hijak
October 21, 2020, 7:58pm
1
Hi,
I have deployed a Boundary config via Terraform:
```
provider "boundary" {
  addr = "http://10.13.37.112:9200"
  auth_method_id = "ampw_3pNqmP65oW"
  password_auth_method_login_name = "admin"
  password_auth_method_password = "XX"
}

variable "users" {
  type = set(string)
  default = [
    "user1",
    "user2"
  ]
}

variable "readonly_users" {
  type = set(string)
  default = [
    "drone"
  ]
}

variable "backend_server_ips" {
  type = set(string)
  default = [
    "10.13.37.5",
    "10.13.37.112"
  ]
}

resource "boundary_scope" "global" {
  global_scope = true
  description = "Global"
  scope_id = "global"
}

resource "boundary_scope" "home" {
  name = "home.exnet.lan"
  description = "home.exnet.lan"
  scope_id = boundary_scope.global.id
  auto_create_admin_role = true
  auto_create_default_role = true
}

## Use password auth method
resource "boundary_auth_method" "password" {
  name = "Home Passwords"
  scope_id = boundary_scope.home.id
  type = "password"
}

resource "boundary_account" "users_acct" {
  for_each = var.users
  name = each.key
  description = "User account for ${each.key}"
  type = "password"
  login_name = lower(each.key)
  password = "password"
  auth_method_id = boundary_auth_method.password.id
}

resource "boundary_user" "users" {
  for_each = var.users
  name = each.key
  description = "User resource for ${each.key}"
  scope_id = boundary_scope.home.id
}

resource "boundary_user" "readonly_users" {
  for_each = var.readonly_users
  name = each.key
  description = "User resource for ${each.key}"
  scope_id = boundary_scope.home.id
}

resource "boundary_group" "readonly" {
  name = "read-only"
  description = "Organization group for readonly users"
  member_ids = [for user in boundary_user.readonly_users : user.id]
  scope_id = boundary_scope.home.id
}

resource "boundary_role" "organization_readonly" {
  name = "Read-only"
  description = "Read-only role"
  principal_ids = [boundary_group.readonly.id]
  grant_strings = ["id=*;type=*;actions=read"]
  scope_id = boundary_scope.home.id
}

resource "boundary_role" "organization_admin" {
  name = "admin"
  description = "Administrator role"
  principal_ids = concat(
    [for user in boundary_user.users : user.id]
  )
  grant_strings = ["id=*;type=*;actions=create,read,update,delete"]
  scope_id = boundary_scope.home.id
}

resource "boundary_scope" "core_infra" {
  name = "Core infrastrcture"
  description = "Home Networking"
  scope_id = boundary_scope.home.id
  auto_create_admin_role = true
}

resource "boundary_host_catalog" "backend_servers" {
  name = "backend_servers"
  description = "Backend servers host catalog"
  type = "static"
  scope_id = boundary_scope.core_infra.id
}

resource "boundary_host" "backend_servers" {
  for_each = var.backend_server_ips
  type = "static"
  name = "backend_server_service_${each.value}"
  description = "Backend server host"
  address = each.key
  host_catalog_id = boundary_host_catalog.backend_servers.id
}

resource "boundary_host_set" "backend_servers_ssh" {
  type = "static"
  name = "backend_servers_ssh"
  description = "Host set for backend servers"
  host_catalog_id = boundary_host_catalog.backend_servers.id
  host_ids = [for host in boundary_host.backend_servers : host.id]
}

# create target for accessing backend servers on port :8000
resource "boundary_target" "backend_servers_service" {
  type = "tcp"
  name = "Backend service"
  description = "Backend service target"
  scope_id = boundary_scope.core_infra.id
  default_port = "8080"
  host_set_ids = [
    boundary_host_set.backend_servers_ssh.id
  ]
}

# create target for accessing backend servers on port :22
resource "boundary_target" "backend_servers_ssh" {
  type = "tcp"
  name = "Backend servers"
  description = "Backend SSH target"
  scope_id = boundary_scope.core_infra.id
  default_port = "22"
  host_set_ids = [
    boundary_host_set.backend_servers_ssh.id
  ]
}
```
I then authenticate with the user and password to get a token:
```
boundary authenticate password -auth-method-id=ampw_XXX -login-name=user1
```
I get a token, but then I get a 403 when trying to do anything:
```
$ curl -H "Authorization: Bearer $(boundary config get-token)" -H "Content-Type: application/json" https://boundary.exnet.lan/v1/targets/ttcp_XXXX -k
{"status":403, "code":"PermissionDenied", "message":"Forbidden."}
```
Any ideas?
Thanks for trying Boundary!
Does `boundary targets list` show the targets you're granted access to after authenticating?
hijak
October 21, 2020, 8:25pm
3
My pleasure!
Hrm, odd, it doesn't seem to take the scope id:
```
21:23 $ curl -H "Authorization: Bearer $(boundary config get-token)" -H "Content-Type: application/json" https://boundary.exnet.lan/v1/targets?scope_id=o_7Ywy6XUxt6 -k | jq
{
  "status": 400,
  "code": "InvalidArgument",
  "message": "Improperly formatted identifier.",
  "details": {
    "request_fields": [
      {
        "name": "scope_id",
        "description": "This field is required to have a properly formatted project scope id."
      }
    ]
  }
}
```
Thanks, it looks like you're using curl here. Can you use the CLI to verify that you can list targets first? That way we rule out any typos or construction issues with the curl command.
hijak
October 21, 2020, 8:55pm
5
```
21:51 $ boundary targets list -scope-id=o_7Ywy6XUxt6 -addr=https://XXX -tls-insecure
Error from controller when performing list on targets:
Error information:
  Code:    InvalidArgument
  Message: Improperly formatted identifier.
  Status:  400
  Field-specific Errors:
    Name:  -scope-id
    Error: This field is required to have a properly formatted project scope id.
```
I was using the `-output-curl-string` client option to generate the curl line.
malnick
October 22, 2020, 12:11am
6
Thanks @hijak - the error message here is poor, but here's the real issue: you're using an organization scope `o_` and targets are only ever part of a project scope, `p_`.
Can you do a `boundary scopes list -scope-id o_7Ywy6XUxt6`, then use the returned project scope for this list command instead.
We're doing a big revamp on our error handling, feel free to open a GitHub issue related to this error message as well.
hijak
October 22, 2020, 6:19am
7
No luck:
```
$ boundary scopes list -scope-id o_7Ywy6XUxt6 -addr=https://boundary.exnet.lan -tls-insecure
Scope information:
  ID:          p_4304XC6WGh
  Version:     1
  Name:        Core infrastrcture
  Description: Home Networking

$ boundary targets list -scope-id=p_4304XC6WGh -addr=https://boundary.exnet.lan -tls-insecure
Error from controller when performing list on targets:
Error information:
  Code:
  Message: Forbidden
  Status:  403
```
I have made sure I re-authenticated before trying.
jeff
October 22, 2020, 12:03pm
8
Can you send the output of a read on your various roles? It seems you simply don’t have permission.
hijak
October 22, 2020, 12:09pm
9
I'm able to read the roles:
```
$ boundary roles read -id=r_i36TutoC0r -addr=https://boundary.exnet.lan -tls-insecure
Role information:
  Created Time:   Wed, 21 Oct 2020 20:38:19 BST
  Description:    Role created for administration of scope o_7Ywy6XUxt6 by user u_yAvnfAXovH at its creation time
  Grant Scope ID: o_7Ywy6XUxt6
  ID:             r_i36TutoC0r
  Name:           Administration
  Updated Time:   Wed, 21 Oct 2020 20:45:49 BST
  Version:        2
  Scope:
    ID:              o_7Ywy6XUxt6
    Name:            home.exnet.lan
    Parent Scope ID: global
    Type:            org
  Principals:
    ID:       u_DZjHc40rFS
    Type:     user
    Scope ID: o_7Ywy6XUxt6
    ID:       u_yAvnfAXovH
    Type:     user
    Scope ID: global
  Canonical Grants:
    id=*;type=*;actions=*

$ boundary roles read -id=r_PpHjulVpTZ -addr=https://boundary.exnet.lan -tls-insecure
Role information:
  Created Time:   Wed, 21 Oct 2020 20:38:20 BST
  Description:    Administrator role
  Grant Scope ID: o_7Ywy6XUxt6
  ID:             r_PpHjulVpTZ
  Name:           admin
  Updated Time:   Wed, 21 Oct 2020 20:38:23 BST
  Version:        3
  Scope:
    ID:              o_7Ywy6XUxt6
    Name:            home.exnet.lan
    Parent Scope ID: global
    Type:            org
  Principals:
    ID:       u_qlloF3AOSB
    Type:     user
    Scope ID: o_7Ywy6XUxt6
    ID:       u_DZjHc40rFS
    Type:     user
    Scope ID: o_7Ywy6XUxt6
  Canonical Grants:
    id=*;type=*;actions=create,delete,read,update
```
I am `u_DZjHc40rFS`.
malnick
October 22, 2020, 1:43pm
10
Ah, you're missing `list` from your actions allowed on your role. That would prevent you from listing targets. Can you add that to the role grants?
hijak
October 22, 2020, 3:05pm
11
I added this and even tried it with a wildcard; it still didn't work:
```
$ boundary roles read -id=r_i36TutoC0r -addr=https://boundary.exnet.lan -tls-insecure
Role information:
  Created Time:   Wed, 21 Oct 2020 20:38:19 BST
  Description:    Role created for administration of scope o_7Ywy6XUxt6 by user u_yAvnfAXovH at its creation time
  Grant Scope ID: o_7Ywy6XUxt6
  ID:             r_i36TutoC0r
  Name:           Administration
  Updated Time:   Thu, 22 Oct 2020 16:00:36 BST
  Version:        3
  Scope:
    ID:              o_7Ywy6XUxt6
    Name:            home.exnet.lan
    Parent Scope ID: global
    Type:            org
  Principals:
    ID:       u_DZjHc40rFS
    Type:     user
    Scope ID: o_7Ywy6XUxt6
    ID:       u_yAvnfAXovH
    Type:     user
    Scope ID: global
  Canonical Grants:
    id=*;type=*;actions=create,delete,list,read,update

$ boundary targets list -scope-id p_4304XC6WGh -addr=https://boundary.exnet.lan -tls-insecure
Error from controller when performing list on targets:
Error information:
  Code:
  Message: Forbidden
  Status:  403
```
jeff
October 22, 2020, 3:14pm
12
That role is in scope `o_7Ywy6XUxt6` with grants also scoped there (Grant Scope ID: `o_7Ywy6XUxt6`). You either need to change the grant scope ID for that role to `p_4304XC6WGh` or you need to create a role in that project scope. It's just a scope mismatch!
hijak
October 22, 2020, 3:23pm
13
Ah yes! Thank you Jeff!!
I updated the scope id on the role to the project; now I can list targets!!!
```
boundary roles update -grant-scope-id=p_4304XC6WGh -id=r_i36TutoC0r -addr=https://boundary.exnet.lan -tls-insecure
```
hijak
October 22, 2020, 3:33pm
14
Is this something missing from my Terraform config?
jeff
October 22, 2020, 6:57pm
15
Yes, probably you need to either adjust one of your roles or add a new role.
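Jeff's scope-mismatch point, written as Terraform: this is an added example, not the poster's config or the Boundary project's own code. It shows the two fixes from the thread side by side: an org-level role whose grants are scoped to the project that holds the targets, and a least-privilege read-only role created directly in that project. It assumes the poster's resource names (`boundary_scope.home`, `boundary_scope.core_infra`, `boundary_user.users`, `boundary_group.readonly`) and that the provider's `boundary_role` resource exposes a `grant_scope_id` argument matching the CLI flag `-grant-scope-id` used above.

```hcl
# Added example (assumes the resource names from the poster's config above).
# Targets live in the project scope (p_), so a role's grants must apply there:
# either set grant_scope_id to the project, or create the role in the project.

# Fix 1: keep the role in the org, but point its grants at the project.
# Note "list" is included: without it, "boundary targets list" is refused
# even when create/read/update/delete are granted (see the thread above).
resource "boundary_role" "core_infra_admin" {
  name           = "core-infra-admin"
  description    = "Manage targets in the core infra project"
  scope_id       = boundary_scope.home.id        # role lives in the org
  grant_scope_id = boundary_scope.core_infra.id  # grants apply in the project
  principal_ids  = [for user in boundary_user.users : user.id]
  grant_strings  = ["id=*;type=*;actions=create,read,update,delete,list"]
}

# Fix 2: create the role in the project itself; grant_scope_id then defaults
# to the role's own scope. Grants are narrowed to targets and to read/list
# only, so the read-only group cannot change anything in the project.
resource "boundary_role" "core_infra_readonly" {
  name          = "core-infra-readonly"
  description   = "List and read targets in the core infra project"
  scope_id      = boundary_scope.core_infra.id
  principal_ids = [boundary_group.readonly.id]
  grant_strings = ["id=*;type=target;actions=read,list"]
}
```

After `terraform apply`, `boundary roles read -id=<role id>` should show `Grant Scope ID: p_...` for the first role, which is the field that was wrong in the thread.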