Using Boundary to Grant Authentication Time-Bound Certificates to Projects

I have reviewed the getting started guide for Boundary and I am still a bit confused, so I am posting my desired use case here, so I can “measure twice and cut once” in my HCP-service-building.

We are engineering a system by which different environments have access granted by virtue of presentation of a certificate signed by a HCP-signed CA root cert. The desired workflow is as follows:

  1. User signs in to some…thing (Boundary I think?) with SSO/Conditional Access
  2. User has access to some project by virtue of group membership
  3. User requests a time-bound certificate to a specific host within the project, that is signed by the user’s private key and a HCP CA root certificate trusted in advance by the host
  4. User presents that certificate to authenticate to the host in question via SSH, does work

I know I can accomplish this broadly using Vault and Vault alone, and have done so. But I am now attempting to size up the UX design challenge, to streamline the process of requesting the creation of the time-bound signed certificate and (without much fuss) connecting the engineer in question to the desired environment.

Is Boundary the required tool for this workflow? I see that Boundary explicitly is designed to work with credential injection - but this is not exactly what I am hoping to use, and so I’m looking for confirmation before doing any serious building/research/development. If Boundary is not what I need, what should I do?

Thanks
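As an added illustration of steps 3 and 4 above (this is example code written for this thread, not code from the original post, from HashiCorp, or from Boundary/Vault), the block below builds an OpenSSH user certificate blob with a short validity window, in the same wire format a Vault SSH secrets engine "sign" role returns, and then runs the policy checks a host performs when its sshd_config points TrustedUserCAKeys at the CA public key it was given in advance: certificate type, trusted CA, validity window, and principal. The CA and user keys (CA_PUB, USER_PUB), the key id "vault-oidc-alice" and the 30-minute TTL are constructed placeholders; the certificate signature is a placeholder too, so the block exercises the time-bound and trust checks only, and the actual signature verification is left to sshd as noted in the code.

```python
import struct
import time

# OpenSSH certificate type codes (PROTOCOL.certkeys); a Vault "sign" role issues type 1.
CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2

# Constructed stand-ins for the 32-byte Ed25519 public keys involved (not real keys).
CA_PUB = b"\x11" * 32      # the CA public key the host trusts in advance (TrustedUserCAKeys)
USER_PUB = b"\x22" * 32    # the engineer's own public key, sent to the CA for signing


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 big-endian length prefix followed by the bytes)."""
    return struct.pack(">I", len(b)) + b


def build_cert(ca_pub, user_pub, key_id, principals, valid_after, valid_before,
               signature=b"\x00" * 64):
    """Encode an ssh-ed25519-cert-v01@openssh.com blob with the given validity window.

    Constructed example: the signature is a placeholder, so the result is only useful
    for exercising the policy checks below, never for real authentication.
    """
    body = b"".join([
        ssh_string(b"ssh-ed25519-cert-v01@openssh.com"),
        ssh_string(b"\x00" * 32),                   # nonce (constructed)
        ssh_string(user_pub),                       # public key being certified
        struct.pack(">Q", 0),                       # serial
        struct.pack(">I", CERT_TYPE_USER),          # user (not host) certificate
        ssh_string(key_id.encode()),                # key id shown in sshd's auth log
        ssh_string(b"".join(ssh_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),             # seconds since the epoch
        struct.pack(">Q", valid_before),
        ssh_string(b""),                            # critical options (none)
        ssh_string(b""),                            # extensions (none)
        ssh_string(b""),                            # reserved
        ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(ca_pub)),  # CA public key
    ])
    return body + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(signature))


class _Reader:
    """Sequential decoder for the SSH wire types used inside a certificate."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return n

    def u64(self):
        (n,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return n

    def string(self):
        n = self.u32()
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s

    def done(self):
        return self.pos >= len(self.data)


def parse_cert(blob):
    """Decode the certificate fields in PROTOCOL.certkeys order."""
    r = _Reader(blob)
    c = {"type_name": r.string().decode(), "nonce": r.string(), "pk": r.string(),
         "serial": r.u64(), "cert_type": r.u32(), "key_id": r.string().decode()}
    principals = _Reader(r.string())
    c["principals"] = []
    while not principals.done():
        c["principals"].append(principals.string().decode())
    c["valid_after"], c["valid_before"] = r.u64(), r.u64()
    c["critical_options"], c["extensions"], c["reserved"] = r.string(), r.string(), r.string()
    ca = _Reader(r.string())
    c["ca_key_type"], c["ca_key"] = ca.string().decode(), ca.string()
    c["signature"] = r.string()
    return c


def authorize(blob, login_user, trusted_ca_keys, now=None):
    """Policy checks sshd applies under TrustedUserCAKeys; returns (ok, reason).

    The signature over the certificate body is verified by sshd itself; that step is
    deliberately not reimplemented here.
    """
    now = time.time() if now is None else now
    c = parse_cert(blob)
    if c["cert_type"] != CERT_TYPE_USER:
        return False, "not a user certificate"
    if c["ca_key"] not in trusted_ca_keys:
        return False, "signing CA is not in TrustedUserCAKeys"
    if not (c["valid_after"] <= now < c["valid_before"]):
        return False, "certificate is outside its validity window"
    if login_user not in c["principals"]:
        return False, f"principal {login_user!r} not listed in certificate"
    return True, f"accepted key id {c['key_id']}"


if __name__ == "__main__":
    issued = int(time.time())
    cert = build_cert(CA_PUB, USER_PUB, "vault-oidc-alice", ["alice"], issued - 60, issued + 1800)
    print(authorize(cert, "alice", {CA_PUB}))                   # accepted while inside the window
    print(authorize(cert, "alice", {CA_PUB}, now=issued + 3600))  # rejected once the TTL has passed
```

Because every check except the signature is purely local to the host, nothing in the flow requires the issuer to reach the host: the CA public key is installed once, and each short-lived certificate stands on its own until valid_before passes. On the client side the certificate is presented with the ordinary OpenSSH option (assuming the usual file names) `ssh -i id_ed25519 -o CertificateFile=id_ed25519-cert.pub user@host`; with Vault alone, the certificate file is whatever `vault write <ssh-mount>/sign/<role> public_key=@id_ed25519.pub` returned in its signed_key field.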

Hi @sdg4754,

Let me start by saying that I’m not in any way affiliated with Hashicorp or an HCP Boundary user. My organization does use Boundary OSS though, for database access management.

What you have described has probably been one of the first-ever use-cases of Boundary as can be inferred from the following paragraph (quoted from the public announcement of the 0.1 OSS release):

Our vision for Boundary open source is to enable this ephemeral model of access in which users can authenticate to Boundary — using their identity of choice — then are authorized to perform actions on dynamic sets of targets. Then be granted just-in-time access to connect to those targets via credentials provided by Vault or credential management solution of choice.

Of course, back then, they were talking about SSH auth with username and password or username and private key. Today, with HCP Boundary it’s possible to leverage SSH signed certificates. Check out this somewhat similar discussion.

A few comments about your post though:

Not sure what you mean by “signed by the user’s private key” (see Client SSH Authentication). When you mention HCP CA certificate, I’m assuming you’re talking about an HCP-Vault-generated CA certificate.

As it’s probably already clear at this point, yes, if your requirements are only the ones you described above.

If you’re not going to use credential injection, how would the client automatically present the signed certificate to the server?

1 Like

Thanks for writing back. I’m doing a lot of inferring, but not seeing my use case addressed directly in language I understand clearly, so hence the confusion.

As I understand it, when I am working directly with Vault to generate the time-bound certificate that is trusted by the environment in question, Vault’s CA cert is signing the resulting certificate with both my private key and the trusted CA cert. Sorry if that’s not correct. But the idea is that Vault is generating the time-bound certificate that I’m about to use to authenticate, and I need some front end to help me manage that process with and for the user.

So I think this is the source of the misunderstanding - when I see the words “credential injection,” I think of HCP actively injecting the relevant credential - be it a password or a certificate - into the host that is being accessed.

That’s not the authentication workflow we are interested in. We want to generate a signed certificate that will be valid for a short period of time that does not require a connection to the host being connected to. Does that process fall under the correct definition of credential injection?

If not, is Boundary the required tool for the user to drive that process? That’s the source of the confusion that I’m trying to clear up.

Thank you again for writing in and I will look at the thread you linked.

Mac, using the thread you linked I found this, SSH Certificate Injection with HCP Boundary | Boundary | HashiCorp Developer, which clears up the terminology and sums up my use case. Thank you!

1 Like