PostgreSQL not accessible through Boundary

We have set up the Boundary community edition on our Ubuntu 22.04 machine, with PostgreSQL running inside a Docker container.

The issues we face are:

  1. When we run the “sudo boundary database init -config controller.hcl” command, we get the below error:

Unable to connect to the database at “postgresql://postgres:password@198.168.3.198:5432/boundarydb”

But PostgreSQL is working fine when trying to connect directly, i.e. other than through Boundary. For example, running the command ‘psql -h 192.168.3.198 -U postgres -d boundarydb’ goes to the PostgreSQL prompt once the password is entered, but not through Boundary. Are we missing something?

  2. Also, running the below command “sudo boundary server -config boundary.hcl” gives the below error:

Database is in a bad state. Please revert the database into the last known good state. (Failed to verify kms setup: kms.(Kms).VerifyGlobalRoot: can’t find global scoped root key: integrity violation: error #2000)

But we are self-hosting Boundary and do not need to connect to any AWS KMS. We have used the controller.hcl and boundary.hcl files by following the official documentation (this guide).

As I am a ‘New user’, it is not letting me upload files to this post. Request urgent assistance.

PS: The official HashiCorp documentation for Boundary community installation is not clear and misses out on important file contents such as KMS.

1. Issue with Boundary not being able to connect to PostgreSQL:

  • It looks like you’re using the IP address 198.168.3.198 in your Boundary connection string, but when testing with psql you use 192.168.3.198. Make sure the IP address in your controller.hcl/boundary.hcl matches the actual address where your PostgreSQL instance is running.

  • Double-check your firewall settings or Docker network configuration to ensure Boundary is allowed to access the PostgreSQL container on port 5432.

  • Make sure that the username, password, database name, and port in your connection string are correct, and that the user has the necessary permissions.

  • Try adding sslmode=disable to your connection string; sometimes this helps if SSL isn’t configured in PostgreSQL.

2. Error about KMS and “Database is in a bad state”

  • Even though you’re not using AWS KMS, Boundary still requires you to define at least one KMS provider in your configuration file to manage keys (for example, for encryption).

  • You can use the built-in “aead” provider for simple test environments. Here’s an example of a minimal KMS setup you can add under kms in your controller.hcl:

    kms "aead" {
      purpose = "root"
      aead_type = "aes-gcm"
      key = "your-32-byte-hex-key-here"
    }
    kms "aead" {
      purpose = "worker-auth"
      aead_type = "aes-gcm"
      key = "another-32-byte-hex-key-here"
    }

    You need to generate two unique 32-byte hex keys (for example, with openssl rand -hex 32) and insert them in place of your-32-byte-hex-key-here.

  • After updating the KMS section, try deleting and reinitializing the database (note: this will erase everything if you already have data!).

Extra tips:

  • Check the logs for both Boundary and PostgreSQL for more details about what’s going wrong.

  • If you’re still having trouble, feel free to post your (anonymized) controller.hcl file (or the relevant parts), and maybe we can spot more issues.
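A pre-flight check for the database URL discussed in this thread, as an added example (not part of the original posts and not HashiCorp code): it flags a host that differs from the one that works with psql, an IP literal outside private address space (the 198.168.x.x case above), an inline password, and sslmode=disable. The function name `lint_db_url` and the finding labels are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs


def lint_db_url(url, expected_host=None):
    """Return a list of finding labels for a PostgreSQL connection URL."""
    findings = []
    parts = urlsplit(url)

    # Boundary's database url setting also accepts env:// and file://
    # indirection; there is nothing to inspect in that case.
    if parts.scheme in ("env", "file"):
        return findings
    if parts.scheme not in ("postgres", "postgresql"):
        return ["unexpected-scheme"]

    host = parts.hostname or ""
    if expected_host and host != expected_host:
        findings.append("host-mismatch")

    try:
        addr = ipaddress.ip_address(host)
        # A database on a LAN or Docker network should normally sit in
        # private address space; a public literal is often a typo.
        if not addr.is_private:
            findings.append("public-address")
    except ValueError:
        pass  # DNS name rather than an IP literal

    if parts.password:
        findings.append("inline-password")  # secret stored in the config file

    sslmode = parse_qs(parts.query).get("sslmode", [""])[0]
    if sslmode == "disable":
        findings.append("tls-disabled")  # credentials cross the network in cleartext

    return findings


if __name__ == "__main__":
    # URL from the error message in the question; host from the working psql command.
    url = "postgresql://postgres:password@198.168.3.198:5432/boundarydb"
    for finding in lint_db_url(url, expected_host="192.168.3.198"):
        print(finding)
```

An `inline-password` finding can be cleared by moving the URL into an environment variable or file and referencing it with `env://` or `file://`; `tls-disabled` is acceptable only where the database traffic never leaves a trusted host or network.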