Tunnel between localhost and target host can be used to access MySQL with any users


I use Boundary and Vault to allow clients to access MySQL database with the help of Boundary Desktop. This MySQL database and boundary-worker are in the same subnet

When clients press ‘Connect’, they are provided with temporary credentials and Proxy URL (TCP). Suppose that a client has been provided with the following access details:

  • username: ‘v-token-read-XXXXXXXXXXXXXX’
  • password: 1234567
  • Proxy URL (TCP):

Now imagine that this client knows that there’s another user in MySQL, for example, ‘prod_applications_user_with_write_permissions’@‘192.168.50.%’ and has the needed password.

The problem is that the client can access MySQL using any of two users:

mysql -h -P 1234567 -u v-token-read-XXXXXXXXXXXXXX -p and mysql -h -P 1234567 -u prod_applications_user_with_write_permissions -p

How can I secure that this client can access DB only with ‘v-token-read-XXXXXXXXXXXXXX’ username and not with ‘prod_applications_user_with_write_permissions’?

Thanks in advance for your suggestions.

That’s exactly what credential injection with HCP Boundary accomplishes – the user will never see credentials or be prompted for them, nor will they be able to read them out of the traffic between the client and worker. They’ll just have an authenticated session to begin using.

Currently as a first step, we do credential injection for static SSH private keys only, but the Boundary team is actively discussing future injection features.