First target website (localhost)

Hello guys, I’m new to HashiCorp Boundary. I want to start small, so I have a localhost website and I want it to have a credentials login, so that when I access it from my phone it asks for it. After I set up the Boundary target, host, etc., it still didn’t redirect me to the target website. Maybe this is a simple question, but it has had my head spinning for hours. I’d appreciate it if someone could explain it to me :pray:

There’s currently no Boundary mobile desktop client; if you’re logging in to the Boundary web GUI on port 9200, that’s the admin interface and doesn’t support initiating connections.

The intended use is that a Boundary admin would set up the target configuration (either through that admin GUI, or using the CLI or the API), then a user with a desktop client (either the GUI-based Boundary Desktop, or using the CLI) would connect to the target.

Thank you for the explanation about the mobile phone, but I still can’t get to the target website. The things I have set up are host catalogs, credential stores, targets, users, groups, and roles. Is there something missing?

What client are you using and on what kind of local system?

I’m using HCP, my local system is Ubuntu, and the target is Ubuntu in OpenStack.


This is what the user sees when they are logged in, even though I have 3 targets.

Can you show us the groups the user is assigned to, the roles that user and/or group is a principal of, the grants on those roles, and the IDs of the targets you created?

This is the group

For the roles, this is the one I use for connect

This is what is inside the role

These are the principals inside the role

This is the grant

And these are the target IDs

I think this happens because your grants are in the global scope and your targets are in the AWS project scope.
Unless you have set the same grants at the project level, I wouldn’t expect that to work.

Yeah, I have the same grant access and it didn’t work. Any ideas to help me with it?

your grants are in the global scope and your targets are in the AWS project scope

The screenshot shows the grant-scope for the role set to the AWS project, so I think everything’s OK there. But I noticed that authorize-session permission is missing for the role.

Here’s a set of permissions I used for a demo I set up:

  • id=*;type=session;actions=list,read:self,cancel:self
  • type=target;actions=list
  • id=[target ID];actions=authorize-session
  • id=*;type=target;actions=no-op

(Note that the no-op permission I believe is not needed in Boundary >= 0.13.x.)

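The check described in the reply above, as an added example (not code from the thread or from Boundary): a simplified Python model of the `id`/`type`/`actions` grant fields that reports which actions a role still lacks for a user to list and connect to a target. The target ID and the "before" role are constructed, and Boundary's real evaluator has more rules (scopes, output fields, pinned IDs) than this model covers.

```python
# Simplified model of Boundary grant strings: only the id/type/actions fields
# used in this thread, not Boundary's own ACL evaluator.

def parse_grant(grant):
    """Parse 'id=*;type=target;actions=list,read' into ids, type, actions."""
    fields = {}
    for segment in grant.split(";"):
        key, sep, value = segment.strip().partition("=")
        if not sep or not value:
            raise ValueError(f"malformed grant segment: {segment!r}")
        fields[key] = value
    if "actions" not in fields:
        raise ValueError(f"grant has no actions: {grant!r}")
    ids = fields.get("ids") or fields.get("id") or ""  # 'ids' is the newer spelling
    return {"ids": set(ids.split(",")) - {""},
            "type": fields.get("type"),
            "actions": set(fields["actions"].split(","))}

def grant_allows(grant, action, target_id=None):
    """True if one parsed grant permits `action` on target_id, or on the
    target collection (as 'list' needs) when target_id is None."""
    if not {action, "*"} & grant["actions"]:
        return False
    wildcard = "*" in grant["ids"] and grant["type"] in ("target", "*")
    if target_id is None:
        return wildcard or (not grant["ids"] and grant["type"] == "target")
    # A grant naming the target ID directly carries no type, as in the post.
    return wildcard or (target_id in grant["ids"] and grant["type"] is None)

def missing_to_connect(grants, target_id):
    """Return the actions a user still lacks to see and connect to a target."""
    parsed = [parse_grant(g) for g in grants]
    needed = [("list", None), ("authorize-session", target_id)]
    return [action for action, tid in needed
            if not any(grant_allows(g, action, tid) for g in parsed)]

TARGET = "ttcp_EXAMPLE0001"  # constructed placeholder target ID
ROLE_BEFORE = [  # constructed: a role without authorize-session
    "id=*;type=session;actions=list,read:self,cancel:self",
    "type=target;actions=list",
]
ROLE_AFTER = ROLE_BEFORE + [  # the permission set from the post above
    f"id={TARGET};actions=authorize-session",
    "id=*;type=target;actions=no-op",
]

if __name__ == "__main__":
    print("before:", missing_to_connect(ROLE_BEFORE, TARGET))
    print("after: ", missing_to_connect(ROLE_AFTER, TARGET))
```

Run against the grant strings copied from a role, an empty result means both the listing and the `authorize-session` grant are present for that target ID.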

Oh, I missed that. Thanks for pointing it out.

Thank you for the permissions. Right now I have another problem with the worker. Can you help me with this?

That looks like your worker is for some reason not able to contact the controllers. What does your worker config look like? Are you using HCP Boundary or are you running OSS Boundary yourself as the controller?

Right now I’m using two types: the HCP one and the open source one. For the photo, I ran OSS Boundary as the controller. The OSS Boundary is in OpenStack with IP 103.29.. and the target system is an Ubuntu VM.
This is the worker HCL inside the Ubuntu VM.

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  public_addr = "192.168.88.232"
  auth_storage_path = "/home/*/test/worker1"
  tags {
    world = ["hello"]
  }
  initial_upstreams = ["103.29.*.*"]
}

Is it a PKI worker or a KMS worker? If it’s KMS, what KMS are you using? I see errors about worker auth that make me think maybe something’s wrong with the auth config.

I’m using PKI Worker

Did you have the worker create the token, or did you create the token in the Boundary control plane?

I think I didn’t create any token, because I only followed the guidelines in the documentation “Self-Managed Quick Start | Boundary | HashiCorp Developer” and this documentation, “Self-Managed Worker Registration with HCP Boundary | Boundary | HashiCorp Developer”.

Hello, sorry for replying again. Is there any update on my problem?