Configuring Boundary Role for Specific Kubernetes Credential Library Access


I’m facing an issue with role configuration, specifically for restricting user access to a certain Kubernetes credential library. Despite configuring the role users are encountering a “not authorized” message. I’m seeking insights or advice on how to effectively resolve this issue.

Context and Setup:

  1. Credential Libraries:
  • I have several credential libraries in Boundary that request tokens from Kubernetes through Vault
  • My goal is to configure access so that users can use one specific credential library for authentication in Boundary Desktop.
  1. Role Configuration:
  • I created a role aimed at granting access to this specific Kubernetes credential library.
  • The grant format used is id=LIBRARY_ID;type=*;actions=*, substituting LIBRARY_ID with the actual ID of the library.
  • Despite this configuration, users assigned to this role receive a “not authorized” error when trying to access the library. When using grants id=* ; type=* ; actions=*, all libraries are visible in the Boundary desktop app but that`s not the intention here.
  1. Additional Setup Details:
  • The credential library and role are within the same scope.
  • The role’s principal_ids correctly list the users/groups intended for access.
  • No other conflicting permissions are apparent in the role setup.
  1. Are there any specific considerations in Boundary’s permission model when configuring access to a specific Kubernetes credential library?
  2. Could this issue be related to the version of Boundary I’m using? 0.12.1
  3. Is there an alternative or more effective method to restrict users to a specific credential library when authenticating with boundary desktop, especially for Kubernetes token authentication?

Thanks for your help.