How to use Vault as a Boundary Credential Store to keep hosts' SSH static credentials

Hi all,
I have installed both Boundary and Vault, and I have created a kv-v2 engine in Vault with a secret for a VM:

path: kv/new_secret
value="<my vm password>"

In Boundary I have created the credential store for my Vault installation and a credential library with:

path: kv/data/new_secret

In Boundary I have created a host-set with a host and I have associated the host-set with the same target.

If I call:

boundary connect ssh -target-id=ttcp_FqTHzqYsLL -username ubuntu


    Credential Store ID:            csvlt_f1Qy8WCigt
    Credential Source ID:          clvlt_0JZT5ApRlB
    Credential Source Type:        vault
    Credential Source Name:        username
        "data": {
          "secret": "<my vm password>",
        "metadata": {
          "created_time": "2021-10-11T15:36:30.18341977Z",
          "deletion_time": "",
          "destroyed": false,
          "version": 1

ubuntu@hst_jkchiozmln's password:

My understanding was that Boundary should use Vault credentials that are hidden from the users.
Instead I see the Vault credentials, but Boundary does not use them.
Did I do something wrong?

My goal is to use the credentials stored in Vault in order to hide them from the user when she connects to the VM through Boundary.

Thanks in advance for any hint



Currently this is all we can do from my knowledge. The user has to copy and paste.