Vault UI
Vault features a web-based user interface (UI) that lets you unseal Vault, authenticate, and manage policies and secrets engines.
Server configuration
To activate the UI, set the ui option in the Vault server configuration. The UI runs on the same port as the Vault listener, so you must configure at least one listener stanza in order to access the UI.
For example, the following configuration block enables the UI at https://10.0.1.35:8200/ui for any machine on the same subnet, as long as there are no network firewalls in place that explicitly block communication:

ui = true
listener "tcp" {
  address = "10.0.1.35:8200"
  # If bound to localhost, the Vault UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}
# ...
The Vault UI is also accessible at any DNS entry that resolves to the configured IP address. For example, if you use Consul, you could configure a Consul service address for the Vault UI as https://vault.service.consul:8200/ui.
UI enabled in dev mode by default
When you start the Vault server in dev mode, the Vault UI is automatically enabled at http://127.0.0.1:8200/ui and ready to use.
Policy requirements
Set UI policies before enabling the UI
You cannot make policy adjustments or overwrites to the ui/mounts and ui/resultant-acl endpoints once you enable the Vault UI. Vault ignores policy updates that target these paths with explicit deny capabilities. Depending on your Vault configuration, you may need to define UI policies with different ACL capabilities from the permissions provided by your Vault CLI policies.
The default UI policy includes two paths, which cannot be modified with additional policies once you enable the UI:
- /sys/internal/ui/mounts - provides a list of currently visible mounts based on the listing_visibility parameter. sys/internal/ui/mounts is an unauthenticated, internal endpoint used for UI and CLI preflight checks. Requests that include an X-Vault-Token will return all mounts the token has path capabilities on.
- /sys/internal/ui/resultant-acl - repackages authentication information used by the UI. If you do not have permission to call the ui/resultant-acl endpoint, you may receive warnings or errors in the UI.
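As an added example (not from the Vault documentation), the following policy shows the difference between what a CLI user needs and what the same user needs before the UI can log in and browse a mount. It assumes a KV version 2 secrets engine mounted at secret/ and a team working under team-a/; both names are placeholders.

```hcl
# Added example, not Vault's own policy. Assumes a KV v2 engine mounted at
# secret/ whose data for this team lives under team-a/.

# --- Sufficient for the CLI ---------------------------------------------
# `vault kv get secret/team-a/db` and `vault kv put ...` work with this alone.
path "secret/data/team-a/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# --- Additional paths the UI relies on ----------------------------------

# On login the UI calls sys/internal/ui/resultant-acl to learn what the token
# may do. The default policy already grants this; it is repeated here so the
# policy also works for tokens issued without the default policy. Note that
# an explicit "deny" on this path is ignored once the UI is enabled.
path "sys/internal/ui/resultant-acl" {
  capabilities = ["read"]
}

# The UI tree view lists a KV v2 mount through its metadata paths, not its
# data paths, so browsing team-a/ needs list (and read) on secret/metadata/.
# The CLI user above never needed this to fetch a known key.
path "secret/metadata/team-a/*" {
  capabilities = ["list", "read"]
}

# No sys/mounts permission is needed for secret/ to appear in the UI: with a
# token, sys/internal/ui/mounts returns every mount the token has path
# capabilities on. To show the mount on the login page before authentication,
# tune the mount's listing_visibility to "unauth" instead of widening policy.
```

Apply it with `vault policy write team-a-ui <file>` and attach it to the team's auth method role; users with only the first block can still read secrets from the CLI but will not be able to browse the mount in the UI.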
Tutorial
Refer to the UI quick start tutorials to get familiar with Vault UI.