How to use Vault as Boundary Credential Store to keep hosts ssh static credentials

Hi all,
I have installed both boundary and vault and I have created a kv-v2 engine in Vault with a secret for a VM

path: kv/new_secret
key="secret"
value="<my vm password>"

In boundary I have created the credential store for my Vault installation and a credential library with:

path: kv/data/new_secret
HTTP_METHOD=GET

In boundary I have created an host-set with an host and I have associated the host-set with the same target

If I call:

boundary connect ssh -target-id=ttcp_FqTHzqYsLL -username ubuntu

output:

Credentials:
    Credential Store ID:            csvlt_f1Qy8WCigt
    Credential Source ID:          clvlt_0JZT5ApRlB
    Credential Source Type:        vault
    Credential Source Name:        username
    Secret:
      {
        "data": {
          "secret": "<my vm password>",
        },
        "metadata": {
          "created_time": "2021-10-11T15:36:30.18341977Z",
          "deletion_time": "",
          "destroyed": false,
          "version": 1
        }
      }

ubuntu@hst_jkchiozmln's password:

My understanding was that boundary should use Vault Credentials that are hidden to the users.
Instead I see the Vault credentials but boundary does not use them
Did I something wrong?

My goal is to use the credentials stored in Vault in order to hide them from the user, when She connects to the VM through boundary

Thanks in advance for any hint

Marco

1 Like