Authenticate users without giving them an ssh key for servers via boundary

My current setup

  • I have hosted boundary in dev mode on an instance in AWS which can be reached publicly.
  • All the firewall rules are in place.
  • I am also able to authenticate to boundary via the public Boundary API URL from my laptop.
  • Once authenticated I can connect to my target easily only when I have the right SSH key.


Is there a way where I don’t have to give the users (people who want to access the target) the host’s ssh_key/password ?

Hello and thanks for your interest in Boundary! Boundary engineer here. This is a great suggestion. Right now we support a TCP target type, which you can use SSH with: Connect to Your First Target | Boundary - HashiCorp Learn. This means providing a key or password for now. We’re looking into ways to improve the workflow for SSH. Stay tuned!

@randallmorey does that mean that boundary will provide a way to auth SSH connections without providing a 2nd set of credentials?

From my perspective, the point of using boundary would be to avoid sharing SSH keys or credentials with users, but as of now, boundary doesn’t do that. So is this planned for the future?

Hi @rolandjitsu, Boundary product manager here. Thanks for your interest! This suggestion is something we’re working on within the Boundary team and is called out in our Boundary public roadmap under “just-in-time access”: Roadmap | Boundary by HashiCorp. While we don’t yet have a timeline for this ability, this is something we are actively working on. There’s two parts of your ask that we plan to implement:

  1. Boundary needs to be able to manage target credentials and/or broker them from a secure secrets management solution.
  2. Boundary workers needs to be able to inject the credential into a session so that they’re not passed back to the user.

Stay tuned!

1 Like

@PPacent thanks for the quick response! That’s great! Looking forward to the release of these 2 features!

Hey guys, thanks for this info!

I’ve been searching through the docs for anything related to this functionality but found no mention.

Thanks for all of the hard work, I’ll keep an eye on the release notes for these features