Hello,
Since our company uses HashiCorp Vault and HashiCorp Consul clusters in our local network, we’d like to test (and implement) Boundary for controlling SSH/DB access with OIDC.
I’ve reviewed the articles and found that I am almost ready to deploy my Boundary instances.
However, I cannot understand the following.
I see that I can authenticate the users and let them connect to the targets.
But I do not see what I should do on the targets to accept connections from Boundary workers. I mean, there’s a target I need to reach, e.g. via SSH. But how should it authenticate the connection? What about credential rotation in Vault?
Can anyone share any guides/articles with me?
If I understood you correctly, you want the Boundary worker to reach a target by using an SSH bastion host. Please correct me if I got it wrong.
That’s not a use case that Boundary covers at the moment. Either the workers have direct access (e.g. local) to targets or via another worker that they can reach. If you can install a Boundary worker on the SSH bastion host, that would suffice for now (but still wouldn’t use the SSH protocol for the connection).
You can proxy/tunnel SSH connections through Boundary workers without any issues but Boundary will add its own layer of encryption and routing to them. Clients must have access to the controller’s API port and one ingress worker’s proxy port (default 9202), at a minimum.
Authentication to the targets is done via Credential Stores and Libraries or static Credentials that Boundary can broker to your client and, under certain circumstances, the Boundary CLI client can directly use to establish an authenticated connection to the target, e.g. boundary connect ssh and boundary connect postgres.
Credential rotation via Vault is a different (but related) topic and you should refer to the relevant Vault documentation for that. I won’t link it here because it depends on the type of secret engine you’re using.
Thank you for your reply.
I do not expect Boundary to be a bastion host. I expect it to be a users/groups management service to allow or revoke the access. And the SSH access management is the 1st step for me.
But here is what I’m losing.
If we have several users that can be authorized with Boundary, what is the mechanism of storing and removing the public keys and logins on the target server?
It looks like the actual keys and logins must be managed with any scheduled task (ansible/terraform) on the target servers and there is no “live” automation. Am I right?
So, either I need to have a single user account on the target server and allow multiple users to use it after the authorization in Boundary, or I need to have some kind of a task/script/etc to sync the actual user logins and keys from Vault.
Am I right?
Boundary doesn’t manage user credentials on targets. You can either manage them at the target level using a configuration management tool (such as Terraform/Ansible as you mentioned) or use a centralized credential/secrets manager to do that for you, like Vault (the latter would be my choice).
My recommendation would be to use Vault’s Signed SSH Certificates (note you still need to deploy the SSH CA certificate to every SSH host using an out-of-band method) and then configure Boundary to use the Vault SSH certificate credential library (requires HCP Boundary though).
Tutorial on how to get started: https://developer.hashicorp.com/boundary/tutorials/access-management/hcp-certificate-injection
If you go the self-managed way, then you’ll need to register the static credentials on Boundary so that the clients can get them once the session is authorized. I’m just not sure if boundary connect ssh would work with those since I don’t really use it like that (but my guess would be it does).
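As an added illustration of the signed-SSH-certificate flow recommended above (example Terraform written for this thread, not code from the posters or from HashiCorp), the following wires Vault's SSH CA, a Vault policy for Boundary, a Boundary Vault credential store, the SSH certificate library and an SSH target with injected credentials. It assumes the vault and boundary providers are already configured and authenticated; the project scope id, Vault address, target address, login name and the `boundary_vault_token` variable are placeholders, and injection still needs HCP Boundary or Enterprise.

```hcl
resource "vault_mount" "ssh" {
  path = "ssh-client-signer"
  type = "ssh"
}
# Vault is the SSH user CA; its public key still goes to every host out of band (TrustedUserCAKeys).
resource "vault_ssh_secret_backend_ca" "ca" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true
}
resource "vault_ssh_secret_backend_role" "boundary_client" {
  backend                 = vault_mount.ssh.path
  name                    = "boundary-client"
  key_type                = "ca"
  allow_user_certificates = true
  allowed_users           = "ubuntu"  # the only login Vault will sign for (placeholder)
  ttl                     = "30m"     # short-lived certs: nothing to revoke on the hosts
  default_extensions      = { "permit-pty" = "" }
}
# Least-privilege policy for the token Boundary presents to Vault.
resource "vault_policy" "boundary_controller" {
  name   = "boundary-controller"
  policy = <<-EOT
    path "auth/token/lookup-self" { capabilities = ["read"] }
    path "auth/token/renew-self"  { capabilities = ["update"] }
    path "auth/token/revoke-self" { capabilities = ["update"] }
    path "sys/leases/renew"       { capabilities = ["update"] }
    path "sys/leases/revoke"      { capabilities = ["update"] }
    path "sys/capabilities-self"  { capabilities = ["update"] }
    path "ssh-client-signer/sign/boundary-client" { capabilities = ["create", "update"] }
  EOT
}
variable "boundary_vault_token" { type = string }  # periodic, renewable token carrying the policy above
resource "boundary_credential_store_vault" "vault" {
  scope_id = "p_PLACEHOLDER"                        # project scope id
  address  = "https://vault.example.internal:8200"  # placeholder
  token    = var.boundary_vault_token
}
resource "boundary_credential_library_vault_ssh_certificate" "ssh" {
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "ssh-client-signer/sign/boundary-client"
  username            = "ubuntu"
  key_type            = "ed25519"
}
resource "boundary_target" "ssh_host" {
  type         = "ssh"        # credential injection requires the ssh target type
  scope_id     = "p_PLACEHOLDER"
  default_port = 22
  address      = "10.0.1.10"  # placeholder
  injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.ssh.id]
}
```

With this in place no per-user keys live on the host: sshd trusts the CA key, Vault signs a certificate for the allowed login at session time, and expiry rather than key removal ends access.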
Thank you very much for the explanations!