HashiDays One conference. Three cities. Find a city near you
Vault
Vault CLI

Vault UI

  • 3min
  • |
  • Vault

Vault features a web-based user interface (UI) that enables you to unseal, authenticate, manage policies and secrets engines.

When you operate Vault in development mode the UI is automatically enabled. When Vault is running outside of development mode, the UI is not activated by default.

Server configuration

To activate the UI when Vault is not running in development mode, set the ui configuration option in the Vault server configuration.

ui = truelistener "tcp" {  # ...}storage "storage" {  # ...}

The UI runs on the same port as the Vault listener. As such, you must configure at least one listener stanza to access the UI.

Example:

ui = truelistener "tcp" {  address = "10.0.1.35:8200"  # If bound to localhost, the Vault UI is only  # accessible from the local machine!  # address = "127.0.0.1:8200"}# ...

In this example, the UI is available at https://10.0.1.35:8200/ui. In large environments, you will need to ensure proper communication between subnets, and no firewall rules or network access control rules are blocking port 8200.

It is also accessible at any DNS entry that resolves to that IP address, such as the Consul service address (if using Consul): https://vault.service.consul:8200/ui

Lab setup

In this tutorial, you will start Vault in development mode. Refer to the Vault configuration documentation for more information on all Vault configuration options.

  1. Open a terminal and start a Vault dev server with the literal string root as the root token value, and enable TLS.

    $ vault server -dev -dev-root-token-id root -dev-tls

    The dev server listens on the loopback interface at 127.0.0.1 on TCP port 8200 with TLS enabled. At runtime, the dev server also automatically unseals, and prints the unseal key and initial root token values to the standard output.

    Root tokens

    The dev mode server starts with an initial root token value set. Root token use should be extremely guarded in production environments because it provides full access to the Vault server.

    You can supply the root token value to start Vault in dev mode for convenience and to keep the steps here focused on the learning goals of this tutorial.

  2. Launch a web browser, and enter https://127.0.0.1:8200/ui in the address bar.

  3. Enter root in the Token field and click Sign in. Sign in

Explore the Vault UI

  1. Review the Vault dashboard. Dashboard

    The Vault Dashboard is the first page seen when logging into a Vault server. It provides useful information about the server (or cluster) such as enabled secrets engines, and Configuration details about the server.

  2. Review the Vault navigation sidebar. Dashboard

    The primary navigation for the Vault UI is on the left side of the screen. This sidebar provides access to common Vault plugins such as Secrets Engines and auth methods using the Access menu.

    Vault UI Session timeout

    If there are no API requests (other than health and seal-status which don’t count) for 3 min the user will be logged out next time the token expiration time is passed. If requests are made in that time, the UI will automatically refresh the token.

    In the next tutorial, you will begin to configure Vault using the UI.

Previous

Using the HTTP APIs with authentication

 Next

Next steps

This tutorial also appears in:

  • 8 tutorials
    Vault UI
    Manage Vault environment as well as your secrets using Vault UI.
    • Vault