Dynamic Discovery of AWS RDS databases using boundary host?

I have a use case wherein I need to dynamically discover the AWS RDS database through the Boundary UI and create a session out of it.

I followed the below links with no luck.

Any guidance would be greatly appreciated.

I don’t think the AWS host discovery plugin currently supports any AWS resource type other than EC2 instances, based on the plugin doc page.

Thank you Omkensey for your response.

Is there any other way/plugin through which we can register Postgres as a host in HashiCorp's Boundary?

I tried adding the AWS RDS endpoint as a static host but no luck.

Most of the online tutorials I followed, e.g. Secure Access to Hosts and Services with HashiCorp Boundary - YouTube, added Postgres as localhost.

Adding it as a static endpoint should have worked, I would think. What does your target config look like and what options are you using with boundary connect?

I have uploaded relevant screenshots; I believe Boundary is unable to register the Postgres DB as a host. I tested DB connectivity with the psql client and I am able to connect. Please let me know if I am missing something.

Thanks !

I think you need to remove the :5432 from the host’s address. Port info is set in the target properties.

Tested after removing port from host’s address but no luck.

Aha, you never added your host hst_LYIUsetNpF to your host-set hsst_xONMXxEX0z. Try this:

boundary host-sets add-hosts -id hsst_xONMXxEX0z -host hst_LYIUsetNpF

Then read your host-set again and this time you should see a Host IDs: section at the bottom. Your target should start working too.
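The whole sequence the thread has been circling (static host with no port in its address, host added to its host set, host set attached to a TCP target that carries the port, then a read-back to confirm the host set lists the host) as one script. This is an added example, not code from the thread or from HashiCorp; the project ID, RDS endpoint and resource names are assumptions, and the IDs Boundary returns are read from its JSON output. The `targets add-host-sources` subcommand name is the one in Boundary 0.5 and later (earlier releases used `add-host-sets`), which is an assumption about the version in use. With DRY_RUN=1, or when no `boundary` binary is on PATH, the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp: register an RDS
# Postgres endpoint as a static host, put it in a host set, attach the host set
# to a TCP target, and read the host set back to confirm the host is in it.
# The project ID, endpoint and names are assumptions; the resource IDs are
# whatever Boundary returns. With DRY_RUN=1 (or when no boundary binary is on
# PATH) the commands are printed to stderr instead of executed.

: "${DRY_RUN:=}"
command -v boundary >/dev/null 2>&1 || DRY_RUN=1

PROJECT_ID="${PROJECT_ID:-p_1234567890}"                                    # assumed project scope
RDS_ENDPOINT="${RDS_ENDPOINT:-mydb.abc123xyz.us-east-1.rds.amazonaws.com}"  # assumed RDS endpoint
PG_PORT="${PG_PORT:-5432}"

# A static host takes a bare hostname or IP; the port belongs to the target
# (-default-port). RDS endpoints are DNS names, so a colon can only be a
# stray port. (IPv6 literals would need a different check.)
check_address() {
  case "$1" in
    "")  echo "empty host address" >&2; return 1 ;;
    *:*) echo "refusing '$1': drop the :port here and set -default-port on the target" >&2; return 1 ;;
  esac
}

# Run a boundary subcommand; in dry-run mode print it to stderr instead
# (stderr, so that the IDs create() returns on stdout stay clean).
run() {
  if [ -n "$DRY_RUN" ]; then echo "boundary $*" >&2; else boundary "$@"; fi
}

# Create a resource and print its ID, taken from item.id of the JSON output
# (jq -r .item.id does the same where jq is available). In dry-run mode the
# first argument is returned as a placeholder ID.
create() {
  placeholder="$1"; shift
  if [ -n "$DRY_RUN" ]; then
    echo "boundary $*" >&2
    echo "$placeholder"
    return 0
  fi
  out=$(boundary "$@" -format json) || return 1
  id=$(printf '%s' "$out" | tr -d '\n' |
       sed -n 's/.*"item"[[:space:]]*:[[:space:]]*{[[:space:]]*"id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$id" ] || { echo "no item.id in response: $out" >&2; return 1; }
  echo "$id"
}

# Catalog -> host -> host set -> add host to set -> target -> attach host set.
# Prints the target ID.
provision() {
  check_address "$RDS_ENDPOINT" || return 1
  HC_ID=$(create hc_dryrun host-catalogs create static -scope-id "$PROJECT_ID" -name rds-postgres) || return 1
  HOST_ID=$(create hst_dryrun hosts create static -host-catalog-id "$HC_ID" -name rds-primary -address "$RDS_ENDPOINT") || return 1
  HS_ID=$(create hsst_dryrun host-sets create static -host-catalog-id "$HC_ID" -name rds-hosts) || return 1
  # The step missing in the thread: a new host set is empty until hosts are added.
  run host-sets add-hosts -id "$HS_ID" -host "$HOST_ID" || return 1
  TARGET_ID=$(create ttcp_dryrun targets create tcp -scope-id "$PROJECT_ID" -name rds-postgres \
              -default-port "$PG_PORT" -session-connection-limit -1) || return 1
  # Boundary 0.5+ calls this add-host-sources; earlier releases used
  # "targets add-host-sets -host-set" (assumed version).
  run targets add-host-sources -id "$TARGET_ID" -host-source "$HS_ID" || return 1
  # Verify: the "Host IDs" section of the host set must now list the host.
  run host-sets read -id "$HS_ID" >&2
  echo "$TARGET_ID"
}

# Connect: boundary opens a local proxy to the worker and launches psql
# against it; -dbname and -username are passed through to psql.
connect_db() {
  run connect postgres -target-id "$1" -dbname "${PGDATABASE:-postgres}" -username "${PGUSER:-app_user}"
}

# Usage: ./register-rds.sh apply            (needs BOUNDARY_ADDR and a token)
#        DRY_RUN=1 ./register-rds.sh apply  to preview the commands
if [ "${1:-}" = "apply" ]; then
  target=$(provision) && connect_db "$target"
fi
```

The read-back at the end is the check that would have caught the original problem: if the host set output has no Host IDs section, the target has nothing to connect to, whatever the host and target definitions look like on their own.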

Thanks, Omkensey!

I thought I did this step via console, but running this command has helped me to resolve the issue and I am able to connect to the RDS instance now.

Also can you please guide me on:

  1. How to enable a connect button on the Boundary console so that a session can be made instantaneously without running the command each time.

  2. How to enable the AWS IAM/SSO auth method on HashiCorp's Boundary console?

Any guidance would be greatly appreciated.

On the admin GUI, there’s no Connect option – you need to use the Boundary Desktop app if you want a GUI you can connect to a target from.

For AWS auth, I think you should be able to set up OIDC auth in Boundary to AWS SSO as the IdP – I haven’t done that particular combo but Boundary supports OIDC auth and AWS SSO provides OIDC authentication.

Thanks for your quick response, it really helped me in setting up my environment.

One last question - Is there any way in boundary by which we can audit database logs on regular basis?

Boundary stores a bunch of info on connections in its own data warehouse. mgaffney has posted a bunch of info in some other threads; see for example:

Thanks, Omkensey for your responses. I am able to set up boundary along with auditing in my environment.

The last thing I want to achieve is to restrict access to targets for different users on Boundary Desktop. I created a role for the same but ended up with an error. It would be great if you can guide me on the same.

For targets, if you’re granting access to a specific target you don’t need the type parameter.

Full documentation on grant permission formats is here; there’s an example of how I granted access to different targets to different roles in this post.
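A role that gives one group access to one target, added here as an example (not code from the thread or from HashiCorp's documentation). The project, target and group IDs are assumptions, the role name and the extra list and session grants are my choices, and validate_grant encodes the rule just stated: a grant naming a specific id carries no type=, while a wildcard id=* must say which type it covers. Applying it needs the boundary binary, jq and a token; the grant-builder and check functions run on their own.

```shell
#!/bin/sh
# Added example, not from the thread or from HashiCorp: restrict one target to
# one group with a project-scope role. A grant for a specific resource names
# its ID and needs no type=; type= is required only when id=* selects a whole
# resource type. IDs and names are assumptions.

PROJECT_ID="${PROJECT_ID:-p_1234567890}"   # assumed project scope
TARGET_ID="${TARGET_ID:-ttcp_1234567890}"  # assumed RDS target
GROUP_ID="${GROUP_ID:-g_1234567890}"       # assumed group of DB users

# Per-target grant: id=<target id>;actions=...  (no type= needed)
target_grant() { echo "id=$1;actions=authorize-session,read"; }
# Listing targets so Boundary Desktop can show the permitted one; wildcard
# id, so type= is required here.
list_targets_grant() { echo "id=*;type=target;actions=list"; }
# Users see and cancel only their own sessions (matches Boundary's default
# role grants).
own_sessions_grant() { echo "id=*;type=session;actions=read:self,cancel:self,list"; }

# Check a grant before sending it: every grant needs id= and actions=, and a
# wildcard id needs type=. A specific id needs no type= at all.
validate_grant() {
  case "$1" in
    *"id=*"*) case "$1" in *type=*) ;; *) echo "grant '$1': id=* requires type=" >&2; return 1 ;; esac ;;
    *id=*)    ;;
    *)        echo "grant '$1': missing id=" >&2; return 1 ;;
  esac
  case "$1" in *actions=*) ;; *) echo "grant '$1': missing actions=" >&2; return 1 ;; esac
}

# Create the role in the project scope (its grant scope defaults to that
# scope), attach the grants, then the group as principal. Needs jq.
apply() {
  for g in "$(target_grant "$TARGET_ID")" "$(list_targets_grant)" "$(own_sessions_grant)"; do
    validate_grant "$g" || return 1
  done
  role_id=$(boundary roles create -scope-id "$PROJECT_ID" -name rds-readers -format json | jq -r .item.id)
  [ -n "$role_id" ] && [ "$role_id" != null ] || { echo "role creation failed" >&2; return 1; }
  boundary roles add-grants -id "$role_id" \
      -grant "$(target_grant "$TARGET_ID")" \
      -grant "$(list_targets_grant)" \
      -grant "$(own_sessions_grant)" || return 1
  boundary roles add-principals -id "$role_id" -principal "$GROUP_ID" || return 1
  echo "$role_id"
}

# Usage: ./grant-rds-access.sh apply   (needs BOUNDARY_ADDR, a token and jq)
if [ "${1:-}" = "apply" ]; then apply; fi
```

Users in the group then see only this target in Boundary Desktop; a second target stays invisible to them unless a role grants it by id in the same way.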

Hi Omkensey,

Hope you are doing well.

For auditing purposes I need to track the dynamic user that Vault generates for DB access with that of the Boundary user. I checked the Vault logs but no luck; is there any other way?

There isn’t anything you can key definitively off of like a unique transaction ID so far as I know, but if you turn on audit logging in Vault, and you have time synced between the two hosts, you might be able to correlate the Boundary log entries with the Vault audit log entries.

Through boundary desktop I am able to generate dynamic credentials for remote db, however when I am trying to connect using those credentials I am getting error as below, please do let me know if I am missing anything.

That’s a connection error – it looks like it’s not able to connect to Postgres at all, it’s not even getting to the authentication part.

  • Check where Postgres is listening – make sure that address and port match the Boundary target address and port
    • You should be able to connect directly to Postgres from the worker system – if you can’t, proxying won’t work
  • Make sure the Boundary client is listening on the port you’re trying to connect on (I noticed in the screenshots above that the Boundary proxy port is 58308 and pg_cli is trying to connect on 51210, but I assume those are screenshots from different attempts, so that’s why they don’t match).

Sorry for the wrong screenshot.

What I want to ask is how can we connect to target db after getting proxy address and credentials from the boundary desktop app (apart from boundary CLI)?

If I attempt to connect through pgcli from my local windows desktop using proxy address and credentials, it throws an error as connection refused.

I followed youtube video at 18:00 where the same error was shown.