Hi!
I’m trying to setup Boundary on a Sandbox environment without success.
I create a new instance that contains the Controller and the Worker.
The Controller:
disable_mlock = true
controller {
name = "controller"
description = "An example controller"
database {
url = "postgresql://xxxxx@10.38.128.211:5432/boundary"
}
}
listener "tcp" {
address = "10.132.15.238"
purpose = "api"
tls_disable = true
}
listener "tcp" {
address = "10.132.15.238"
purpose = "cluster"
tls_disable = true
}
kms "gcpckms" {
purpose = "root"
credentials = "/etc/boundary_sa.json"
project = "xxxx"
region = "global"
key_ring = "boundary"
crypto_key = "boundary_root"
}
kms "gcpckms" {
purpose = "worker-auth"
credentials = "/etc/boundary_sa.json"
project = "xxxx"
region = "global"
key_ring = "boundary"
crypto_key = "boundary_worker-auth"
}
kms "gcpckms" {
purpose = "recovery"
credentials = "/etc/boundary_sa.json"
project = "xxxx"
region = "global"
key_ring = "boundary"
crypto_key = "boundary_recovery"
}
The worker:
listener "tcp" {
purpose = "proxy"
address = "10.132.15.238"
tls_disable = true
}
worker {
name = "worker"
controllers = [
"10.132.15.238:9202"
]
public_addr = "xxxxxx"
}
kms "gcpckms" {
purpose = "worker-auth"
credentials = "/etc/boundary_sa.json"
project = "xxxxxx"
region = "global"
key_ring = "boundary"
crypto_key = "boundary_worker-auth"
}
When I use authenticate password
it works, I can get the token:
boundary authenticate password -auth-method-id ampw_PTfZnspUF6 -login-name xxxxx -password foofoofoo -addr "http://xxxxxxx:9200"
Authentication information:
Account ID: apw_LREU3vpFg5
Auth Method ID: ampw_PTfZnspUF6
Expiration Time: Tue, 23 Feb 2021 12:03:47 CET
Token: xxxxxxxxxx
User ID: u_tYviXjsQOX
But then, when I try to connect through ssh, I’m getting that error:
boundary connect ssh -target-id ttcp_O9q4eP6Q9z -addr=http://xxxxxxx:9200
Error from controller when performing authorize-session against target:
Error information:
Kind: FailedPrecondition
Message: No workers are available to handle this session, or all have been filtered.
Status: 400
Not sure how to debug this error, I followed the documentation I think the user has the permissions to be able to use the host.
This is the Terraform configuration:
provider "boundary" {
addr = "http://xxxxxxxx:9200"
auth_method_id = "ampw_xxxxx"
password_auth_method_login_name = "admin"
password_auth_method_password = "xxxxxxx"
}
resource "boundary_scope" "org" {
scope_id = "global"
name = "xxxx"
description = "Organization scope"
auto_create_admin_role = true
auto_create_default_role = false
}
resource "boundary_scope" "sandbox" {
name = "sandbox"
description = "Sandbox environment"
scope_id = boundary_scope.org.id
auto_create_admin_role = true
auto_create_default_role = false
}
output "sandbox_scope_id" {
value = boundary_scope.sandbox.id
}
resource "boundary_auth_method" "password" {
name = "my_password_auth_method"
description = "Password auth method"
type = "password"
scope_id = boundary_scope.org.id
}
resource "boundary_account" "some_user" {
name = "some user"
description = "User account for my user"
type = "password"
login_name = "xxxxxx"
password = "foofoofoo"
auth_method_id = boundary_auth_method.password.id
}
output "auth_method_id" {
value = boundary_auth_method.password.id
}
resource "boundary_user" "some_user" {
name = "some user"
description = "Admin user"
account_ids = [boundary_account.some_user.id]
scope_id = boundary_scope.org.id
}
resource "boundary_role" "global_anon_listing" {
scope_id = "global"
grant_strings = [
"id=*;type=auth-method;actions=list,authenticate",
"type=scope;actions=list",
"id={{account.id}};actions=read,change-password"
]
principal_ids = ["u_anon"]
}
resource "boundary_role" "org_anon_listing" {
scope_id = boundary_scope.org.id
grant_strings = [
"id=*;type=auth-method;actions=list,authenticate",
"type=scope;actions=list",
"id={{account.id}};actions=read,change-password"
]
principal_ids = ["u_anon"]
}
resource "boundary_role" "org_admin" {
scope_id = "global"
grant_scope_id = boundary_scope.org.id
grant_strings = [
"id=*;type=*;actions=*"
]
principal_ids = [boundary_user.some_user.id]
}
resource "boundary_role" "sandbox_admin" {
scope_id = boundary_scope.org.id
grant_scope_id = boundary_scope.sandbox.id
grant_strings = [
"id=*;type=*;actions=*"
]
principal_ids = [boundary_user.some_user.id]
}
variable "node_ips" {
type = set(string)
default = [
"10.132.15.199",
]
}
resource "boundary_host_catalog" "sandbox" {
name = "xxxx Catalog"
type = "static"
scope_id = boundary_scope.sandbox.id
}
resource "boundary_host" "sandbox" {
for_each = var.node_ips
type = "static"
name = "xxxx Server ${each.value}"
address = each.key
host_catalog_id = boundary_host_catalog.sandbox.id
}
resource "boundary_host_set" "sandbox_ssh" {
type = "static"
name = "xxxx SSH Servers"
host_catalog_id = boundary_host_catalog.sandbox.id
host_ids = [for host in boundary_host.sandbox : host.id]
}
resource "boundary_target" "ssh_sandbox" {
type = "tcp"
name = "xxxx SSH"
scope_id = boundary_scope.sandbox.id
default_port = "22"
host_set_ids = [
boundary_host_set.sandbox_ssh.id
]
}
output "target_id" {
value = boundary_target.ssh_sandbox.id
}
I’m a bit stuck.
Also, there is an issue while setting up the TLS, but I think that should work without having TLS done.
Is there some tutorial or a how-to setup the TLS on Boundary?
Any help will be appreciated, thanks!