Error Opening KeyRing - Boundary Dev

I am running boundary dev and am able to connect to the admin console.

When following the instructions as per:

I am seeing the following error. Also, it seems I am only able to read the target info if I pass the token; none of this is stated in the documentation I reference above.

The three questions I have:
1. Why am I getting the keyring error?
2. Are users supposed to authenticate and then use that generated token with any command?
3. How do I solve the authenticity of host “permission denied”?

Here is the error:

[centos@ip-x-x-x-x ~]$ boundary authenticate password -auth-method-id=ampw_1234567890 -login-name=admin -password=password
Error opening keyring: Specified keyring backend not available
Token must be provided via BOUNDARY_TOKEN env var or -token flag. Reading the token can also be disabled via -keyring-type=none.

Authentication information:
Account ID: apw_t6RGd0eW7f
Auth Method ID: ampw_1234567890
Expiration Time: Tue, 03 Nov 2020 16:48:39 UTC
Token: at_EVdwM0ecJC_s1CbmNAzUWy3wLcc8LzBDWAzBB6m38o9ZUf5Xu4BJjeaqZhe2ppUzx9jdhQrr9votoQxYBprxog3Fju6K5DXLfgo7XPwjwGNY3DpUvb4KawxHsfVtdygrYCw9aW7ArQpEFVvPTxHJfYKTTYsJ
User ID: u_1234567890

Error opening “pass” keyring: Specified keyring backend not available
The token printed above must be manually passed in via the BOUNDARY_TOKEN env var or -token flag. Storing the token can also be disabled via -keyring-type=none.

[centos@ip-x-x-x-x ~]$ boundary targets read -id ttcp_1234567890
Error opening keyring: Specified keyring backend not available
Token must be provided via BOUNDARY_TOKEN env var or -token flag. Reading the token can also be disabled via -keyring-type=none.
Error from controller when performing read on target:
Error information:
Code: Unauthenticated
Message: Unauthenticated, or invalid token.
Status: 401

[centos@ip-x-x-x-x ~]$ boundary targets read -id ttcp_1234567890 -token at_EVdwM0ecJC_s1CbmNAzUWy3wLcc8LzBDWAzBB6m38o9ZUf5Xu4BJjeaqZhe2ppUzx9jdhQrr9votoQxYBprxog3Fju6K5DXLfgo7XPwjwGNY3DpUvb4KawxHsfVtdygrYCw9aW7ArQpEFVvPTxHJfYKTTYsJ

Target information:
Created Time: Tue, 27 Oct 2020 16:33:07 UTC
Description: Provides an initial target in Boundary
ID: ttcp_1234567890
Name: Generated target
Session Connection Limit: 1
Session Max Seconds: 28800
Type: tcp
Updated Time: Tue, 27 Oct 2020 16:33:07 UTC
Version: 1

Scope:
ID: p_1234567890
Name: Generated project scope
Parent Scope ID: o_1234567890
Type: project

Host Sets:
Host Catalog ID: hcst_1234567890
ID: hsst_1234567890

Attributes:
Default Port: 22

[centos@ip-x-x-x-x ~]$ boundary connect ssh -target-id ttcp_1234567890 -token at_n9AZwwR8hl_s1AbzxpgYojnJFRkvS2MPVY71cPgnzPZovm1EVpJrkT8aL5X1rpZruk4KY8PeVBoXXsxuRBZQKqECRm3VyQMY5eEVt3umanRb7CZBxt66mrgCvGnG9n

The authenticity of host ‘hst_1234567890 ([127.0.0.1]:38721)’ can’t be established.
ECDSA key fingerprint is SHA256:F5sFSVf/nYallw/ehdJ/J34X3uHmz9o2BgIg2oBM8Zk.
ECDSA key fingerprint is MD5:ba:b2:42:f4:d7:c3:6c:dd:26:47:74:a3:87:22:5a:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘hst_1234567890’ (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

@ac0093

If you are running Boundary v0.1.1, try the following:

$ boundary authenticate password -auth-method-id=ampw_1234567890 \
      -login-name=admin -password=password \
      -keyring-type=none -format=json | jq -r ".token" > boundary_token.txt


$ export BOUNDARY_TOKEN=$(cat boundary_token.txt)

(Note: For v0.1.0, it’s -token-name instead of -keyring-type.)

Refer to the Authenticate with Boundary section in the Start a Development Environment tutorial.

Hi yhakuna!!

I tried your way but it did not work.

First there was the message to install jq; I installed it, but now there is another error.

Ah… I totally forgot that jq is not installed by default…my bad. :pleading_face:

What error did you get after installing jq and trying the command again?

Thanks I was able to move forward with the command you suggested.

My last standing issue is the permission denied error I described in my comment above when attempting to do a boundary connect, even after using the commands you provided.

See the screen

Hi there @ac0093 - Boundary will try to store the token for you with the operating system’s keyring. This changes depending on the operating system you use. The list of supported keyrings can be found in our help menu for boundary authenticate password -h:

  -keyring-type=<string>
      The type of keyring to use. Defaults to "auto" which will use the
      Windows credential manager, OSX keychain, or cross-platform password
      store depending on platform. Set to "none" to disable keyring
      functionality. Available types, depending on platform, are: "wincred",
      "keychain", "pass", and "secret-service". The default is auto. This can
      also be specified via the BOUNDARY_KEYRING_TYPE environment variable.

If you’re seeing this error, it means your operating system does not have a supported keyring. You have two choices here:

  1. Install a supported keyring per the above list of mentioned keyrings
  2. Copy the token returned from the authenticate command and set it with the BOUNDARY_TOKEN env var or pass it on the CLI with the -token flag.

Let us know if you have any other questions, and thanks for trying Boundary!

Hi @luidigsc

The output looks correct. You now have to copy the generated token value and set it as BOUNDARY_TOKEN environment variable. (Or you can use -token flag with every boundary command.)

For a quick try, I created a Katacoda scenario --> https://www.katacoda.com/hashicorp/scenarios/boundary-intro

I just created this pretty quick, so it’s not pretty. I’ll create a cleaner version later, and attach it to the Boundary Learn. But, this walks you through the commands. Check the boundary help and try different commands to explore how it works. Hope this helps.

Hi @ac0093

I could not reproduce this, but from your output, I can see that the very last command (which failed) passes an incomplete token value.

It says:

boundary connect ssh -target-id ttcp_1234567890 -token at_n9AZwwR8hl_s1AbzxpgYojnJFRkvS2MPVY71cPgnzPZovm1EVpJrkT8aL5X1rpZruk4KY8PeVBoXXsxuRBZQKqECRm3VyQMY5eEVt3umanRb7CZBxt66mrgCvGnG9n

But it should’ve been:

boundary connect ssh -target-id ttcp_1234567890 -token at_EVdwM0ecJC_s1CbmNAzUWy3wLcc8LzBDWAzBB6m38o9ZUf5Xu4BJjeaqZhe2ppUzx9jdhQrr9votoQxYBprxog3Fju6K5DXLfgo7XPwjwGNY3DpUvb4KawxHsfVtdygrYCw9aW7ArQpEFVvPTxHJfYKTTYsJ

Isn’t it? In the last boundary connect command, you’re using a different token. But I don’t know if you still get the same issue using the BOUNDARY_TOKEN env var instead…
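
Added example (not part of any reply in this thread and not HashiCorp's code): POSIX shell helpers for the two token-handling points raised in the replies above, namely writing the token from `boundary authenticate ... -keyring-type=none` to a file and checking which token a later command is actually using. The function names are hypothetical, and the split of a token into `at_<id>_<secret>` is an assumption read off the tokens shown in this thread.

```shell
# Added example. Function names are hypothetical; the at_<id>_<secret>
# layout is an assumption based on the tokens printed in this thread.

# Print only the leading "at_<id>" part of a token, so two tokens can be
# compared without echoing the secret part to the terminal or shell history.
token_id() {
  printf '%s\n' "$1" | cut -d_ -f1,2
}

# Succeed only if the argument has the at_<id>_<secret> shape. This rejects
# empty input and the literal "null" that `jq -r .token` prints when the
# JSON it was given has no token field.
looks_like_token() {
  case $1 in
    at_?*_?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read one token from stdin and store it in the named file, readable by the
# owner only (the mode is forced even if the file already existed).
# Intended use with the command from the reply above:
#   boundary authenticate password ... -keyring-type=none -format=json \
#     | jq -r ".token" | save_token boundary_token.txt
save_token() {
  st_file=$1
  IFS= read -r st_tok || true
  if ! looks_like_token "$st_tok"; then
    echo "save_token: input is not a token, nothing written" >&2
    return 1
  fi
  ( umask 077; : >> "$st_file" ) && chmod 600 "$st_file" &&
    printf '%s\n' "$st_tok" > "$st_file"
}

# Export BOUNDARY_TOKEN from the file, refusing anything malformed.
load_token() {
  lt_file=$1
  [ -r "$lt_file" ] || { echo "load_token: cannot read $lt_file" >&2; return 1; }
  IFS= read -r lt_tok < "$lt_file" || true
  if ! looks_like_token "$lt_tok"; then
    echo "load_token: $lt_file does not contain a token" >&2
    return 1
  fi
  export BOUNDARY_TOKEN="$lt_tok"
}
```

After `load_token boundary_token.txt`, comparing `token_id "$BOUNDARY_TOKEN"` with the identifier of the token printed by the most recent `boundary authenticate` shows whether a stale token from an earlier login is being reused.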

Thanks for the help.

Could there be other scenarios?

I can work on it…maybe over the weekend.

Hi!

How can I start Boundary as a production installation? I need to install it in a project that has 5 EC2 machines and 2 RDS databases, with 7 users accessing over SSH; the environment is AWS.

Could you help me?

The best way is to use Terraform. You can find sample Terraform files created by HashiCorp here.

Also, I see a community member posted one.

You can leverage those sample configurations as a starting point to create customized Terraform configurations.