coalmine logs create my-trail AWS_CLOUDTRAIL \
--account <ACCOUNT_ID>
# List logging resources
docker compose exec app coalmine logs list# Create an AWS IAM User canary
docker compose exec app coalmine canary create my-canary AWS_IAM_USER \
--account <ACCOUNT_ID> --logging-id <LOGGING_ID>
# List canaries
docker compose exec app coalmine canary list# Trigger a test alert
docker compose exec app coalmine canary trigger my-canary
# Wait for monitoring cycle (~1 min) then check alerts
docker compose exec app coalmine alerts listβββββββββββββββ βββββββββββββββ βββββββββββββββ
β CLI β β REST API β β WebUI β
β (coalmine) β β (FastAPI) β β (React) β
ββββββββ¬βββββββ ββββββββ¬βββββββ ββββββββ¬βββββββ
β β β
ββββββββββ¬βββββββββ΄βββββββββ¬βββββββββ
β β
β ββββββββΌβββββββ
β βAuth / RBAC β
β β (Casbin) β
β ββββββββ¬βββββββ
β β
ββββββββΌββββββββββββββββββΌβββββββ
β Celery Workers β
β (Canary Β· Monitoring Β· Logs) β
ββββββββββββββββ¬βββββββββββββββββ
β
βββββββββββββββββββΌββββββββββββββββββ
β β β
βββββββΌββββββ ββββββββΌβββββββ ββββββββΌβββββββ
β OpenTofu β β Monitors β βNotificationsβ
β Templates β β(CloudTrail/ β β(Email/Hook/ β
β β β Audit Logs) β β Syslog) β
βββββββ¬ββββββ ββββββββ¬βββββββ βββββββββββββββ
β β
βββββββΌββββββ ββββββββΌβββββββ
β AWS / GCP β β Alerts β
β(Resources)β β (DB) β
βββββββββββββ βββββββββββββββ
βββββββββββββββββββ
β PostgreSQL β
β (Inventory) β
ββββββββββ¬βββββββββ
β
ββββββββββΌβββββββββ
β Celery Beat β
β (Scheduler) β
βββββββββββββββββββ
Commands follow the pattern: coalmine <resource> <action> [options]
| Command | Description |
|---|---|
canary create <name> <type> |
Create a new canary |
canary list |
List all canaries |
canary delete <name_or_id> |
Delete a canary |
canary creds <name> |
Get canary credentials |
canary trigger <name_or_id> |
Test canary detection |
| Command | Description |
|---|---|
credentials list |
List all credentials |
credentials add <name> <provider> |
Add a credential |
credentials update <name_or_id> |
Update a credential |
credentials remove <name_or_id> |
Remove a credential |
credentials validate <name_or_id> |
Validate credential health |
credentials sync [--dry-run] |
Sync from YAML config |
| Command | Description |
|---|---|
accounts list [--credential <name>] |
List all accounts |
accounts add <name> |
Add an account |
accounts update <name_or_id> |
Update an account |
accounts enable <name_or_id> |
Enable an account |
accounts disable <name_or_id> |
Disable an account |
accounts remove <name_or_id> |
Remove an account |
accounts validate <name_or_id> |
Validate account health |
| Command | Description |
|---|---|
logs create <name> <type> |
Create logging resource |
logs list |
List logging resources |
logs scan --account <id> |
Scan existing CloudTrails |
| Command | Description |
|---|---|
alerts list [--canary <name>] |
View security alerts |
| Command | Description |
|---|---|
auth key list |
List API keys |
auth key add <name> |
Add an API key |
auth session list |
List active sessions |
| Command | Description |
|---|---|
user list |
List all users |
user roles |
List available roles |
| Command | Description |
|---|---|
task list |
View recent async tasks |
task status <task_id> |
Check task result |
docker compose exec app coalmine --help
docker compose exec app coalmine canary --helpThe API runs at http://localhost:8000 and requires authentication via API key header or session cookie.
api_keys:
- key: "your-api-key-here"
name: "admin"
permissions: ["read", "write"]
scopes: ["all"]# List canaries
curl -H "X-API-Key: your-api-key" http://localhost:8000/api/v1/canaries
# Create a canary
curl -X POST -H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"name": "api-canary", "resource_type": "AWS_IAM_USER", "account_id": "...", "logging_id": "..."}' \
http://localhost:8000/api/v1/canariesInteractive API docs are available at http://localhost:8000/docs (Swagger UI).
All configuration lives in the config/ directory. See config/README.md for details.
credentials:
my-aws-cred:
provider: AWS
auth_type: STATIC
secrets:
access_key_id: ${AWS_ACCESS_KEY_ID}
secret_access_key: ${AWS_SECRET_ACCESS_KEY}
region: ${AWS_DEFAULT_REGION:-us-east-1}
accounts:
- name: prod-east
account_id: "111111111111"Sync with: docker compose exec app coalmine credentials sync
outputs:
email_admin:
type: "email"
enabled: true
smtp_host: "smtp.example.com"
smtp_port: 587
to_addrs: ["security@example.com"]
webhook_siem:
type: "webhook"
enabled: true
url: "https://siem.example.com/webhook"| Type | Provider | Description |
|---|---|---|
AWS_IAM_USER |
AWS | IAM user with access keys |
AWS_BUCKET |
AWS | S3 bucket with logging |
GCP_SERVICE_ACCOUNT |
GCP | Service account with keys |
GCP_BUCKET |
GCP | Cloud Storage bucket |
# Run all tests
docker compose run --rm app pytest -v
# Run unit tests only
docker compose run --rm app pytest tests/unit/ -v
# Run integration tests
docker compose run --rm app pytest tests/integration/ -v
# View worker logs
docker compose logs -f worker
# Rebuild after code changes
docker compose build && docker compose up -d- Never commit credentials β Use
.envfiles or secrets managers - Rotate admin credentials β The cloud credentials used to manage canaries
- Network isolation β Run Coalmine in a secure network segment
- Principle of least privilege β Canary credentials should have minimal permissions
- API key security β Store API keys securely, rotate regularly
Apache License 2.0 β See LICENSE file for details.
See CONTRIBUTING.md for contribution guidelines.