Purpose of the -exec flag?

I’m reading the Hashicorp Learn Tutorial of Boundary, but I don’t seem to get the example given for the exec flag:

cURL can be used to do an authenticated download of hashicorp.com

First, update the default TCP target ( ttcp_1234567890 ) port from 22 to 443 using the boundary targets update command.

Now, execute the cURL command using the -exec flag.
boundary connect -exec curl -target-id ttcp_1234567890 -- -vvsL --output /dev/null hashicorp.com

The first step can be omitted. This is because the second step just does a curl to hashicorp.com through the client machine (without using the connection at all…).

What is -exec supposed to do? It seems like it’s supposed to run a command after making the connection before closing said connection. It doesn’t appear to pass any variables (such as the localhost address) to said command, so it seems like it almost requires the -listen-port flag to be effective at all.

This seems to be an omission in the learn guide (and I’ll make a ticket internally to get it fixed – apologies!), but boundary connect -exec (or any of the helper subcommands that perform an exec for you) will interpolate a few variables in the arguments passed to the process. Given:

boundary connect -exec nc -- {{boundary.ip}} {{boundary.port}}

Connect will execute nc and pass two arguments to it – the IP address connect is listening on and the port it’s listening on. (The other current variable is {{boundary.addr}} which is simply the IP and port in ip:port form.)

These are also put into the environment of the running process in BOUNDARY_PROXIED_PORT/IP/ADDR.

Hopefully that helps. You can do some fun things with boundary connect -exec. For instance, you can use it as an SSH ProxyCommand so that your SSH sessions seamlessly use Boundary to make the connection to a remote host.

1 Like

Thanks for trying out Boundary @BrandonALXEllisSS.

I wanted to follow up on this thread because as you pointed out, the example in the learn guide does not use the local proxy. You can do so with the curl example by leveraging -- --proxy {{boundary.ip}}:{{boundary.port}}, however, the easiest way to do this on the CLI is with boundary connect http which uses curl under the hood and does all the work to handle TLS and pointing to the proxy for you.

I’ve submitted a PR to the learn guide to update this example to simply use boundary connect http, so be on the lookout for that.

Thanks again and let us know if you have any other questions!