Brokered credentials not being passed

I am trying to connect to a target without having to manually input the credentials.

This should be possible with the documentation I have seen. However, I have tried the username/password and the certificate (not at the same time), both resulting in the same outcome.

Both need the username and password to be input.

I have tried to change the target to not be tcp and to use ssh, but this will not allow Terraform to create the target (error: unknown type). If I try to create a new target manually, I only have the option of TCP.

I am using Boundary 0.12.0.

Hi @marktolley1974, if you are using credential brokering, the user still needs to provide the credentials to the target. Boundary will retrieve the credentials from Vault and provide them to the user.

If you want Boundary to inject the credentials directly to the target (skipping the user), then you can try credential injection in HCP Boundary.

So the OSS version can only do brokering where the user has to enter the credentials? What about SSH key brokering?

That is correct, with OSS/brokering, users will have to provide the credential to the target themselves. Boundary will provide the credential from Vault so that the user does not need to store the credential long-term, and Vault can also provide dynamic, short-lived credentials for security purposes.

To clarify one aspect of this, the Boundary CLI has a concept of consuming credentials on behalf of the user. This happens when using the connect helper commands, so for example boundary connect ssh... with a brokered ssh_private_key credential, Boundary will attempt to use that credential without the user having to manually enter it.

This does not work for username_password unless you use -style sshpass and have sshpass(1) installed on your client machine.

Currently SSH certificates do not support brokering.

I would also like to make clear that this is purely a helper function to provide a quality of life improvement and not meant to keep the credentials away from users' eyes. When using brokered credentials, the users can use boundary connect directly, which will still print the credentials, or they can use the API directly to still see brokered credentials.
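The setup the thread describes, as an added Terraform example (not code from the thread or from HashiCorp): a tcp target on port 22 for Boundary OSS 0.12 with Vault-brokered credentials, one library of type ssh_private_key and one of type username_password. Scope IDs, addresses, the Vault token variable and the KV paths are placeholders assumed for illustration.

```hcl
# Added example, not from the original thread. Scope id, host address,
# Vault address/token and KV paths are assumptions for illustration.

locals {
  project_id = "p_1234567890" # assumed project scope id
}

resource "boundary_host_catalog_static" "servers" {
  name     = "servers"
  scope_id = local.project_id
}

resource "boundary_host_static" "bastion" {
  name            = "bastion"
  host_catalog_id = boundary_host_catalog_static.servers.id
  address         = "10.0.1.10" # assumed internal address
}

resource "boundary_host_set_static" "ssh_hosts" {
  name            = "ssh-hosts"
  host_catalog_id = boundary_host_catalog_static.servers.id
  host_ids        = [boundary_host_static.bastion.id]
}

resource "boundary_credential_store_vault" "vault" {
  name     = "vault-store"
  scope_id = local.project_id
  address  = "https://vault.example.internal:8200" # assumed
  token    = var.vault_token                        # assumed variable
}

# Brokered SSH private key. The secret at this path is assumed to carry
# "username" and "private_key" fields. `boundary connect ssh` consumes this
# credential on the client without the user typing it.
resource "boundary_credential_library_vault" "ssh_key" {
  name                = "ssh-key"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "secret/data/boundary/ssh" # assumed KV v2 path
  http_method         = "GET"
  credential_type     = "ssh_private_key"
}

# Brokered username/password. The connect helper only consumes this with
# `-style sshpass` and sshpass(1) installed on the client.
resource "boundary_credential_library_vault" "user_pass" {
  name                = "ssh-password"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "secret/data/boundary/ssh-password" # assumed KV v2 path
  http_method         = "GET"
  credential_type     = "username_password"
}

resource "boundary_target" "ssh_host" {
  name            = "ssh-host"
  scope_id        = local.project_id
  type            = "tcp" # OSS 0.12: type "ssh" is rejected ("unknown type")
  default_port    = 22
  host_source_ids = [boundary_host_set_static.ssh_hosts.id]

  # Brokered sources are handed to the user (or the connect helper).
  brokered_credential_source_ids = [
    boundary_credential_library_vault.ssh_key.id,
  ]

  # injected_application_credential_source_ids would inject the credential
  # into the session without showing it to the user; that is credential
  # injection and is not available in the OSS version.
}
```

With this applied, `boundary connect ssh -target-id <target id>` uses the brokered key on the client; swapping the brokered source for the username_password library requires `boundary connect ssh -target-id <target id> -style sshpass`. In both cases a plain `boundary connect -target-id <target id>` still prints the brokered credential, which is the point the reply above makes about the helper not hiding anything from the user.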

OK thanks, now I understand.