Boundary connect ssh target type, injected credentials are not supported

Hey guys !
We are trying to connect to SSH targets using boundary v0.11. We have been following this tutorial ( and also deployed everything through terraform. The credentials are stored in vault and boundary is supposed to depict them from there.
First of all, differently from the tutorial, it seems like boundary target supports only type tcp instead of http (as described here Terraform Registry)
Secondly, when trying to use “injected_application_credential_source_ids”, boundary fails applying with “message”:"Unable to set credential sources in target: tcp.VetCredentialSources: tcp.Target only supports credential purpose: “brokered”.

The issue we have here is that credentials are not injected into the session (because tcp target type doesn’t support them) and therefore we cannot authenticate to SSH target. Is there a workaround for this ? Thanks !

This is the error we see when connecting through CLI:Credentials:
Credential Source Description: Vault credential library!
Credential Source ID: clvlt_YVal4rDiIh
Credential Source Name: vault-cred-library
Credential Store ID: csvlt_todvFosaV0
Credential Store Type: vault

sandbox@ Permission denied (publickey).

Hi @isanstrazimiri,
Thank you for trying Boundary and welcome to the discuss forum!

Boundary currently has support for two targets types, tcp and ssh. A tcp target can be used for a variety of use cases as long as the underlying protocol is tcp. The error message you are getting is as expected as tcp targets only support brokered credentials (ones returned to the user for them to take action with).

In order for credential injection to work you will need to create an ssh target and then you should be able to add the same credentials you previously created as injected_application_credential_source_ids. This can be done via Terraform or the Boundary CLI as outlined under this section of the tutorial SSH Credential Injection with HCP Boundary | Boundary | HashiCorp Developer

1 Like

Hi @isanstrazimiri, to add onto @louisruch’s post - credential injection is only available when using HCP Boundary and any self-managed workers you are running should be using the HCP worker binary. Can you confirm both of these are true for your environment?

Hi @PPacent & @louisruch.
Thanks for the input. I can confirm that once switching to HCP Boundary the issue was resolved.

1 Like