Establishing a connection to a target via the Boundary HTTP API


I’m trying to create a shell script that has only one parameter, a target ID.

This is for creating a new Kubernetes connection via boundary connect kube. The script has all the “magic” inside and the result should be that it configures the kubectl context and creates a new boundary proxy connection ready to use.

I can fetch the ca_crt and the service_account_token from the POST v1/target/{id}/authorize-session API call. From that I get the session_id among other response fields but I don’t know how to create the actual listening connection with a proxy port from here.

I can run and it works.

boundary connect -listen-port=44444 -target-id ttcp_xxx

It opens a new listening connection but I’d like to get the CA and token from that session first to build the kube context and then start the proxy connection to be able to connect to it with that credentials using the HTTP API.

Is there a way to do that?

PS: I read this How to Connect to Kubernetes Clusters Using Boundary post and it was very helpful but I don’t want to manually configure or use the Desktop App to connect to a k8s cluster.


In case anyone ever wonders about the same question, it’s possible to establish a session in two steps:

  1. You can authorize the session and get the credentials your client will need to authenticate (this is just an example for db creds but should be similar for kubernetes):
$ OUTPUT=$(boundary targets authorize-session -id ttcp_DB********w5 -format json)
$ echo $OUTPUT | jq -r '.item.credentials[].secret.decoded'
  "password": "REDACTED",
  "username": "v-token-to-target-nfZzom*************9528811"

From the same output you need to get the authorization_token:

$ AUTHZ_TOKEN=$(echo $OUTPUT | jq -r '.item.authorization_token')
  1. You can then establish the connection using the above token:
$ LISTEN_PORT=<choose yours>
$ boundary connect -listen-port $LISTEN_PORT -authz-token $AUTHZ_TOKEN