Skip to main content

OpenBao UI

OpenBao features a user interface (web interface) for interacting with OpenBao. Easily create, read, update, and delete secrets, authenticate, unseal, and more with the OpenBao UI.

Activating the OpenBao UI

The OpenBao UI is not activated by default. To activate the UI, set the ui configuration option in the OpenBao server configuration. OpenBao clients do not need to set this option, since they will not be serving the UI.

ui = true

listener "tcp" {
  # ...
}

For more information, please see the OpenBao configuration options.

Accessing the OpenBao UI

The UI runs on the same port as the OpenBao listener. As such, you must configure at least one listener stanza in order to access the UI.

listener "tcp" {
  address = "10.0.1.35:8200"

  # If bound to localhost, the OpenBao UI is only
  # accessible from the local machine!
  # address = "127.0.0.1:8200"
}

In this case, the UI is accessible at the following URL from any machine on the subnet (provided no network firewalls are in place):

https://10.0.1.35:8200/ui/

It is also accessible at any DNS entry that resolves to that IP address, such as the Consul service address (if using Consul):

https://openbao.service.consul:8200/ui/

Note on TLS

When using TLS (recommended), the certificate must be valid for all DNS entries you will be accessing the OpenBao UI on, and any IP addresses on the SAN. If you are running OpenBao with a self-signed certificate, any browsers that access the OpenBao UI will need to have the root CA installed. Failure to do so may result in the browser displaying a warning that the site is "untrusted". It is highly recommended that client browsers accessing the OpenBao UI install the proper CA root for validation to reduce the chance of a MITM attack.