mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-07 15:17:03 +02:00
8f6e95f1a3
* seo updates for config docs * fix content errors * Make KMS title consistent with other stanza titles
76 lines
2.1 KiB
Plaintext
76 lines
2.1 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: GUI - Configuration
|
|
description: >-
|
|
Configure the web interface (GUI) for Vault.
|
|
---
|
|
|
|
# Vault GUI configuration
|
|
|
|
Vault features a user interface (web interface) for interacting with Vault.
|
|
Easily create, read, update, and delete secrets, authenticate, unseal, and
|
|
more with the Vault GUI.
|
|
|
|
## Activating the Vault GUI
|
|
|
|
The Vault GUI is not activated by default. To activate the UI, set the `ui`
|
|
configuration option in the Vault server configuration. Vault clients do not
|
|
need to set this option, since they will not be serving the UI.
|
|
|
|
```hcl
|
|
ui = true
|
|
|
|
listener "tcp" {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For more information, please see the
|
|
[Vault configuration options](/vault/docs/configuration).
|
|
|
|
## Accessing the Vault GUI
|
|
|
|
The UI runs on the same port as the Vault listener. As such, you must configure
|
|
at least one `listener` stanza in order to access the UI.
|
|
|
|
```hcl
|
|
listener "tcp" {
|
|
address = "10.0.1.35:8200"
|
|
|
|
# If bound to localhost, the Vault GUI is only
|
|
# accessible from the local machine!
|
|
# address = "127.0.0.1:8200"
|
|
}
|
|
```
|
|
|
|
In this case, the UI is accessible at the following URL from any machine on the
|
|
subnet (provided no network firewalls are in place):
|
|
|
|
```text
|
|
https://10.0.1.35:8200/ui/
|
|
```
|
|
|
|
It is also accessible at any DNS entry that resolves to that IP address, such as
|
|
the Consul service address (if using Consul):
|
|
|
|
```text
|
|
https://vault.service.consul:8200/ui/
|
|
```
|
|
|
|
### Note on TLS
|
|
|
|
When using TLS (recommended), the certificate must be valid for all DNS entries
|
|
you will be accessing the Vault GUI on, and any IP addresses on the SAN. If you
|
|
are running Vault with a self-signed certificate, any browsers that access the
|
|
Vault GUI will need to have the root CA installed. Failure to do so may result in
|
|
the browser displaying a warning that the site is "untrusted". It is highly
|
|
recommended that client browsers accessing the Vault GUI install the proper CA
|
|
root for validation to reduce the chance of a MITM attack.
|
|
|
|
|
|
## CLI emulation in the Vault GUI
|
|
|
|
The Vault GUI includes an interactive Web REPL to interact with Vault's API much
|
|
like the Vault CLI. For more on that, see the
|
|
[Web REPL documentation](/vault/docs/commands/web).
|