Vault UI
Vault features a user interface (web interface) for interacting with Vault. Easily create, read, update, and delete secrets, authenticate, unseal, and more with the Vault UI.
The UI requires Vault 0.10 or higher or Vault Enterprise.
Activating the Vault UI
The Vault UI is not activated by default. To activate the UI, set the ui
configuration option in the Vault server configuration. Vault clients do not
need to set this option, since they will not be serving the UI.
ui = true
listener "tcp" {
  # ...
}
For more information, please see the Vault configuration options.
Accessing the Vault UI
The UI runs on the same port as the Vault listener. As such, you must configure
at least one listener stanza in order to access the UI.
listener "tcp" {
  address = "10.0.1.35:8200"
  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}
In this case, the UI is accessible at the following URL from any machine on the subnet (provided no network firewalls are in place):
https://10.0.1.35:8200/ui/
It is also accessible at any DNS entry that resolves to that IP address, such as the Consul service address (if using Consul):
https://vault.service.consul:8200/ui/
Note on TLS
When using TLS (recommended), the certificate must be valid for all DNS entries you will use to access the Vault UI, and any IP addresses you use must be listed in the SAN. If you are running Vault with a self-signed certificate, every browser that accesses the Vault UI needs to have the root CA installed. Otherwise, the browser may display a warning that the site is "untrusted". It is highly recommended that client browsers accessing the Vault UI install the proper CA root for validation to reduce the chance of a MITM attack.
GUI token auto-renewal and timeout behavior
The Vault GUI does not provide a configurable session timeout. Instead, the GUI uses a built-in timeout based on the time-to-live (TTL) or lease duration configured for your authentication method type.
The Vault GUI automatically renews your token at half of its TTL or lease duration during active use. Vault starts measuring inactivity after your last request to the Vault API. After three minutes of inactivity the GUI stops automatically renewing your token and lets the token expire when it reaches the configured TTL or lease duration. Auto-renewal resumes as soon as you make another request to the Vault API.
For example, assume your token TTL is 10 minutes. If you become inactive at minute 1:
- The Vault GUI stops renewing your token at minute 4.
- Your token expires at minute 10.
The session times out once the token expires and you cannot interact with the GUI until you re-authenticate.
If you make another request to the API, such as navigating to a new page before minute 4, the GUI resumes auto-renewal and resets the 3-minute inactivity timer.
Completing a form does not always trigger API calls. If you spend a long time filling out a form, the GUI may stop renewing your token even though you are technically interacting with the GUI.
Vault does not provide explicit user-configurable session timeouts. If you feel configurable timeouts would benefit your organization, contact your account team.
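The renewal and inactivity rules above can be modelled to see how long a token stays valid after the last request. This is an added example, not code from Vault; the function name `session_timeline` is hypothetical, and the model assumes that a renewal grants a full TTL from the moment it happens, that the next renewal is due half a TTL later, and that a request arriving after a missed renewal renews the token immediately.

```python
INACTIVITY_LIMIT = 3.0  # minutes without an API request before renewal stops


def session_timeline(ttl, request_times, issued_at=0.0):
    """Return (renewal_times, renewal_stops_at, token_expires_at) in minutes.

    Assumptions: a renewal grants a full `ttl` from the moment it happens, the
    next renewal is due ttl/2 later, and a request that arrives after a missed
    renewal (token still valid) triggers a renewal immediately.
    """
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    pending = sorted(t for t in request_times if t > issued_at)
    last_request = issued_at          # logging in counts as the first request
    expires_at = issued_at + ttl
    renew_due = issued_at + ttl / 2
    renewals = []
    while True:
        next_request = pending[0] if pending else float("inf")
        active_until = last_request + INACTIVITY_LIMIT
        if renew_due <= min(next_request, active_until):
            # Renewal timer fires while the session still counts as active.
            renewals.append(renew_due)
            expires_at = renew_due + ttl
            renew_due += ttl / 2
        elif next_request < expires_at:
            # A request on a live token resets the inactivity timer.
            last_request = pending.pop(0)
            if renew_due < last_request:   # a renewal was missed while idle
                renewals.append(last_request)
                expires_at = last_request + ttl
                renew_due = last_request + ttl / 2
        else:
            # No further request before expiry: the session times out.
            return renewals, active_until, expires_at


if __name__ == "__main__":
    # Constructed scenarios, TTL = 10 minutes, token issued at minute 0.
    for label, reqs in [("page example", [1]), ("request at 3.5", [1, 3.5]),
                        ("idle from minute 2", [2]), ("back at minute 12", [1, 12])]:
        print(label, session_timeline(10, reqs))
```

Under these assumptions a token can outlive the last request by up to the TTL plus the 3-minute inactivity window (the "idle from minute 2" case expires at minute 15), which is the figure to use when choosing a TTL for an auth method that people use from shared or unattended workstations.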