How to use Vault as Boundary Credential Store to keep hosts ssh static credentials

Hi all,
I have installed both boundary and vault and I have created a kv-v2 engine in Vault with a secret for a VM

path: kv/new_secret
value="<my vm password>"

In boundary I have created the credential store for my Vault installation and a credential library with:

path: kv/data/new_secret

In boundary I have created an host-set with an host and I have associated the host-set with the same target

If I call:

boundary connect ssh -target-id=ttcp_FqTHzqYsLL -username ubuntu


    Credential Store ID:            csvlt_f1Qy8WCigt
    Credential Source ID:          clvlt_0JZT5ApRlB
    Credential Source Type:        vault
    Credential Source Name:        username
        "data": {
          "secret": "<my vm password>",
        "metadata": {
          "created_time": "2021-10-11T15:36:30.18341977Z",
          "deletion_time": "",
          "destroyed": false,
          "version": 1

ubuntu@hst_jkchiozmln's password:

My understanding was that boundary should use Vault Credentials that are hidden to the users.
Instead I see the Vault credentials but boundary does not use them
Did I something wrong?

My goal is to use the credentials stored in Vault in order to hide them from the user, when She connects to the VM through boundary

Thanks in advance for any hint


1 Like

Currently this is all we can do from my knowledge. The user has to copy and paste.

Hi, just want to confirm if there is an ongoing enhancement on this?

@mughetti and @lugtusonny - you are correct that currently static credentials are passed directly back to users to be copy and paste into sessions. This workflow is something we are investigating to improve in future Boundary offerings.

In the meantime, for best security practices we recommend using a single use password, such as Vault’s OTP secrets engine) for your Boundary credential library.