Leveraging Boundary and Vault to use SSH signed certificates

I’ve gone through the excellent tutorial to demo Boundary.

I also see on the roadmap the following about “Just-in-time access”:

A just-in-time access posture will be enforced at multiple levels within Boundary. Upcoming releases will offer integration with Vault or your preferred secret management solution of choice to generate ephemeral credentials for Boundary sessions.

It seems that leveraging Vault’s SSH signed certificates (for both host key signing and client-side host verification) would be really powerful: not only would I not need to push around individual SSH certificates, but I could use the zero trust model that Boundary provides.

Am I reading your roadmap correctly in that this is just the sort of Vault integration you’re planning?

If so, is there any published timeline as to when we can take this for a spin?

Hi @pete0emerson, thanks for trying out Boundary - and glad to hear our getting started tutorial was helpful!

You are indeed reading the roadmap correctly. Our goal is for Boundary users, once authenticated, to be able to seamlessly access their targets with secrets brokered by Boundary from Vault (or a preferred secrets management solution) such that the secrets don’t need to be managed by the user. Making use of Vault’s ssh signed certificates to securely ssh to Boundary targets is a great example of a possible use-case for this scenario.

We are still actively planning and working on this capability, so unfortunately we don’t yet have a precise timeline. That said, our public roadmap is in prioritized order, so given that Vault integration is at #2 you can assume it will be coming in an upcoming release sooner rather than later (following OIDC authentication, the #1 item).

2 Likes
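The workflow the question and the reply both describe (Vault as an SSH CA for user keys and host keys, with Boundary in front of the target) can already be run by hand while the brokered integration is still on the roadmap. The script below is an added example, not code from the thread, from Boundary or from Vault's documentation; it wires the two Vault `ssh` mounts, the target's `sshd_config`, the client's `known_hosts` and a `boundary connect ssh` call together. Mount names, role names, the `ubuntu` login user, `example.com`, the key paths and the `TARGET_ID` variable are all assumed placeholders; `VAULT_ADDR` and `VAULT_TOKEN` are assumed to be set.

```shell
#!/usr/bin/env bash
# Added example (not from Boundary, Vault or the thread): the manual version
# of the workflow discussed above. Vault's ssh secrets engine acts as two CAs
# (one signs user keys, one signs host keys); sshd trusts the user CA, the
# client trusts the host CA, and the user carries a short-lived certificate
# through `boundary connect ssh` instead of a long-lived key.
# Assumed: VAULT_ADDR/VAULT_TOKEN are set; the mount names, role names,
# paths and domain below are placeholders; TARGET_ID is your Boundary target.
set -eu

CLIENT_MOUNT=ssh-client-signer   # assumed mount name
HOST_MOUNT=ssh-host-signer       # assumed mount name
USER_ROLE=boundary-users         # assumed role name
HOST_ROLE=boundary-hosts         # assumed role name
DOMAIN=example.com               # assumed domain of the targets

# --- pure helpers (no Vault needed) ---

# known_hosts line that makes the client trust any host certificate signed by
# the host CA for the given host pattern (client-side host verification).
known_hosts_ca_line() {  # $1=host pattern, $2=CA public key ("ssh-rsa AAAA...")
  printf '@cert-authority %s %s\n' "$1" "$2"
}

# sshd_config fragment: accept user certs from the user CA, and present our own
# host certificate so clients can verify us without a trust-on-first-use prompt.
sshd_cert_config() {  # $1=path to user CA public key, $2=path to host cert
  printf 'TrustedUserCAKeys %s\nHostCertificate %s\n' "$1" "$2"
}

# --- Vault side: one mount per CA ---
setup_cas() {
  vault secrets enable -path="$CLIENT_MOUNT" ssh
  vault write "$CLIENT_MOUNT/config/ca" generate_signing_key=true
  # Short-lived user certs, restricted to one login principal and no forwarding.
  vault write "$CLIENT_MOUNT/roles/$USER_ROLE" - <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users": "ubuntu",
  "default_user": "ubuntu",
  "allowed_extensions": "permit-pty",
  "default_extensions": {"permit-pty": ""},
  "ttl": "30m"
}
EOF

  vault secrets enable -path="$HOST_MOUNT" ssh
  vault secrets tune -max-lease-ttl=87600h "$HOST_MOUNT"
  vault write "$HOST_MOUNT/config/ca" generate_signing_key=true
  vault write "$HOST_MOUNT/roles/$HOST_ROLE" \
    key_type=ca allow_host_certificates=true \
    allowed_domains="$DOMAIN" allow_subdomains=true ttl=87600h
}

# --- target side (run once on each SSH host) ---
configure_target() {
  vault read -field=public_key "$CLIENT_MOUNT/config/ca" \
    > /etc/ssh/trusted-user-ca-keys.pem
  vault write -field=signed_key "$HOST_MOUNT/sign/$HOST_ROLE" \
    cert_type=host public_key=@/etc/ssh/ssh_host_rsa_key.pub \
    > /etc/ssh/ssh_host_rsa_key-cert.pub
  sshd_cert_config /etc/ssh/trusted-user-ca-keys.pem \
    /etc/ssh/ssh_host_rsa_key-cert.pub >> /etc/ssh/sshd_config
  systemctl restart sshd
}

# --- user side: trust the host CA, get a cert, connect through Boundary ---
connect_via_boundary() {  # $1=Boundary target id
  known_hosts_ca_line "*.$DOMAIN" \
    "$(vault read -field=public_key "$HOST_MOUNT/config/ca")" >> ~/.ssh/known_hosts
  vault write -field=signed_key "$CLIENT_MOUNT/sign/$USER_ROLE" \
    public_key=@"$HOME/.ssh/id_rsa.pub" > "$HOME/.ssh/id_rsa-cert.pub"
  ssh-keygen -Lf "$HOME/.ssh/id_rsa-cert.pub"   # inspect principals, validity, extensions
  # Arguments after -- are handed to ssh; the cert is offered alongside the key.
  boundary connect ssh -target-id "$1" -- \
    -i "$HOME/.ssh/id_rsa-cert.pub" -i "$HOME/.ssh/id_rsa" -l ubuntu
}

case "${1:-}" in
  cas)     setup_cas ;;
  target)  configure_target ;;
  connect) connect_via_boundary "${TARGET_ID:?set TARGET_ID to your Boundary target id}" ;;
esac
```

Run it as `./vault-ssh-ca.sh cas` on an operator machine, `./vault-ssh-ca.sh target` on each host and `TARGET_ID=... ./vault-ssh-ca.sh connect` as a user. The user's certificate expires after 30 minutes, so access is just-in-time without Boundary ever seeing the private key; `ssh-keygen -Lf` is the check worth doing before a connection to confirm the principal and validity window Vault actually issued.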

That’s great, thanks for the confirmation. I’m thrilled about the OIDC integration; since you’ve done it well with Vault already, I’m hoping that development path is pretty straightforward to implement.

This, combined with a browser-only workflow that I’ve created a different topic for would make Boundary a slam-dunk for me, completely replacing VPN solutions and going full-on Zero Trust in a way that a small team can manage at scale. That’s pretty exciting!

1 Like

@pete0emerson glad to hear that the roadmap for these three items (OIDC, vault integration, and non-CLI client) fits your priority and thank you for the feedback!

P.S. As @malnick already noted in the browser-only workflow thread, we don’t have immediate plans to support connections through the browser client, but we are actively working on a desktop client for non-CLI users. For any follow-up questions on that browser-only workflow item, let’s use your thread.

1 Like