Vault UI
Vault features a web-based user interface (UI) that lets you unseal Vault, authenticate, and manage policies and secrets engines.
Warning
Press Ctrl+C to terminate the development server that is running at http://127.0.0.1:8200 (if any) before proceeding.
Or, run the following command:
$ pgrep -f vault | xargs kill
Server configuration
Note
When you operate Vault in development mode the UI is automatically enabled, but when Vault is running outside of development mode, the UI is not activated by default.
To activate the UI, set the ui configuration option in the Vault server configuration.
ui = true
listener "tcp" {
  # ...
}
storage "storage" {
  # ...
}
The UI runs on the same port as the Vault listener. As such, you must configure at least one listener stanza in order to access the UI.
Example:
ui = true
listener "tcp" {
  address = "10.0.1.35:8200"
  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}
# ...
In this case, the UI is accessible at the following URL from any machine on the
subnet (provided no network firewalls are in place): https://10.0.1.35:8200/ui
It is also accessible at any DNS entry that resolves to that IP address, such as
the Consul service address (if using Consul):
https://vault.service.consul:8200/ui
Note
When you start the Vault server in dev mode, Vault UI is automatically enabled and ready to use.
Start Vault UI
Create a server configuration file named config.hcl.
$ tee config.hcl <<EOF
ui = true
disable_mlock = true

storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
EOF
The raft storage backend requires the filesystem path ./vault/data.
Although the listener stanza disables TLS (tls_disable = "true") for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.
Create the vault/data directory for the storage backend.
$ mkdir -p vault/data
Start a Vault server with the server configuration file named config.hcl.
$ vault server -config=config.hcl
Example output:
==> Vault server configuration:

Administrative Namespace:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Environment Variables: ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_DOMAIN, AWS_DEFAULT_REGION, BOUNDARY_ADDR, COLORFGBG, COLORTERM, COMMAND_MODE, GITHUB_OAUTH_TOKEN, GITREPO, GODEBUG, GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_CLOUD_PROJECT, GOPATH, HCP_CLIENT_ID, HCP_CLIENT_SECRET, HISTTIMEFORMAT, HOME, ITERM_PROFILE, ITERM_SESSION_ID, LANG, LC_TERMINAL, LC_TERMINAL_VERSION, LESS, LOGNAME, LSCOLORS, LaunchInstanceID, OLDPWD, PAGER, PATH, PWD, SECURITYSESSIONID, SHELL, SHLVL, SSH_AUTH_SOCK, STARSHIP_SESSION_KEY, STARSHIP_SHELL, TERM, TERM_PROGRAM, TERM_PROGRAM_VERSION, TERM_SESSION_ID, TMPDIR, USER, VAULT_ADDR, VAULT_LICENSE, XPC_FLAGS, XPC_SERVICE_NAME, ZSH, _, __CFBundleIdentifier, __CF_USER_TEXT_ENCODING
Go Version: go1.21.1
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level:
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: raft (HA available)
Version: Vault v1.15.0-rc1, built 2023-09-11T21:27:08Z
Version Sha: cb153f1cb6669d171585a9b0759de745ce143954

==> Vault server started! Log data will stream in below:

2023-09-15T14:59:56.268-0700 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-09-15T14:59:56.457-0700 [INFO] incrementing seal generation: generation=1
2023-09-15T14:59:56.461-0700 [INFO] core: Initializing version history cache for core
2023-09-15T14:59:56.461-0700 [INFO] events: Starting event system
Launch a web browser, and enter http://127.0.0.1:8200/ui in the address.
The Vault server is uninitialized and sealed. Before continuing, the server's storage backend requires starting a cluster or joining a cluster.
Select Create a new Raft cluster and click Next.
Enter 5 in the Key shares and 3 in the Key threshold text fields.
Click Initialize.
When the unseal keys are presented, scroll down to the bottom and select Download key. Save the generated unseal keys file to your computer.
The unseal process requires these keys, and access requires the root token.
Click Continue to Unseal to proceed.
Open the downloaded file.
Example key file:
{
  "keys": [
    "ecfb4ef59f9a2570f856c471cd3b0580e2b7d99962d5c9af7a25b80138affe935a",
    "807e9bbfb984c631becc526c621c9852f82d88b2347f7398ef7af3c1fbfbbe9fd0",
    "561a7ff6b44b88f96a2d9faca1ae514d1557008ce19283dcfe2fb746ed4f0f7d94",
    "3671e9e817177d79d3c004e0745e5f1d1a5cbfcd9fd6ad22505d4bc538176fa3f9",
    "313fffc1c848276fffe1e3fcfce4d3472d104cda466227ca155e4f693cfbaa36b9"
  ],
  "keys_base64": [
    "7PtO9Z+aJXD4VsRxzTsFgOK32Zli1cmveiW4ATiv/pNa",
    "gH6bv7mExjG+zFJsYhyYUvgtiLI0f3OY73rzwfv7vp/Q",
    "Vhp/9rRLiPlqLZ+soa5RTRVXAIzhkoPc/i+3Ru1PD32U",
    "NnHp6BcXfXnTwATgdF5fHRpcv82f1q0iUF1LxTgXb6P5",
    "MT//wchIJ2//4eP8/OTTRy0QTNpGYifKFV5PaTz7qja5"
  ],
  "root_token": "s.p3L38qZwmnHUgIHR1MBmACfd"
}
Copy one of the keys (not keys_base64) and enter it in the Master Key Portion field. Click Unseal to proceed.
The Unseal status shows 1/3 keys provided.
Enter another key and click Unseal.
The Unseal status shows 2/3 keys provided.
Enter another key and click Unseal.
After 3 out of 5 unseal keys are entered, Vault is unsealed and is ready to operate.
Copy the root_token and enter its value in the Token field. Click Sign in.
The Dashboard displays basic information about the current server settings.
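The tutorial's config.hcl enables the UI on 0.0.0.0:8200 with tls_disable = "true", a combination the text above says is for this tutorial only and not for production. The following shell check is an added example, not part of the original tutorial or of Vault itself: it reads a server configuration and reports listener stanzas that would serve the UI without TLS. The function name audit_vault_ui, its messages and its exit codes are assumptions made for the example.

```sh
#!/bin/sh
# Added example; audit_vault_ui is a hypothetical helper, not a Vault command.
# Reports listener "tcp" stanzas that set tls_disable, and fails when the UI
# is enabled on a non-loopback address without TLS.
# Assumes one setting per line, as in the configuration on this page.
# Exit status: 0 = clean, 1 = warnings only, 2 = at least one failure.
audit_vault_ui() {
  awk '
    /^[ \t]*#/ { next }   # ignore comment lines
    depth == 0 && /^[ \t]*ui[ \t]*=[ \t]*"?true"?/ { ui = 1 }
    depth == 0 && /^[ \t]*listener[ \t]+"tcp"/ {
      in_l = 1; n++
      addr[n] = "127.0.0.1:8200"   # Vault default when address is unset
      notls[n] = 0
    }
    in_l && depth == 1 && /^[ \t]*address[ \t]*=/ {
      if (match($0, /"[^"]*"/)) addr[n] = substr($0, RSTART + 1, RLENGTH - 2)
    }
    in_l && depth == 1 && /^[ \t]*tls_disable[ \t]*=[ \t]*"?(true|1)"?/ { notls[n] = 1 }
    {   # track brace nesting to find the end of the stanza
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth == 0) in_l = 0
    }
    END {
      for (i = 1; i <= n; i++) {
        if (!notls[i]) continue
        if (ui && addr[i] !~ /^(127\.|localhost:|\[::1\]:)/) {
          print "FAIL: UI served over plaintext HTTP on " addr[i]; rc = 2
        } else {
          print "WARN: TLS disabled on " addr[i]; if (rc < 1) rc = 1
        }
      }
      exit rc + 0
    }
  ' "$1"
}

# Constructed sample: the listener settings from this tutorial's config.hcl.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ui = true
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}
EOF
audit_vault_ui "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

Run it against the file passed to vault server -config before starting the server; a non-zero exit status can be used to fail a deployment check.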