Web UI

Vault features a web-based user interface (UI) that lets you unseal Vault, authenticate, and manage policies and secrets engines.

Press Ctrl+C to terminate the dev server that is running at http://127.0.0.1:8200 (if any) before proceeding.

Server Configuration

NOTE: When you operate Vault in development mode the UI is automatically enabled, but when Vault is running outside of development mode, the UI is not activated by default.

To activate the UI, set the ui configuration option in the Vault server configuration.

ui = true

listener "tcp" {
  # ...
}

storage "storage" {
  # ...
}

The UI runs on the same port as the Vault listener. As such, you must configure at least one listener stanza in order to access the UI.

Example:

ui = true

listener "tcp" {
  address = "10.0.1.35:8200"

  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}
# ...

In this case, the UI is accessible at the following URL from any machine on the subnet (provided no network firewalls are in place): https://10.0.1.35:8200/ui

It is also accessible at any DNS entry that resolves to that IP address, such as the Consul service address (if using Consul): https://vault.service.consul:8200/ui

NOTE: When you start the Vault server in dev mode, Vault UI is automatically enabled and ready to use.

Start Web UI

  1. Create a server configuration file named config.hcl.

    $ tee config.hcl <<EOF
    ui = true
    disable_mlock = true
    
    storage "raft" {
      path    = "./vault/data"
      node_id = "node1"
    }
    
    listener "tcp" {
      address     = "0.0.0.0:8200"
      tls_disable = "true"
    }
    
    api_addr = "http://127.0.0.1:8200"
    cluster_addr = "https://127.0.0.1:8201"
    EOF
    

    The raft storage backend requires the filesystem path ./vault/data.

    Although the listener stanza disables TLS (tls_disable = "true") for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.

  2. Create the vault/data directory for the storage backend.

    $ mkdir -p vault/data
    
  3. Start a Vault server with the server configuration file named config.hcl.

    $ vault server -config=config.hcl
    

    Example output:

    WARNING! mlock is not supported on this system! An mlockall(2)-like syscall to
    prevent memory from being swapped to disk is not supported on this system. For
    better security, only run Vault on systems where this call is supported. If
    you are running Vault in a Docker container, provide the IPC_LOCK cap to the
    container.
    ==> Vault server configuration:
    
                 Api Address: http://127.0.0.1:8200
                         Cgo: disabled
             Cluster Address: https://127.0.0.1:8201
                  Go Version: go1.14.7
                  Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
                   Log Level: info
                       Mlock: supported: false, enabled: false
               Recovery Mode: false
                     Storage: raft (HA available)
                     Version: Vault v1.5.3
                 Version Sha: 9fcd81405feb320390b9d71e15a691c3bc1daeef
    
    ==> Vault server started! Log data will stream in below:
    
    2020-09-20T19:55:29.519-0700 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
    
  4. Launch a web browser, and enter http://127.0.0.1:8200/ui in the address bar.

    The Vault server is uninitialized and sealed. Before continuing, the server's storage backend requires starting a cluster or joining a cluster.

  5. Select Create a new Raft cluster and click Next.

  6. Enter 5 in the Key shares and 3 in the Key threshold text fields.

  7. Click Initialize.

  8. When the unseal keys are presented, scroll down to the bottom and select Download key. Save the generated unseal keys file to your computer.

    Unsealing requires these keys, and access requires the root token.

  9. Click Continue to Unseal to proceed.

  10. Open the downloaded file.

    Example key file:

    {
      "keys": [
        "ecfb4ef59f9a2570f856c471cd3b0580e2b7d99962d5c9af7a25b80138affe935a",
        "807e9bbfb984c631becc526c621c9852f82d88b2347f7398ef7af3c1fbfbbe9fd0",
        "561a7ff6b44b88f96a2d9faca1ae514d1557008ce19283dcfe2fb746ed4f0f7d94",
        "3671e9e817177d79d3c004e0745e5f1d1a5cbfcd9fd6ad22505d4bc538176fa3f9",
        "313fffc1c848276fffe1e3fcfce4d3472d104cda466227ca155e4f693cfbaa36b9"
      ],
      "keys_base64": [
        "7PtO9Z+aJXD4VsRxzTsFgOK32Zli1cmveiW4ATiv/pNa",
        "gH6bv7mExjG+zFJsYhyYUvgtiLI0f3OY73rzwfv7vp/Q",
        "Vhp/9rRLiPlqLZ+soa5RTRVXAIzhkoPc/i+3Ru1PD32U",
        "NnHp6BcXfXnTwATgdF5fHRpcv82f1q0iUF1LxTgXb6P5",
        "MT//wchIJ2//4eP8/OTTRy0QTNpGYifKFV5PaTz7qja5"
      ],
      "root_token": "s.p3L38qZwmnHUgIHR1MBmACfd"
    }
    
  11. Copy one of the keys (not keys_base64) and enter it in the Master Key Portion field. Click Unseal to proceed.

    The Unseal status shows 1/3 keys provided.

  12. Enter another key and click Unseal.

    The Unseal status shows 2/3 keys provided.

  13. Enter another key and click Unseal.

    After 3 out of 5 unseal keys are entered, Vault is unsealed and is ready to operate.

  14. Copy the root_token and enter its value in the Token field. Click Sign in.
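
As an added example (not part of the HashiCorp tutorial), the shell function below checks a server configuration file for the lab-only settings used in step 1: tls_disable on a listener, that listener bound to all interfaces, and a plain-HTTP api_addr. The function name lint_vault_config and the finding names are assumptions made for this example, and it only understands # comments and one setting per line.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): flag tutorial-only listener settings
# in a Vault server config before it is reused outside a lab.
# Assumes '#' comments and one setting per line; finding names are made up here.

# lint_vault_config FILE -> prints one finding per line; exit 0 clean, 1 otherwise
lint_vault_config() {
  awk '
    function report() {
      if (tls_off) { print "TLS_DISABLED " addr; bad = 1 }
      if (tls_off && addr ~ /^(0\.0\.0\.0|\[::\]):/) {
        print "CLEARTEXT_ON_ALL_INTERFACES " addr; bad = 1
      }
      in_l = 0
    }
    { sub(/#.*/, "") }                       # ignore comments
    !in_l && /^[ \t]*listener[ \t]+"tcp"/ {  # a new listener stanza starts
      in_l = 1; depth = 0; tls_off = 0; addr = "(unset)"
    }
    in_l {
      if ($0 ~ /(^|[ \t])tls_disable[ \t]*=[ \t]*"?(true|1)"?/) tls_off = 1
      if ($0 ~ /(^|[ \t])address[ \t]*=/) { split($0, q, "\""); addr = q[2] }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested blocks
      if (depth <= 0) report()               # stanza closed: judge it as a whole
    }
    /^[ \t]*api_addr[ \t]*=[ \t]*"http:\/\// { print "API_ADDR_NOT_HTTPS"; bad = 1 }
    END { if (in_l) report(); exit bad }
  ' "$1"
}

# Constructed sample: the listener and api_addr lines from step 1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
EOF
lint_vault_config "$sample" || echo "config uses tutorial-only settings"
rm -f "$sample"
```

A listener that sets tls_cert_file and tls_key_file and an https api_addr produces no findings and exit status 0.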

Web UI Wizard

The Vault UI has a built-in tutorial that guides you through the common steps for operating various Vault features.

For now, click Dismiss to close it out. You can restart the guide later.
