open-vault/website/source/docs/enterprise/ui/index.html.md

---
layout: "docs"
page_title: "UI - Vault Enterprise"
sidebar_current: "docs-vault-enterprise-ui"
description: |-
  Vault Enterprise features a user interface for interacting with Vault. Easily
  create, read, update, and delete secrets, authenticate, unseal, and more with
  the Vault Enterprise UI.
---

# Vault Enterprise UI

Vault Enterprise features a user interface for interacting with Vault. Easily
create, read, update, and delete secrets, authenticate, unseal, and more with
the Vault Enterprise UI.

To use the UI, you must have an active or trial license for Vault Enterprise or
Vault Pro. To start a trial, contact [HashiCorp sales](mailto:sales@hashicorp.com).

## Activating the Vault UI

The Vault Enterprise UI is not activated by default. To activate the UI, set the
`ui` configuration option in the Vault server configuration. Vault clients do
not need to set this option, since they will not be serving the UI.

```hcl
ui = true

listener "tcp" {
  address = "10.0.1.35:8200"
}

storage "consul" {
  # ...
}
```

For more information, please see the
[Vault configuration options](/docs/configuration/index.html).

## Accessing the Vault UI

The UI runs on the same port as the Vault listener. As such, you must configure
at least one `listener` stanza in order to access the UI.

```hcl
listener "tcp" {
  address = "10.0.1.35:8200"

  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}
```

In this case, the UI is accessible the following URL from any machine on the
subnet (provided no network firewalls are in place):

```text
https://10.0.1.35:8200/ui
```

It is also accessible at any DNS entry that resolves to that IP address, such as
the Consul service address (if using Consul):

```text
https://vault.service.consul:8200/ui
```

### Note on TLS

When using TLS (recommended), the certificate must be valid for all DNS entries
you will be accessing the Vault UI on, and any IP addresses on the SAN. If you
are running Vault with a self-signed certificate, any browsers that access the
Vault UI will need to have the root CA installed. Failure to do so may result in
the browser displaying a warning that the site is "untrusted". It is highly
recommended that client browsers accessing the Vault UI install the proper CA
root for validation to reduce the chance of a MITM attack.
Add UI docs (#2664) 2017-05-01 21:36:37 +00:00			`---`
			`layout: "docs"`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`page_title: "UI - Vault Enterprise"`
Add UI docs (#2664) 2017-05-01 21:36:37 +00:00			`sidebar_current: "docs-vault-enterprise-ui"`
			`description: \|-`
			`Vault Enterprise features a user interface for interacting with Vault. Easily`
			`create, read, update, and delete secrets, authenticate, unseal, and more with`
			`the Vault Enterprise UI.`
			`---`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`# Vault Enterprise UI`
Add UI docs (#2664) 2017-05-01 21:36:37 +00:00
			`Vault Enterprise features a user interface for interacting with Vault. Easily`
			`create, read, update, and delete secrets, authenticate, unseal, and more with`
			`the Vault Enterprise UI.`

			`To use the UI, you must have an active or trial license for Vault Enterprise or`
			`Vault Pro. To start a trial, contact [HashiCorp sales](mailto:sales@hashicorp.com).`

			`## Activating the Vault UI`

			`The Vault Enterprise UI is not activated by default. To activate the UI, set the`
			`ui` configuration option in the Vault server configuration. Vault clients do
			`not need to set this option, since they will not be serving the UI.`

			```hcl
			`ui = true`

			`listener "tcp" {`
			`address = "10.0.1.35:8200"`
			`}`

			`storage "consul" {`
			`# ...`
			`}`
			```

			`For more information, please see the`
			`[Vault configuration options](/docs/configuration/index.html).`

			`## Accessing the Vault UI`

			`The UI runs on the same port as the Vault listener. As such, you must configure`
			at least one `listener` stanza in order to access the UI.

			```hcl
			`listener "tcp" {`
			`address = "10.0.1.35:8200"`

			`# If bound to localhost, the Vault UI is only`
			`# accessible from the local machine!`
			`# address = "127.0.0.1:8200"`
			`}`
			```

			`In this case, the UI is accessible the following URL from any machine on the`
			`subnet (provided no network firewalls are in place):`

			```text
			`https://10.0.1.35:8200/ui`
			```

			`It is also accessible at any DNS entry that resolves to that IP address, such as`
			`the Consul service address (if using Consul):`

			```text
			`https://vault.service.consul:8200/ui`
			```

			`### Note on TLS`

			`When using TLS (recommended), the certificate must be valid for all DNS entries`
			`you will be accessing the Vault UI on, and any IP addresses on the SAN. If you`
			`are running Vault with a self-signed certificate, any browsers that access the`
			`Vault UI will need to have the root CA installed. Failure to do so may result in`
			`the browser displaying a warning that the site is "untrusted". It is highly`
			`recommended that client browsers accessing the Vault UI install the proper CA`
			`root for validation to reduce the chance of a MITM attack.`