That is correct, with all OSS/brokering, users will have to provide the credential to the target themselves. Boundary will provide the credential from Vault so that the user does not need to store the credential long-term, and Vault can also provide dynamic, short-lived credentials for security purposes.