Vault UI
Vault features a web-based user interface (UI) that enables you to unseal, authenticate, manage policies and secrets engines.
Warning
Press Ctrl+C to terminate the development server that is running at
http://127.0.0.1:8200
(if any) before proceeding.
Or, run the following command:
$ pgrep -f vault | xargs kill
Server configuration
Note
When you operate Vault in development mode the UI is automatically enabled, but when Vault is running outside of development mode, the UI is not activated by default.
To activate the UI, set the ui
configuration option in the Vault
server configuration.
ui = true listener "tcp" { # ...} storage "storage" { # ...}
The UI runs on the same port as the Vault listener. As such, you must configure
at least one listener
stanza in order to access the UI.
Example:
ui = true listener "tcp" { address = "10.0.1.35:8200" # If bound to localhost, the Vault UI is only # accessible from the local machine! # address = "127.0.0.1:8200"}# ...
In this case, the UI is accessible at the following URL from any machine on the
subnet (provided no network firewalls are in place): https://10.0.1.35:8200/ui
It is also accessible at any DNS entry that resolves to that IP address, such as
the Consul service address (if using Consul):
https://vault.service.consul:8200/ui
Note
When you start the Vault server in dev mode, Vault UI is automatically enabled and ready to use.
Start Vault UI
Create server configuration file named
config.hcl
.$ tee config.hcl <<EOFui = truedisable_mlock = true storage "raft" { path = "./vault/data" node_id = "node1"} listener "tcp" { address = "0.0.0.0:8200" tls_disable = "true"} api_addr = "http://127.0.0.1:8200"cluster_addr = "https://127.0.0.1:8201"EOF
The
raft
storage backend requires the filesystem path./vault/data
.Although the listener stanza disables TLS (
tls_disable = "true"
) for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.Create the
vault/data
directory for the storage backend.$ mkdir -p vault/data
Start a Vault server with server configuration file named
config.hcl
.$ vault server -config=config.hcl
Example output:
==> Vault server configuration:Administrative Namespace: Api Address: http://127.0.0.1:8200 Cgo: disabled Cluster Address: https://127.0.0.1:8201 Environment Variables: ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_DOMAIN, AWS_DEFAULT_REGION, BOUNDARY_ADDR, COLORFGBG, COLORTERM, COMMAND_MODE, GITHUB_OAUTH_TOKEN, GITREPO, GODEBUG, GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_CLOUD_PROJECT, GOPATH, HCP_CLIENT_ID, HCP_CLIENT_SECRET, HISTTIMEFORMAT, HOME, ITERM_PROFILE, ITERM_SESSION_ID, LANG, LC_TERMINAL, LC_TERMINAL_VERSION, LESS, LOGNAME, LSCOLORS, LaunchInstanceID, OLDPWD, PAGER, PATH, PWD, SECURITYSESSIONID, SHELL, SHLVL, SSH_AUTH_SOCK, STARSHIP_SESSION_KEY, STARSHIP_SHELL, TERM, TERM_PROGRAM, TERM_PROGRAM_VERSION, TERM_SESSION_ID, TMPDIR, USER, VAULT_ADDR, VAULT_LICENSE, XPC_FLAGS, XPC_SERVICE_NAME, ZSH, _, __CFBundleIdentifier, __CF_USER_TEXT_ENCODING Go Version: go1.21.1 Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled") Log Level: Mlock: supported: false, enabled: false Recovery Mode: false Storage: raft (HA available) Version: Vault v1.15.0-rc1, built 2023-09-11T21:27:08Z Version Sha: cb153f1cb6669d171585a9b0759de745ce143954==> Vault server started! Log data will stream in below:2023-09-15T14:59:56.268-0700 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""2023-09-15T14:59:56.457-0700 [INFO] incrementing seal generation: generation=12023-09-15T14:59:56.461-0700 [INFO] core: Initializing version history cache for core2023-09-15T14:59:56.461-0700 [INFO] events: Starting event system
Launch a web browser, and enter
http://127.0.0.1:8200/ui
in the address.The Vault server is uninitialized and sealed. Before continuing, the server's storage backend requires starting a cluster or joining a cluster.
Select Create a new Raft cluster and click Next.
Enter
5
in the Key shares and3
in the Key threshold text fields.Click Initialize.
When the unseal keys are presented, scroll down to the bottom and select Download key. Save the generated unseal keys file to your computer.
The unseal process requires these keys and the access requires the root token.
Click Continue to Unseal to proceed.
Open the downloaded file.
Example key file:
{ "keys": [ "ecfb4ef59f9a2570f856c471cd3b0580e2b7d99962d5c9af7a25b80138affe935a", "807e9bbfb984c631becc526c621c9852f82d88b2347f7398ef7af3c1fbfbbe9fd0", "561a7ff6b44b88f96a2d9faca1ae514d1557008ce19283dcfe2fb746ed4f0f7d94", "3671e9e817177d79d3c004e0745e5f1d1a5cbfcd9fd6ad22505d4bc538176fa3f9", "313fffc1c848276fffe1e3fcfce4d3472d104cda466227ca155e4f693cfbaa36b9" ], "keys_base64": [ "7PtO9Z+aJXD4VsRxzTsFgOK32Zli1cmveiW4ATiv/pNa", "gH6bv7mExjG+zFJsYhyYUvgtiLI0f3OY73rzwfv7vp/Q", "Vhp/9rRLiPlqLZ+soa5RTRVXAIzhkoPc/i+3Ru1PD32U", "NnHp6BcXfXnTwATgdF5fHRpcv82f1q0iUF1LxTgXb6P5", "MT//wchIJ2//4eP8/OTTRy0QTNpGYifKFV5PaTz7qja5" ], "root_token": "s.p3L38qZwmnHUgIHR1MBmACfd"}
Copy one of the
keys
(notkeys_base64
) and enter it in the Master Key Portion field. Click Unseal to proceed.The Unseal status shows
1/3 keys provided
.Enter another key and click Unseal.
The Unseal status shows
2/3 keys provided
.Enter another key and click Unseal.
After 3 out of 5 unseal keys are entered, Vault is unsealed and is ready to operate.
Copy the
root_token
and enter its value in the Token field. Click Sign in.The Dashboard displays basic information about the current server settings.