Boundary http path policy

is there currently a way to define what url path on the boundary controller an authentication token can use? Similar to policies for Consul or Vault, or is this something that might come in the future?

It’s not done by the request path per se, but yes, you can control what Boundary resources a given user can see or use (and what specific actions they can take with them) using Roles:

  • Specifically, you can add a user to a group and add that group (or a user, but groups are easier to work with as you need to update who has access to what) as a principal to a set of roles that carry the grants necessary to do what you want to allow them to do.
  • If you’re using OIDC auth you can set up a managed group where the assignment of the user to the group is automated based on their OIDC claim keys and values.

The “user” perspective of Boundary using roles and grants for accessing resources is quite well explained in the documentation.

I was thinking about the configuration of Boundary itself through this Http api. And here are two aspects I can’t really figure out how it is supposed to be done

  • Is there an equivalent to x-consul-token for Boundary which I can send to authenticate to Boundary Controller and assign some policies to it, that grants only access to a specific url path. For example listing Targets
  • I am using the Vault transit engine as KMS for Boundary. How can I programmatically authenticate with Boundary in this setup? Using username/password seems to be not an ideal solution in this case

Vault policies use path as a proxy for resources and actions on those resources, owing to the K/V roots of the system (same for Consul). Boundary, developed later, has a more explicitly resource-oriented API…so there isn’t a way to do anything via path, but all of the same things you could do in path ACLs in Consul/Vault (that is, identify a resource and an action on it) are simply done directly in Boundary.

So you can’t use Boundary tokens to grant access to a specific URL, but you can use Boundary tokens to grant access to those same resources, e.g. your token could be tied to a user that is a member of a role that is granted list access. (Remember about listing visibility though; you can only list what you have some other action on.)

As for KMS, we don’t allow direct authentication with KMS for Boundary, outside of the recovery workflow using the recovery KMS.