Boundary integration with vault

This is regarding trying to log in to an EC2 instance as a target. If we add a credential store in Boundary with Vault integration, where we have provided the ppk file as the secret of the EC2 instance, how can we log in using the Boundary commands and also using the Desktop, as both implementations use a username and password?

There’s not currently a way I know of to use a static private key directly as a credential for connecting to Boundary targets. I believe some users have gotten SSH OTP working by using the http_request_body attribute of the credential library, but note that if you do that you won’t see a username/password, you’ll have to copy the key attribute out of the API response yourself and paste it as the SSH password in the session.

@omkensey Are there any restrictions that the Vault secret path should contain only one pair of secrets?
Also, can you provide the steps to add Vault secrets and roles through commands for connecting an EC2 target? What kind of roles are set in Vault?

The Vault secret path configured for the credential source should be a single secret. Boundary Desktop will make the API call to Vault to retrieve it, and if it sees a key named username and one named password in the response it will display those in the connection info dialog. Whether it sees those or not, it will always display the raw API response from Vault in the dialog as well.

There’s a Learn guide for setting up Vault credential brokering, but I don’t have any specific steps to share for setting up EC2 instance access via SSH as a brokered credential.

Thanks @omkensey. Also, what if we want to store multiple login credentials in a single secret path, rather than creating multiple secret paths for each and every resource; is that possible? And also, how do we manage that particular users can have access to only particular resources? Is it done using Vault or OIDC integration?

In a single secret you can only store one login credential configuration – so if it’s a Vault dynamic secret, it would be one dynamic secret config in Vault that could generate multiple secrets; if it’s a K/V secret in Vault it would be one K/V secret per username/password combo. If you create multiple Vault K/V secrets you can use them to store multiple credentials, one each, but you would need a separate Boundary credential library for each K/V secret.

Another thing you can look at is a static credential store – that’s new in version 0.9.0. You still need one credential per username/password but Vault isn’t involved, the credential is stored and updated directly as a native Boundary resource.

Resource access is done via roles and groups. You can create managed groups that define their membership by a filter that works on the claims from an OIDC auth method – users who match the filter when they log in are members of the managed group, users who don’t, aren’t. The filters can be pretty flexible, but commonly OIDC group membership claims are used to define the membership of the Boundary managed group as well.

Also keep in mind that brokered credentials return what Vault returns. If you keep multiple credentials at the same path somewhere in the data map then you’ll see all of those when brokered.
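As an added example (not from the thread or from the Boundary project), the following script lays out the pattern described in the reply above: one Vault K/V v2 secret per username/password pair, one Boundary Vault credential library per secret, and the 0.9.0 static credential store as the Vault-free alternative. It assumes VAULT_ADDR, VAULT_TOKEN and BOUNDARY_ADDR are set, that you are already logged in to Boundary, that jq is installed, and that the scope, target and mount names are placeholders to replace. The flag names are the Vault and Boundary CLI flags as of the 0.9-era releases; check them against your installed versions.

```shell
#!/bin/sh
# Added example, not from the thread: one Vault K/V v2 secret per
# username/password pair, one Boundary Vault credential library per secret,
# and the 0.9.0 static credential store as the Vault-free alternative.
# Assumptions (placeholders, not real IDs): PROJECT_ID, TARGET_ID, VAULT_ADDR,
# VAULT_TOKEN and BOUNDARY_ADDR are set, and you are already logged in to
# Boundary with permission to create credential resources.
set -eu

KV_MOUNT="${KV_MOUNT:-boundary-creds}"      # K/V v2 mount used only for brokering
PROJECT_ID="${PROJECT_ID:-p_PLACEHOLDER}"   # project scope that owns the target
TARGET_ID="${TARGET_ID:-ttcp_PLACEHOLDER}"  # the SSH target (e.g. the EC2 host)

# K/V v2 serves data under <mount>/data/<name>; that is the path the
# credential library must request, not the logical <mount>/<name> path.
library_path() {
  printf '%s/data/%s' "$KV_MOUNT" "$1"
}

# Minimal policy for the token Boundary holds: read access to the brokering
# mount plus the token/lease self-management endpoints the controller uses.
boundary_policy() {
  cat <<EOF
path "auth/token/lookup-self"  { capabilities = ["read"] }
path "auth/token/renew-self"   { capabilities = ["update"] }
path "auth/token/revoke-self"  { capabilities = ["update"] }
path "sys/leases/renew"        { capabilities = ["update"] }
path "sys/leases/revoke"       { capabilities = ["update"] }
path "sys/capabilities-self"   { capabilities = ["update"] }
path "${KV_MOUNT}/data/*"      { capabilities = ["read"] }
EOF
}

# One secret per credential: exactly one "username" and one "password" key,
# which is what Boundary Desktop looks for in the brokered response.
# Everything but the token is sent to stderr so the caller can capture it.
vault_setup() {
  vault secrets enable -path="$KV_MOUNT" kv-v2 >&2
  vault kv put "$KV_MOUNT/web-admin" username="webadmin" password="$WEB_ADMIN_PASSWORD" >&2
  vault kv put "$KV_MOUNT/db-readonly" username="reporting" password="$DB_READONLY_PASSWORD" >&2
  boundary_policy | vault policy write boundary-controller - >&2
  # Periodic, renewable, orphan token so Boundary can keep renewing it itself.
  vault token create -no-default-policy -policy=boundary-controller \
    -orphan -period=24h -renewable -field=token
}

# One credential library per K/V secret, all attached to the same store.
boundary_setup() {
  vault_token="$1"
  store_id=$(boundary credential-stores create vault -scope-id "$PROJECT_ID" \
    -vault-address "$VAULT_ADDR" -vault-token "$vault_token" \
    -format=json | jq -r '.item.id')
  for name in web-admin db-readonly; do
    lib_id=$(boundary credential-libraries create vault \
      -credential-store-id "$store_id" -name "$name" \
      -vault-path "$(library_path "$name")" -format=json | jq -r '.item.id')
    boundary targets add-credential-sources -id "$TARGET_ID" \
      -brokered-credential-source "$lib_id"
  done
}

# Vault-free alternative (0.9.0+): a static store holding the credential as a
# native Boundary resource. env:// keeps the secret out of the shell history.
boundary_static_alternative() {
  static_id=$(boundary credential-stores create static -scope-id "$PROJECT_ID" \
    -name "static-creds" -format=json | jq -r '.item.id')
  boundary credentials create username-password -credential-store-id "$static_id" \
    -name "web-admin" -username "webadmin" -password env://WEB_ADMIN_PASSWORD
}

# Only touch real systems when explicitly asked; sourcing just defines helpers.
if [ "${1:-}" = "apply" ]; then
  token=$(vault_setup)
  boundary_setup "$token"
fi
```

Run it as `sh broker.sh apply` once the placeholders are filled in. Keeping the brokering mount separate from other K/V data matters because, as the reply notes, Boundary shows the whole data map of whatever secret the library reads; a dedicated mount with one username/password per secret keeps the read policy narrow and the dialog free of unrelated keys.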

Yeah, that's right. So is there a way we can get the credentials according to username, like fetching credentials for that username only from a path where we have multiple credentials?

You can create a custom Vault API call with the path, http_method and http_request_body attributes of the Vault credential library, but (as far as I know) you can’t use any kind of variables or templating in them, so there’s no way to have one library serve different credentials to different users.
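As an added example (not from the thread or from the Boundary project), here is what the custom API call described above looks like in practice, using the SSH OTP approach mentioned earlier in the thread: a credential library whose path, http_method and http_request_body target Vault's SSH secrets engine OTP role. Because the request body is a fixed string, the library is pinned to one target IP and one username, which is exactly why one library cannot serve different credentials to different users. It assumes STORE_ID is an existing Boundary Vault credential store whose token policy allows writing ssh/creds/otp_key_role, that jq is installed, and that the IDs and addresses are placeholders; flag names are the Vault and Boundary CLI flags as I know them, so verify them against your versions.

```shell
#!/bin/sh
# Added example, not from the thread: a Vault credential library that makes a
# custom API call (path + http_method + http_request_body) to the Vault SSH
# secrets engine's OTP role. The body is a literal string, so each
# library serves exactly one host/username combination.
# Assumptions (placeholders): STORE_ID is an existing Boundary Vault
# credential store, TARGET_ID the SSH target, TARGET_IP its address.
set -eu

STORE_ID="${STORE_ID:-csvlt_PLACEHOLDER}"
TARGET_ID="${TARGET_ID:-ttcp_PLACEHOLDER}"
TARGET_IP="${TARGET_IP:-10.0.0.5}"   # constructed sample address
SSH_USER="${SSH_USER:-ubuntu}"

# The body Vault's OTP role expects. There is no per-user templating in the
# library, so a different username or host needs a different library.
otp_request_body() {
  printf '{"ip":"%s","username":"%s"}' "$1" "$2"
}

# Policy fragment that must be part of the policy the store's Vault token was
# issued with (in addition to the token self-management rules).
otp_policy() {
  cat <<EOF
path "ssh/creds/otp_key_role" { capabilities = ["create", "update"] }
EOF
}

# OTP role: Vault issues a one-time password per request and the host verifies
# it through vault-ssh-helper, so no long-lived private key is ever brokered.
vault_setup() {
  vault secrets enable ssh >&2
  vault write ssh/roles/otp_key_role key_type=otp \
    default_user="$SSH_USER" cidr_list="${TARGET_IP}/32" >&2
}

# Same request the library will make, run by hand to see the response shape:
# the OTP comes back under data.key, not data.password, which is why Boundary
# Desktop shows only the raw response for this library.
preview_otp_response() {
  vault write -format=json ssh/creds/otp_key_role \
    ip="$TARGET_IP" username="$SSH_USER" | jq '.data'
}

boundary_setup() {
  lib_id=$(boundary credential-libraries create vault \
    -credential-store-id "$STORE_ID" -name "ssh-otp-$SSH_USER-$TARGET_IP" \
    -vault-path "ssh/creds/otp_key_role" -vault-http-method POST \
    -vault-http-request-body "$(otp_request_body "$TARGET_IP" "$SSH_USER")" \
    -format=json | jq -r '.item.id')
  boundary targets add-credential-sources -id "$TARGET_ID" \
    -brokered-credential-source "$lib_id"
}

# Only touch real systems when explicitly asked; sourcing just defines helpers.
if [ "${1:-}" = "apply" ]; then
  vault_setup
  boundary_setup
fi
```

Run `sh ssh-otp.sh apply` after filling in the placeholders, then `preview_otp_response` to confirm the role answers before connecting through Boundary. Restricting cidr_list to the single host and keeping the role's default_user fixed limits what the brokered token can mint even though the library itself cannot vary the request per user.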
