Vault
Vault UI
Vault features a web-based user interface (UI) that enables you to unseal, authenticate, manage policies and secrets engines.
When you operate Vault in development mode the UI is automatically enabled. When Vault is running outside of development mode, the UI is not activated by default.
Server configuration
To activate the UI when Vault is not running in development mode, set the ui
configuration option in the Vault server configuration.
ui = true
listener "tcp" {
# ...
}
storage "storage" {
# ...
}
The UI runs on the same port as the Vault listener. As such, you must configure
at least one listener
stanza to access the UI.
Example:
ui = true
listener "tcp" {
address = "10.0.1.35:8200"
# If bound to localhost, the Vault UI is only
# accessible from the local machine!
# address = "127.0.0.1:8200"
}
# ...
In this example, the UI is available at https://10.0.1.35:8200/ui
. In large
environments, you will need to ensure proper communication between subnets,
and no firewall rules or network access control rules are blocking port 8200
.
It is also accessible at any DNS entry that resolves to that IP address, such as
the Consul service address (if using Consul):
https://vault.service.consul:8200/ui
Lab setup
In this tutorial, you will start Vault in development mode. Refer to the Vault configuration documentation for more information on all Vault configuration options.
Open a terminal and start a Vault dev server with the literal string
root
as the root token value, and enable TLS.$ vault server -dev -dev-root-token-id root -dev-tls
The dev server listens on the loopback interface at 127.0.0.1 on TCP port 8200 with TLS enabled. At runtime, the dev server also automatically unseals, and prints the unseal key and initial root token values to the standard output.
Root tokens
The dev mode server starts with an initial root token value set. Root token use should be extremely guarded in production environments because it provides full access to the Vault server.
You can supply the root token value to start Vault in dev mode for convenience and to keep the steps here focused on the learning goals of this tutorial.
Launch a web browser, and enter
https://127.0.0.1:8200/ui
in the address bar.Enter
root
in the Token field and click Sign in.
Explore the Vault UI
Review the Vault dashboard.
The Vault Dashboard is the first page seen when logging into a Vault server. It provides useful information about the server (or cluster) such as enabled secrets engines, and Configuration details about the server.
Review the Vault navigation sidebar.
The primary navigation for the Vault UI is on the left side of the screen. This sidebar provides access to common Vault plugins such as Secrets Engines and auth methods using the Access menu.
Vault UI Session timeout
If there are no API requests (other than health and seal-status which don’t count) for 3 min the user will be logged out next time the token expiration time is passed. If requests are made in that time, the UI will automatically refresh the token.
In the next tutorial, you will begin to configure Vault using the UI.