This is regarding trying to log in to an EC2 instance as a target. If we add a credential store in Boundary with Vault integration, where we have provided the ppk file as the secret of the EC2 instance, how can we log in using the Boundary commands and also using the Desktop, as both implementations use a username and password?
There’s not currently a way I know of to use a static private key directly as a credential for connecting to Boundary targets. I believe some users have gotten SSH OTP working by using the `http_request_body` attribute of the credential library, but note that if you do that you won’t see a username/password; you’ll have to copy the `key` attribute out of the API response yourself and paste it as the SSH password in the session.
@omkensey Are there any restrictions that the Vault secret path should contain only one pair of secrets?
Also, can you provide the steps to add Vault secrets and roles through commands for connecting an EC2 target? What kind of roles are set in Vault?
The Vault secret path configured for the credential source should be a single secret. Boundary Desktop will make the API call to Vault to retrieve it, and if it sees a key named `username` and one named `password` in the response it will display those in the connection info dialog. Whether it sees those or not, it will always display the raw API response from Vault in the dialog as well.
There’s a Learn guide for setting up Vault credential brokering, but I don’t have any specific steps to share for setting up EC2 instance access via SSH as a brokered credential.
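As an added illustration of the behaviour described in the replies above (example code written for this thread, not Boundary's own): a small Python model of how a brokered Vault response is read, fed a constructed KV v2 secret and a constructed SSH OTP response. The KV v2 `data.data` nesting and the rule that both keys must be present before a pair is shown are assumptions of the model.

```python
# Added example (not Boundary's code): a small model of how the reply above
# describes Boundary Desktop handling a brokered Vault secret. It looks for a
# "username" and a "password" key in the Vault API response and, whatever it
# finds, always keeps the raw response. The KV v2 nesting (data.data) and the
# "both keys required" rule are assumptions of this model.
import json
from typing import Any, Dict, Iterator, Optional


def _candidate_maps(body: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield where a secret's fields may live: data (KV v1, SSH engine) and data.data (KV v2)."""
    data = body.get("data")
    if isinstance(data, dict):
        yield data
        inner = data.get("data")
        if isinstance(inner, dict):
            yield inner


def brokered_credentials(raw_response: str) -> Dict[str, Any]:
    """Return the username/password pair the dialog would show (None if absent) plus the raw body."""
    body = json.loads(raw_response)
    username: Optional[str] = None
    password: Optional[str] = None
    for fields in _candidate_maps(body):
        if "username" in fields and "password" in fields:
            username, password = str(fields["username"]), str(fields["password"])
            break
    return {"username": username, "password": password, "raw": body}


# Constructed sample: a KV v2 secret holding a username/password pair for an EC2 box.
KV2_RESPONSE = json.dumps({
    "request_id": "constructed-1",
    "data": {"data": {"username": "ec2-user", "password": "constructed-pw"},
             "metadata": {"version": 1}},
})

# Constructed sample: a Vault SSH secrets engine OTP response. There is no "password"
# key; the one-time password sits under "key", which the reply says has to be copied
# out of the raw response and pasted as the SSH password.
SSH_OTP_RESPONSE = json.dumps({
    "request_id": "constructed-2",
    "data": {"username": "ubuntu", "ip": "10.0.0.5", "key": "constructed-otp",
             "key_type": "otp", "port": 22},
})

if __name__ == "__main__":
    for label, resp in (("kv2", KV2_RESPONSE), ("ssh-otp", SSH_OTP_RESPONSE)):
        creds = brokered_credentials(resp)
        print(label, creds["username"], creds["password"])
        print("raw:", json.dumps(creds["raw"]["data"]))
```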
Thanks @omkensey. Also, what if we want to store multiple login credentials in a single secret path, rather than creating multiple secret paths for each and every resource; is that possible? And also, how do we manage that particular users can have access to only particular resources? Is it done using Vault or OIDC integration?