2017-05-01 21:36:37 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
|
page_title: UI - Configuration
|
2017-05-01 21:36:37 +00:00
|
|
|
description: |-
|
2018-05-17 15:48:10 +00:00
|
|
|
Vault features a user interface (web interface) for interacting with Vault.
|
|
|
|
|
Easily create, read, update, and delete secrets, authenticate, unseal, and
|
|
|
|
|
more with the Vault UI.
|
2017-05-01 21:36:37 +00:00
|
|
|
---
|
|
|
|
|
|
2018-05-17 15:48:10 +00:00
|
|
|
# Vault UI
|
2017-05-01 21:36:37 +00:00
|
|
|
|
2018-05-17 15:48:10 +00:00
|
|
|
Vault features a user interface (web interface) for interacting with Vault.
|
|
|
|
|
Easily create, read, update, and delete secrets, authenticate, unseal, and
|
|
|
|
|
more with the Vault UI.
|
2017-05-01 21:36:37 +00:00
|
|
|
|
2018-05-17 15:48:10 +00:00
|
|
|
-> The UI requires **Vault 0.10 or higher** or Vault Enterprise.
|
2017-05-01 21:36:37 +00:00
|
|
|
|
|
|
|
|
## Activating the Vault UI
|
|
|
|
|
|
2018-05-17 15:48:10 +00:00
|
|
|
The Vault UI is not activated by default. To activate the UI, set the `ui`
|
|
|
|
|
configuration option in the Vault server configuration. Vault clients do not
|
|
|
|
|
need to set this option, since they will not be serving the UI.
|
2017-05-01 21:36:37 +00:00
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
ui = true
|
|
|
|
|
|
|
|
|
|
listener "tcp" {
|
|
|
|
|
# ...
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
For more information, please see the
|
2020-01-22 20:05:41 +00:00
|
|
|
[Vault configuration options](/docs/configuration).
|
2017-05-01 21:36:37 +00:00
|
|
|
|
|
|
|
|
## Accessing the Vault UI
|
|
|
|
|
|
|
|
|
|
The UI runs on the same port as the Vault listener. As such, you must configure
|
|
|
|
|
at least one `listener` stanza in order to access the UI.
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
listener "tcp" {
|
|
|
|
|
address = "10.0.1.35:8200"
|
|
|
|
|
|
|
|
|
|
# If bound to localhost, the Vault UI is only
|
|
|
|
|
# accessible from the local machine!
|
|
|
|
|
# address = "127.0.0.1:8200"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2020-03-06 16:26:18 +00:00
|
|
|
In this case, the UI is accessible at the following URL from any machine on the
|
2017-05-01 21:36:37 +00:00
|
|
|
subnet (provided no network firewalls are in place):
|
|
|
|
|
|
|
|
|
|
```text
|
2018-12-05 18:25:16 +00:00
|
|
|
https://10.0.1.35:8200/ui/
|
2017-05-01 21:36:37 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
It is also accessible at any DNS entry that resolves to that IP address, such as
|
|
|
|
|
the Consul service address (if using Consul):
|
|
|
|
|
|
|
|
|
|
```text
|
2018-12-05 18:25:16 +00:00
|
|
|
https://vault.service.consul:8200/ui/
|
2017-05-01 21:36:37 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Note on TLS
|
|
|
|
|
|
|
|
|
|
When using TLS (recommended), the certificate must be valid for all DNS entries
|
|
|
|
|
you will be accessing the Vault UI on, and any IP addresses on the SAN. If you
|
|
|
|
|
are running Vault with a self-signed certificate, any browsers that access the
|
|
|
|
|
Vault UI will need to have the root CA installed. Failure to do so may result in
|
|
|
|
|
the browser displaying a warning that the site is "untrusted". It is highly
|
|
|
|
|
recommended that client browsers accessing the Vault UI install the proper CA
|
|
|
|
|
root for validation to reduce the chance of a MITM attack.
|
