Dynamic Discovery of AWS RDS databases using boundary host?

I have a use case wherein I need to dynamically discover the AWS RDS database through the Boundary UI and create a session out of it.

I followed the below links with no luck.

Any guidance would be greatly appreciated.

I don’t think the AWS host discovery plugin currently supports any AWS resource type other than EC2 instances, based on the plugin doc page.

Thank you Omkensey for your response.

Is there any other way/plugin through which we can register Postgres as a host in HashiCorp’s Boundary?

I tried adding the AWS RDS endpoint as a static host but no luck.

Most of the online tutorials I followed (Secure Access to Hosts and Services with HashiCorp Boundary - YouTube) added Postgres as localhost.

Adding it as a static endpoint should have worked, I would think. What does your target config look like and what options are you using with boundary connect?

I have uploaded relevant screenshots. I believe Boundary is unable to register the Postgres DB as a host. I tested DB connectivity with the psql client and I am able to connect; please do let me know if I am missing something.

Thanks!

I think you need to remove the :5432 from the host’s address. Port info is set in the target properties.

Tested after removing port from host’s address but no luck.

Aha, you never added your host hst_LYIUsetNpF to your host-set hsst_xONMXxEX0z. Try this:

boundary host-sets add-hosts -id hsst_xONMXxEX0z -host hst_LYIUsetNpF

Then read your host-set again and this time you should see a Host IDs: section at the bottom. Your target should start working too.
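The full sequence the replies above describe, as an added example (not code from the thread or from HashiCorp): register the RDS endpoint as a static host with the port stripped, create the host set, add the host to it explicitly, verify the membership, then build a TCP target on port 5432. It assumes an authenticated `boundary` CLI, `jq`, and operator-supplied `PROJECT_ID`, `RDS_ENDPOINT` and `DB_USER`; all names are placeholders, and `targets add-host-sources` assumes a Boundary release that uses host sources rather than the older `add-host-sets`.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Registers an RDS endpoint as a static
# Boundary host, host set and TCP target. Names/IDs below are placeholders.
set -eu

# The host address must not carry a port: the port is a target property.
# "db.example.rds.amazonaws.com:5432" -> "db.example.rds.amazonaws.com"
strip_port() {
  printf '%s\n' "$1" | sed -E 's/:[0-9]+$//'
}

# Creates catalog, host, host set and target; prints the target ID.
register_rds_target() {
  addr="$(strip_port "$RDS_ENDPOINT")"
  hc="$(boundary host-catalogs create static -scope-id "$PROJECT_ID" \
        -name rds-catalog -format json | jq -r .item.id)"
  host="$(boundary hosts create static -host-catalog-id "$hc" \
        -name rds-postgres -address "$addr" -format json | jq -r .item.id)"
  hs="$(boundary host-sets create static -host-catalog-id "$hc" \
        -name rds-postgres-set -format json | jq -r .item.id)"
  # The step that was missing in the thread: creating a host and a host set
  # does not put the host in the set; membership is added explicitly.
  boundary host-sets add-hosts -id "$hs" -host "$host" >/dev/null
  # Verify: the host set's host_ids must now list the host (fails otherwise).
  boundary host-sets read -id "$hs" -format json \
    | jq -e --arg h "$host" '.item.host_ids | index($h) != null' >/dev/null
  tgt="$(boundary targets create tcp -scope-id "$PROJECT_ID" \
        -name rds-postgres -default-port 5432 -format json | jq -r .item.id)"
  boundary targets add-host-sources -id "$tgt" -host-source "$hs" >/dev/null
  printf '%s\n' "$tgt"
}

# Only run against a real controller when the CLI and inputs are present.
if [ -n "${PROJECT_ID:-}" ] && command -v boundary >/dev/null 2>&1; then
  TARGET_ID="$(register_rds_target)"
  # Opens a psql session through the Boundary worker to the RDS target.
  boundary connect postgres -target-id "$TARGET_ID" \
    -username "$DB_USER" -dbname postgres
fi
```

The `jq -e` check reproduces the "Host IDs" verification from the reply: if the host is not listed on the host set, the script stops before the target is created.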

Thanks, Omkensey!

I thought I did this step via console, but running this command has helped me to resolve the issue and I am able to connect to the RDS instance now.

Also can you please guide me on:

  1. How to enable the Connect button on the Boundary console so that a session can be started instantly without running the command each time?

  2. How to enable the AWS IAM/SSO auth method on HashiCorp’s Boundary console?

Any guidance would be greatly appreciated.

On the admin GUI, there’s no Connect option – you need to use the Boundary Desktop app if you want a GUI you can connect to a target from.

For AWS auth, I think you should be able to set up OIDC auth in Boundary to AWS SSO as the IdP – I haven’t done that particular combo but Boundary supports OIDC auth and AWS SSO provides OIDC authentication.

Thanks for your quick response, it really helped me in setting up my environment.

One last question - is there any way in Boundary by which we can audit database logs on a regular basis?

Boundary stores a bunch of info on connections in its own data warehouse. mgaffney has posted a bunch of info in some other threads; see for example:

Thanks, Omkensey, for your responses. I am able to set up Boundary along with auditing in my environment.

The last thing I want to achieve is to restrict access to targets for different users on Boundary Desktop. I created a role for the same but ended up with an error. It would be great if you could guide me on the same.

For targets, if you’re granting access to a specific target you don’t need the type parameter.

Full documentation on grant permission formats is here; there’s an example of how I granted access to different targets to different roles in this post.