Boundary AWS reference architecture setup - unable to authenticate error

I am able to successfully set up the Boundary HA architecture on AWS using the HashiCorp GitHub page. This deploys 2 controllers, 1 worker, and 1 target on AWS EC2 instances.
When I open the browser and use the load balancer DNS with port 9200, I am able to load the Boundary home page as below.

When I try to create an auth-method on the controller I am getting the following error:
Error opening keyring: Specified keyring backend not available
Token must be provided via BOUNDARY_TOKEN env var or -token flag. Reading the token can also be disabled via -keyring-type=none.
Error from controller when performing create on password-type auth method

Error information:

  • Kind: Unauthenticated
  • Message: Unauthenticated, or invalid token.
  • Status: 401
  • context: Error from controller when performing create on password-type auth method

The following are the questions I have:

  • How do I add a new auth_method to Boundary so that I can create a workflow?
  • How does the worker connect with the target? Do I have to explicitly specify keys somewhere?
  • Can I install the Boundary controller on GCP and the Boundary worker on AWS?

TIA

Sailaja

There’s a Boundary authentication method called the recovery method which doesn’t depend on any auth-methods being explicitly created — it uses a KMS key from a supported provider (either a supported public cloud, or Vault) to establish authentication with the controller. The details of this are set in the controller configuration. Typically this is used for creating Boundary resources with Terraform, but it’s also useful if, for example, you only have OIDC auth methods configured and your OIDC provider goes down, so you can still work with Boundary. Using the recovery method makes the user an ultimate admin, so be sure the recovery key is only accessible by the people and systems that need it.

That said, the reference architecture’s Terraform should have created an auth method along with a bunch of other resources when you applied it. Did you do the second part of the deployment that creates those resources? Without that, you have a blank Boundary install, not particularly useful.

As far as workers connecting to targets, the workers are acting as layer-4 TCP proxies. There’s no connection until the client connects to the target through the worker.

You could deploy Boundary workers in a different cloud than the controllers, as long as the following connectivity is in place:

  • workers need to be able to connect to controllers
  • users’ clients need to be able to connect to both controllers and workers

Oh, something else I just realized – when you do the second apply, the auth method that gets created gets created in the organization scope. So if you got that far, click on “Choose a different scope” and switch to “organization” and you should see a login form there.

I have successfully set up Boundary on AWS and am able to use the backend_users configured. This is ORG scope.
I don't have anything in global scope and I cannot create a global scope from the CLI - getting permission denied errors.
Can you please guide me to set up a global scope, project etc…
And also, when we deploy the reference architecture, the global scope has no auth-methods.

The global scope always exists – it never needs to be created. The reference architecture doesn’t create any auth methods at global scope – you could add that to the Terraform code if you wanted, it’s just not something the code currently implements.

For a more general guide to creating things like projects and other org scopes, or creating auth methods in the global or org scopes, you probably want the Terraform Boundary provider documentation, the scope management documentation and Learn guide, and the auth method documentation.
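As an added example (not code from the reference architecture or from anyone in this thread), the following Terraform configuration ties together the two points above: it authenticates to the controllers with the recovery KMS method described earlier, and uses that to create the password auth method at the global scope that the reference architecture does not create. It assumes the controllers were configured with an AWS KMS `kms` block whose `purpose = "recovery"` matches the one embedded here; the load balancer address, region and key ID are placeholders, and `admin_password` is assumed to be supplied as a sensitive variable rather than written into the file.

```hcl
terraform {
  required_providers {
    boundary = { source = "hashicorp/boundary" }
  }
}

variable "admin_password" {
  type      = string
  sensitive = true
}

# The recovery KMS block must be identical to the "recovery" kms block in the
# controller configuration. Whoever can use this key is an ultimate admin, so the
# IAM policy on the key should be limited to the Terraform runner that bootstraps
# Boundary. The same block works with the CLI via -recovery-config <file>.
provider "boundary" {
  addr             = "http://PLACEHOLDER-controller-lb.example.com:9200"
  recovery_kms_hcl = <<EOT
kms "awskms" {
  purpose    = "recovery"
  region     = "us-east-1"
  kms_key_id = "PLACEHOLDER-recovery-kms-key-id"
}
EOT
}

# Password auth method at the global scope, which the reference architecture
# leaves without any auth methods.
resource "boundary_auth_method_password" "global_password" {
  name     = "global-password"
  scope_id = "global"
}

resource "boundary_account_password" "admin" {
  auth_method_id = boundary_auth_method_password.global_password.id
  login_name     = "admin"
  password       = var.admin_password
}

resource "boundary_user" "admin" {
  name        = "admin"
  scope_id    = "global"
  account_ids = [boundary_account_password.admin.id]
}

# Bootstrap role so the new user can create org scopes and projects. Narrow the
# grant once the initial structure exists instead of leaving a standing full admin.
resource "boundary_role" "global_admin" {
  name          = "global-admin"
  scope_id      = "global"
  principal_ids = [boundary_user.admin.id]
  grant_strings = ["id=*;type=*;actions=*"]
}
```

After `terraform apply`, the login form appears under the global scope in the UI, and the recovery key is no longer needed for day-to-day administration.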