How do I connect to Vault in Docker running with -dev-tls?

I’m running Vault with the newish -dev-tls flag in Docker like so:

docker run -d --cap-add=IPC_LOCK --name=dev-vault \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=demo-root' \
    -p 8200:8200 \
    hashicorp/vault vault server -dev-tls

It fires up fine, but I am unable to connect to it:

$ export VAULT_ADDR=https://127.0.0.1:8200
$ export VAULT_TOKEN=demo-root
$ vault secrets enable -tls-skip-verify transit
Error enabling: Post "https://127.0.0.1:8200/v1/sys/mounts/transit": EOF

It works fine if I run it inside the container:

$ docker exec -it dev-vault env VAULT_TOKEN=demo-root vault secrets enable -tls-skip-verify transit
Success! Enabled the transit secrets engine at: transit/

It also works fine if I don’t use -dev-tls. FWIW, here’s what curl shows:

$ curl -v -X POST https://127.0.0.1:8200/v1/sys/mounts/transit
*   Trying 127.0.0.1:8200...
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:8200 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:8200 

What am I missing? Is the port mapping not right somehow?

1 Like

Dev mode Vault listens on 127.0.0.1 by default. Therefore, when your forwarded connection arrives at the container trying to connect to its Docker-assigned container IP, that’s not where Vault is listening, so the connection is rejected.

You can use -dev-listen-address=0.0.0.0:8200 to resolve this.

2 Likes
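The reasoning in the answer above, turned into a small check plus the corrected command, as an added example that is not code from the original thread or from HashiCorp. It assumes that Vault's startup banner contains a line of the form `Listener 1: tcp (addr: "127.0.0.1:8200", ...)` (compare with `docker logs dev-vault`), and the `127.0.0.1:` prefix on the host side of `-p` is an added hardening choice, not something the answer asked for: a dev server with a known root token should not be exposed on every host interface.

```shell
#!/bin/sh
# Added example, not from the original thread or from HashiCorp.
# Assumptions: the "Listener 1: tcp (addr: ...)" line below is what Vault
# prints in its startup banner; binding the published port to 127.0.0.1 on
# the host is an added hardening choice.
set -eu

CONTAINER=dev-vault
IMAGE=hashicorp/vault
PORT=8200

# Pull the listener address out of Vault's startup banner, e.g.
#   docker logs dev-vault 2>&1 | listener_addr_from_log
listener_addr_from_log() {
    sed -n 's/.*Listener 1: tcp (addr: "\([^"]*\)".*/\1/p' | head -n 1
}

# Can traffic that Docker forwards for -p reach a listener bound to $1?
# Forwarded packets arrive on the container's own interface address, so a
# loopback bind (the dev-mode default) is unreachable, while a wildcard or
# the interface address works. Exit status 0 = reachable, 1 = not.
listener_reachable_via_port_map() {
    addr=${1%:*}
    case "$addr" in
        127.*|localhost|::1|'[::1]') return 1 ;;
        *) return 0 ;;
    esac
}

# The poster's command with the answer's fix applied. The host-side
# 127.0.0.1: prefix on -p keeps the root-token dev server off LAN-facing
# interfaces; drop it only if other machines must reach Vault.
fixed_docker_run_cmd() {
    printf 'docker run -d --cap-add=IPC_LOCK --name=%s -e VAULT_DEV_ROOT_TOKEN_ID=demo-root -p 127.0.0.1:%s:%s %s vault server -dev-tls -dev-listen-address=0.0.0.0:%s\n' \
        "$CONTAINER" "$PORT" "$PORT" "$IMAGE" "$PORT"
}

# Stand-alone run: classify the default and the fixed bind address, then
# print the corrected command.
for a in 127.0.0.1:8200 0.0.0.0:8200; do
    if listener_reachable_via_port_map "$a"; then
        echo "$a: reachable through -p $PORT:$PORT"
    else
        echo "$a: NOT reachable through -p $PORT:$PORT (dev-mode default)"
    fi
done
fixed_docker_run_cmd
```

After restarting the container with the printed command, `docker logs dev-vault 2>&1 | listener_addr_from_log` should report `0.0.0.0:8200`, and the `vault secrets enable -tls-skip-verify transit` call from the question works from the host. Note that `-tls-skip-verify` disables certificate checking entirely; even for a dev server, pointing `VAULT_CACERT` at the CA certificate the dev server generates is the better habit.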

Ah-hah, thank you, that makes complete sense.

1 Like