Unable to connect to instance though SSH

Hi!

I’m trying to setup Boundary on a Sandbox environment without success.

I create a new instance that contains the Controller and the Worker.

The Controller:

disable_mlock = true

controller {
  name = "controller"
  description = "An example controller"
  database {
    url = "postgresql://xxxxx@10.38.128.211:5432/boundary"
  }
}

listener "tcp" {
  address = "10.132.15.238"
  purpose = "api"

  tls_disable = true
}

listener "tcp" {
  address = "10.132.15.238"
  purpose = "cluster"
  tls_disable = true
}

kms "gcpckms" {
  purpose     = "root"
  credentials = "/etc/boundary_sa.json"
  project     = "xxxx"
  region      = "global"
  key_ring    = "boundary"
  crypto_key  = "boundary_root"
}

kms "gcpckms" {
  purpose     = "worker-auth"
  credentials = "/etc/boundary_sa.json"
  project     = "xxxx"
  region      = "global"
  key_ring    = "boundary"
  crypto_key  = "boundary_worker-auth"
}

kms "gcpckms" {
  purpose   = "recovery"
  credentials = "/etc/boundary_sa.json"
  project     = "xxxx"
  region      = "global"
  key_ring    = "boundary"
  crypto_key  = "boundary_recovery"
}

The worker:

listener "tcp" {
    purpose = "proxy"
    address = "10.132.15.238"
    tls_disable = true
}

worker {
  name = "worker"

  controllers = [
    "10.132.15.238:9202"
  ]

  public_addr = "xxxxxx"
}

kms "gcpckms" {
  purpose     = "worker-auth"
  credentials = "/etc/boundary_sa.json"
  project     = "xxxxxx"
  region      = "global"
  key_ring    = "boundary"
  crypto_key  = "boundary_worker-auth"
}

When I use authenticate password it works, I can get the token:

boundary authenticate password -auth-method-id ampw_PTfZnspUF6 -login-name xxxxx -password foofoofoo -addr "http://xxxxxxx:9200"

Authentication information:
  Account ID:      apw_LREU3vpFg5
  Auth Method ID:  ampw_PTfZnspUF6
  Expiration Time: Tue, 23 Feb 2021 12:03:47 CET
  Token:           xxxxxxxxxx
  User ID:         u_tYviXjsQOX

But then, when I try to connect through ssh, I’m getting that error:

boundary connect ssh -target-id ttcp_O9q4eP6Q9z -addr=http://xxxxxxx:9200
Error from controller when performing authorize-session against target:
Error information:
  Kind:                FailedPrecondition
  Message:             No workers are available to handle this session, or all have been filtered.
  Status:              400

Not sure how to debug this error, I followed the documentation I think the user has the permissions to be able to use the host.

This is the Terraform configuration:

provider "boundary" {
  addr                            = "http://xxxxxxxx:9200"
  auth_method_id                  = "ampw_xxxxx"
  password_auth_method_login_name = "admin"
  password_auth_method_password   = "xxxxxxx"
}

resource "boundary_scope" "org" {
  scope_id    = "global"
  name        = "xxxx"
  description = "Organization scope"

  auto_create_admin_role   = true
  auto_create_default_role = false
}

resource "boundary_scope" "sandbox" {
  name                     = "sandbox"
  description              = "Sandbox environment"
  scope_id                 = boundary_scope.org.id
  auto_create_admin_role   = true
  auto_create_default_role = false
}

output "sandbox_scope_id" {
  value = boundary_scope.sandbox.id
}

resource "boundary_auth_method" "password" {
  name        = "my_password_auth_method"
  description = "Password auth method"
  type        = "password"
  scope_id    = boundary_scope.org.id
}

resource "boundary_account" "some_user" {
  name           = "some user"
  description    = "User account for my user"
  type           = "password"
  login_name     = "xxxxxx"
  password       = "foofoofoo"
  auth_method_id = boundary_auth_method.password.id
}

output "auth_method_id" {
  value = boundary_auth_method.password.id
}

resource "boundary_user" "some_user" {
  name        = "some user"
  description = "Admin user"
  account_ids = [boundary_account.some_user.id]
  scope_id    = boundary_scope.org.id
}

resource "boundary_role" "global_anon_listing" {
  scope_id = "global"
  grant_strings = [
    "id=*;type=auth-method;actions=list,authenticate",
    "type=scope;actions=list",
    "id={{account.id}};actions=read,change-password"
  ]
  principal_ids = ["u_anon"]
}

resource "boundary_role" "org_anon_listing" {
  scope_id = boundary_scope.org.id
  grant_strings = [
    "id=*;type=auth-method;actions=list,authenticate",
    "type=scope;actions=list",
    "id={{account.id}};actions=read,change-password"
  ]
  principal_ids = ["u_anon"]
}

resource "boundary_role" "org_admin" {
  scope_id       = "global"
  grant_scope_id = boundary_scope.org.id
  grant_strings = [
    "id=*;type=*;actions=*"
  ]
  principal_ids = [boundary_user.some_user.id]
}

resource "boundary_role" "sandbox_admin" {
  scope_id       = boundary_scope.org.id
  grant_scope_id = boundary_scope.sandbox.id
  grant_strings = [
    "id=*;type=*;actions=*"
  ]
  principal_ids = [boundary_user.some_user.id]
}

variable "node_ips" {
  type = set(string)
  default = [
    "10.132.15.199",
  ]
}

resource "boundary_host_catalog" "sandbox" {
  name     = "xxxx Catalog"
  type     = "static"
  scope_id = boundary_scope.sandbox.id
}

resource "boundary_host" "sandbox" {
  for_each        = var.node_ips
  type            = "static"
  name            = "xxxx Server ${each.value}"
  address         = each.key
  host_catalog_id = boundary_host_catalog.sandbox.id
}

resource "boundary_host_set" "sandbox_ssh" {
  type            = "static"
  name            = "xxxx SSH Servers"
  host_catalog_id = boundary_host_catalog.sandbox.id
  host_ids        = [for host in boundary_host.sandbox : host.id]
}

resource "boundary_target" "ssh_sandbox" {
  type         = "tcp"
  name         = "xxxx SSH"
  scope_id     = boundary_scope.sandbox.id
  default_port = "22"

  host_set_ids = [
    boundary_host_set.sandbox_ssh.id
  ]
}

output "target_id" {
  value = boundary_target.ssh_sandbox.id
}

I’m a bit stuck.

Also, there is an issue while setting up the TLS, but I think that should work without having TLS done.

Is there some tutorial or a how-to setup the TLS on Boundary?

Any help will be appreciated, thanks!

Ok I found the issue:

controllers = [
    "10.132.15.238:9202"
  ]

The worker had the :9202 :stuck_out_tongue:

1 Like

I am getting the exact same issue, what port did you change the listener to?