Basic administration tutorial errors

Hi everyone,
I created a Boundary Postgres db, 1 controller and 1 worker in my AWS account for testing purposes without any problem!
So, I followed the instructions in https://learn.hashicorp.com/collections/boundary/basic-administration to test Boundary functionality!
After creating a target, host-catalog, host-set and 1 host, I tested Boundary Desktop session connectivity with the admin generated password and it works perfectly!
I have some problems instead when I try to connect with the user created following the tutorial mentioned: targets are not shown in Boundary Desktop and the CLI command “boundary scope lists -scope-id=<project_id>” returns 403

This is the complete list of Boundary created resources (obtained with admin user) and finally errors displayed:

$ boundary scopes list -recursive

Scope information:
  ID:                    o_8nBVBFKtKu
    Scope ID:            global
    Version:             1
    Name:                <-- omitted -->
    Description:         <-- omitted -->
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    o_UieGpgSxeX
    Scope ID:            global
    Version:             1
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    p_hrfkCynu8q
    Scope ID:            o_UieGpgSxeX
    Version:             1
    Name:                Generated project scope
    Description:         Provides an initial project scope in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete

  ID:                    p_nqog2SFHC9
    Scope ID:            o_8nBVBFKtKu
    Version:             1
    Name:                <-- omitted -->
    Description:         <-- omitted -->
    Authorized Actions:
      no-op
      read
      update
      delete

$ boundary accounts read -id=$ACCOUNT_ID

Account information:
  Auth Method ID:      ampw_yIsAtHy4Ly
  Created Time:        Wed, 29 Dec 2021 08:42:15 CET
  Description:         Giovanni Account
  ID:                  acctpw_8ykXgdeTMv
  Name:                giovanni
  Type:                password
  Updated Time:        Wed, 29 Dec 2021 08:42:15 CET
  Version:             1

  Scope:
    ID:                o_8nBVBFKtKu
    Name:              <-- omitted -->
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    set-password
    change-password

  Attributes:
    Login Name:        giovanni

$ boundary users read -id=$USER_ID

User information:
  Created Time:        Wed, 29 Dec 2021 08:43:02 CET
  Description:         <-- omitted -->
  ID:                  u_bkDQay01lP
  Name:                giovanni
  Updated Time:        Wed, 29 Dec 2021 08:43:51 CET
  Version:             2

  Scope:
    ID:                o_8nBVBFKtKu
    Name:              <-- omitted -->
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-accounts
    set-accounts
    remove-accounts

  Accounts:
    ID:                acctpw_8ykXgdeTMv
    Scope ID:          o_8nBVBFKtKu

$ boundary groups read -id=$GROUP_ID

Group information:
  Created Time:        Wed, 29 Dec 2021 12:38:41 CET
  Description:         <-- omitted -->
  ID:                  g_IPQY9RtN7J
  Name:                <-- omitted -->
  Updated Time:        Wed, 29 Dec 2021 12:40:32 CET
  Version:             2

  Scope:
    ID:                o_8nBVBFKtKu
    Name:              <-- omitted -->
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-members
    set-members
    remove-members

  Members:
    ID:                u_bkDQay01lP
    Scope ID:          o_8nBVBFKtKu

$ boundary roles read -id=$ROLE_ID

Role information:
  Created Time:        Wed, 29 Dec 2021 12:37:16 CET
  Description:         Role with read-only permission
  Grant Scope ID:      o_8nBVBFKtKu
  ID:                  r_tATkoQmBV6
  Name:                read-only
  Updated Time:        Wed, 29 Dec 2021 12:42:28 CET
  Version:             3

  Scope:
    ID:                o_8nBVBFKtKu
    Name:              <-- omitted -->
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             g_IPQY9RtN7J
      Type:         group
      Scope ID:     o_8nBVBFKtKu

  Canonical Grants:
    id=*;type=*;actions=list,read

$ boundary targets list -scope-id $PROJECT_ID

Target information:
  ID:                    ttcp_sXwYN5hAk8
    Version:             2
    Type:                tcp
    Name:                <-- omitted -->
    Description:         <-- omitted -->
    Authorized Actions:
      no-op
      read
      update
      delete
      add-host-sets
      set-host-sets
      remove-host-sets
      add-host-sources
      set-host-sources
      remove-host-sources
      add-credential-libraries
      set-credential-libraries
      remove-credential-libraries
      add-credential-sources
      set-credential-sources
      remove-credential-sources
      authorize-session

When I try to get target details as the Giovanni user I obtain error 403:

$ boundary authenticate password -auth-method-id ampw_yIsAtHy4Ly -login-name giovanni -password <-- omitted -->

Authentication information:
  Account ID:      acctpw_8ykXgdeTMv
  Auth Method ID:  ampw_yIsAtHy4Ly
  Expiration Time: Wed, 05 Jan 2022 18:03:38 CET
  User ID:         u_bkDQay01lP

The token was successfully stored in the chosen keyring and is not displayed here.

$ boundary scopes read -id=$ORG_ID

Error from controller when performing read on scope

Error information:
  Kind:                PermissionDenied
  Message:             Forbidden.
  Status:              403
  context:             Error from controller when performing read on scope

$ boundary scopes read -id=$PROJECT_ID

Scope information:
  Created Time:        Wed, 29 Dec 2021 08:25:42 CET
  Description:         <-- omitted -->
  ID:                  p_nqog2SFHC9
  Name:                <-- omitted -->
  Updated Time:        Wed, 29 Dec 2021 08:25:42 CET
  Version:             1

  Scope (parent):
    ID:                o_8nBVBFKtKu
    Name:              <-- omitted -->
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read

  Authorized Actions on Scope's Collections:
    sessions:
      list

$ boundary targets list -scope-id $PROJECT_ID

Error from controller when performing list on targets

Error information:
  Kind:                PermissionDenied
  Message:             Forbidden.
  Status:              403
  context:             Error from controller when performing list on targets

I probably made a mistake, I just can’t find it!
Thanks in advance to those who want to help me :wink:

Try granting the list permission to your role for the project scope the target you created is in, and retry.

The role already has the list and read permissions and is associated with the user group principal; forgive the banality, but I don’t understand where I’m wrong!

$ boundary roles read -id=$ROLE_ID

Role information:
  Created Time:        Wed, 29 Dec 2021 12:37:16 CET
  Description:         Role with read-only permission
  Grant Scope ID:      o_8nBVBFKtKu
  ID:                  r_tATkoQmBV6
  Name:                read-only
  Updated Time:        Wed, 29 Dec 2021 12:42:28 CET
  Version:             3

  Scope:
    ID:                o_8nBVBFKtKu
    Name:              <-- omitted -->
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete
    add-principals
    set-principals
    remove-principals
    add-grants
    set-grants
    remove-grants

  Principals:
    ID:             g_IPQY9RtN7J
      Type:         group
      Scope ID:     o_8nBVBFKtKu

  Canonical Grants:
    id=*;type=*;actions=list,read

(sorry I’m getting back to this so late…)

OK, so previously I stood up a dev instance and followed the tutorial in a couple of variations. When using the built-in generated resources, everything works, however when following the tutorial and creating a new org/project/auth-method/account/user/group/role as specified, I get the same error you do – so I can at least verify that if you’re making a mistake somewhere, I’m probably making the same mistake in the same place :slight_smile:

However, I’m curious if you’ve already gotten this working, and if so what extra permissions did you end up granting? Or if not working, have you gotten any further with it in the meantime?


Thanks for your time, I tried several solutions but none worked, even with full permissions “id = *;type = *;actions = *”. I also completely rebuilt the infrastructure (thanks to terraform, great tool!). In the meantime I have been busy with other activities while waiting to find more time for this topic.

The role shown above is at an org scope, not a project scope. This might be a typo in the guide if it is suggesting creating a role to list targets but not which scope to apply the role to.
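A check for the mismatch described in the reply above, added here as an example; it is not code from this thread or from HashiCorp. It reuses the `boundary roles read` output quoted earlier in the thread as a constructed sample, extracts the role's `Grant Scope ID`, and reports whether that scope is the project the target lives in (targets are project-scoped, so a role whose grant scope is the org grants nothing on them). The `-grant-scope-id` flag name in the suggested fix is assumed from the Boundary 0.x CLI; confirm it with `boundary roles update -h` on your version.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a Boundary role's
# grant scope actually covers the project that holds the target.
# Targets live in project scopes; a role whose Grant Scope ID is the org
# (o_...) grants nothing on resources inside a child project (p_...).

# Constructed sample: the `boundary roles read` output quoted in the thread.
ROLE_OUTPUT='Role information:
  Created Time:        Wed, 29 Dec 2021 12:37:16 CET
  Description:         Role with read-only permission
  Grant Scope ID:      o_8nBVBFKtKu
  ID:                  r_tATkoQmBV6
  Name:                read-only

  Canonical Grants:
    id=*;type=*;actions=list,read'

# Extract the value of one "Key:   value" line from CLI output.
# $1 = key name, stdin = the CLI output. Only the first match is printed.
field() {
  sed -n "s/^ *$1: *//p" | head -n 1
}

# Print "ok" when the role's grant scope is the project holding the target,
# otherwise "mismatch <grant-scope>" so a caller can act on it.
# $1 = role output, $2 = project scope id of the target.
check_grant_scope() {
  role_output=$1
  project_id=$2
  grant_scope=$(printf '%s\n' "$role_output" | field 'Grant Scope ID')
  if [ "$grant_scope" = "$project_id" ]; then
    echo "ok"
  else
    echo "mismatch $grant_scope"
  fi
}

# Print the CLI command that re-points the role at the project.
# Assumption: flag name as in the Boundary 0.x CLI (check `boundary roles update -h`).
suggest_fix() {
  role_id=$1
  project_id=$2
  printf 'boundary roles update -id=%s -grant-scope-id=%s\n' "$role_id" "$project_id"
}

main() {
  # Project id taken from the thread's `boundary scopes list` output.
  project=p_nqog2SFHC9
  role_id=$(printf '%s\n' "$ROLE_OUTPUT" | field 'ID')
  result=$(check_grant_scope "$ROLE_OUTPUT" "$project")
  case $result in
    ok)
      echo "role $role_id already grants on project $project" ;;
    mismatch*)
      echo "role $role_id grants on ${result#mismatch } (an org), not on project $project; fix with:"
      suggest_fix "$role_id" "$project" ;;
  esac
}
main
```

The alternative to changing the grant scope is to create the role inside the project scope itself (`-scope-id=p_...`), in which case the grant scope defaults to that project; either way, the grant string `id=*;type=*;actions=list,read` only takes effect on resources in the scope the role's Grant Scope ID points at.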

Hello everyone

I have exactly the same problem as @giocolas. I followed the whole basic administration guide Manage Roles and Permissions | Boundary - HashiCorp Learn, and user tester01 is unable to read the current org scope, but can read the project. However, the user cannot read any target in this project

$ boundary authenticate password -login-name="tester01" -password="supersecure" -auth-method-id="ampw_xwWWCmGnKw" -keyring-type=none
export BOUNDARY_TOKEN="..."

$ boundary scopes list -recursive

Scope information:
  ID:                    o_ACV06jdjl2
    Scope ID:            global
    Version:             1
    Name:                IT_Support
    Description:         IT Support Team
    Authorized Actions:
      no-op

  ID:                    o_oeWpYAn00X
    Scope ID:            global
    Version:             1
    Name:                Generated org scope
    Description:         Provides an initial org scope in Boundary
    Authorized Actions:
      no-op

  ID:                    p_sEx7Cl5Wo6
    Scope ID:            o_oeWpYAn00X
    Version:             1
    Name:                Generated project scope
    Description:         Provides an initial project scope in Boundary
    Authorized Actions:
      no-op

  ID:                    p_uwyPWxF1zI
    Scope ID:            o_ACV06jdjl2
    Version:             1
    Name:                QA_Tests
    Description:         Manage QA machines
    Authorized Actions:
      no-op
      read
      update
      delete


$ boundary scopes read -id="o_ACV06jdjl2"
Error from controller when performing read on scope

Error information:
  Kind:                PermissionDenied
  Message:             Forbidden.
  Status:              403
  context:             Error from controller when performing read on scope


$ boundary scopes read -id="p_uwyPWxF1zI"

Scope information:
  Created Time:        Thu, 10 Mar 2022 11:19:58 CET
  Description:         Manage QA machines
  ID:                  p_uwyPWxF1zI
  Name:                QA_Tests
  Updated Time:        Thu, 10 Mar 2022 11:19:58 CET
  Version:             1

  Scope (parent):
    ID:                o_ACV06jdjl2
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org

  Authorized Actions:
    no-op
    read
    update
    delete

  Authorized Actions on Scope's Collections:
    sessions:
      list
    targets:
      list

$ boundary targets list -recursive
No targets found

If I try with an admin token on the “Generated global scope initial password auth method”:

$ boundary targets list -recursive

Target information:
  ID:                    ttcp_lkjcqLcPw9
    Scope ID:            p_sEx7Cl5Wo6
    Version:             2
    Type:                tcp
    Name:                Generated target
    Description:         Provides an initial target in Boundary
    Authorized Actions:
      no-op
      read
      update
      delete
      add-host-sets
      set-host-sets
      remove-host-sets
      add-host-sources
      set-host-sources
      remove-host-sources
      add-credential-libraries
      set-credential-libraries
      remove-credential-libraries
      add-credential-sources
      set-credential-sources
      remove-credential-sources
      authorize-session

  ID:                    ttcp_wjxjejBJvC
    Scope ID:            p_uwyPWxF1zI
    Version:             2
    Type:                tcp
    Name:                tests
    Description:         Test target
    Authorized Actions:
      no-op
      read
      update
      delete
      add-host-sets
      set-host-sets
      remove-host-sets
      add-host-sources
      set-host-sources
      remove-host-sources
      add-credential-libraries
      set-credential-libraries
      remove-credential-libraries
      add-credential-sources
      set-credential-sources
      remove-credential-sources
      authorize-session

And if I try to read the target as tester01 I get a 403 …

$ boundary targets read -id="ttcp_wjxjejBJvC"
Error from controller when performing read on target

Error information:
  Kind:                PermissionDenied
  Message:             Forbidden.
  Status:              403
  context:             Error from controller when performing read on target

User tester01 has the grant id=*;type=*;actions=* on the current role

I do not understand where to give the correct permission to grant access to the target

Thanks for your help