Web UI

4min
Vault

Vault features a web-based user interface (UI) that enables you to unseal, authenticate, manage policies and secrets engines.

Press Ctrl+C to terminate the dev server that is running at http://127.0.0.1:8200 (if any) before proceeding.

Server Configuration

NOTE: When you operate Vault in development mode the UI is automatically enabled, but when Vault is running outside of development mode, the UI is not activated by default.

To activate the UI, set the ui configuration option in the Vault server configuration.

ui = true

listener "tcp" {
  # ...
}

storage "storage" {
  # ...
}

The UI runs on the same port as the Vault listener. As such, you must configure at least one listener stanza in order to access the UI.

Example:

ui = true

listener "tcp" {
  address = "10.0.1.35:8200"

  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}
# ...

In this case, the UI is accessible at the following URL from any machine on the subnet (provided no network firewalls are in place): https://10.0.1.35:8200/ui

It is also accessible at any DNS entry that resolves to that IP address, such as the Consul service address (if using Consul): https://vault.service.consul:8200/ui

NOTE: When you start the Vault server in dev mode, Vault UI is automatically enabled and ready to use.

Start Web UI

Create server configuration file named config.hcl.
```
$ tee config.hcl <<EOF
ui = true
disable_mlock = true

storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
EOF
```
The raft storage backend requires the filesystem path ./vault/data.
Although the listener stanza disables TLS (tls_disable = "true") for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.
Create the vault/data directory for the storage backend.
```
$ mkdir -p vault/data
```

Start a Vault server with server configuration file named config.hcl.

$ vault server -config=config.hcl

Example output:

WARNING! mlock is not supported on this system! An mlockall(2)-like syscall to
prevent memory from being swapped to disk is not supported on this system. For
better security, only run Vault on systems where this call is supported. If
you are running Vault in a Docker container, provide the IPC_LOCK cap to the
container.
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.14.7
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: raft (HA available)
                 Version: Vault v1.5.3
             Version Sha: 9fcd81405feb320390b9d71e15a691c3bc1daeef

==> Vault server started! Log data will stream in below:

2020-09-20T19:55:29.519-0700 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=

Launch a web browser, and enter http://127.0.0.1:8200/ui in the address.
The Vault server is uninitialized and sealed. Before continuing, the server's storage backend requires starting a cluster or joining a cluster.
Select Create a new Raft cluster and click Next.
Enter 5 in the Key shares and 3 in the Key threshold text fields.
Click Initialize.
When the unseal keys are presented, scroll down to the bottom and select Download key. Save the generated unseal keys file to your computer.
The unseal process requires these keys and the access requires the root token.
Click Continue to Unseal to proceed.

Open the downloaded file.

Example key file:

{
  "keys": [
    "ecfb4ef59f9a2570f856c471cd3b0580e2b7d99962d5c9af7a25b80138affe935a",
    "807e9bbfb984c631becc526c621c9852f82d88b2347f7398ef7af3c1fbfbbe9fd0",
    "561a7ff6b44b88f96a2d9faca1ae514d1557008ce19283dcfe2fb746ed4f0f7d94",
    "3671e9e817177d79d3c004e0745e5f1d1a5cbfcd9fd6ad22505d4bc538176fa3f9",
    "313fffc1c848276fffe1e3fcfce4d3472d104cda466227ca155e4f693cfbaa36b9"
  ],
  "keys_base64": [
    "7PtO9Z+aJXD4VsRxzTsFgOK32Zli1cmveiW4ATiv/pNa",
    "gH6bv7mExjG+zFJsYhyYUvgtiLI0f3OY73rzwfv7vp/Q",
    "Vhp/9rRLiPlqLZ+soa5RTRVXAIzhkoPc/i+3Ru1PD32U",
    "NnHp6BcXfXnTwATgdF5fHRpcv82f1q0iUF1LxTgXb6P5",
    "MT//wchIJ2//4eP8/OTTRy0QTNpGYifKFV5PaTz7qja5"
  ],
  "root_token": "s.p3L38qZwmnHUgIHR1MBmACfd"
}

Copy one of the keys (not keys_base64) and enter it in the Master Key Portion field. Click Unseal to proceed.
The Unseal status shows 1/3 keys provided.
Enter another key and click Unseal.
The Unseal status shows 2/3 keys provided.
Enter another key and click Unseal.
After 3 out of 5 unseal keys are entered, Vault is unsealed and is ready to operate.
Copy the root_token and enter its value in the Token field. Click Sign in.

Web UI Wizard

Vault UI has a built-in tutorial to navigate you through the common steps to operate various Vault features.

Web UI Wizard

For now, click Dismiss to close it out. You can restart the guide later.

Web UI Wizard

8 tutorials

Getting Started with Vault UI
Manage Vault environment as well as your secrets using Vault UI.
- Vault

Server Configuration

Start Web UI

Web UI Wizard

This tutorial also appears in: