
Boundary Cheat Sheet

Overview

HashiCorp Boundary is an identity-based access management tool that provides secure remote access to hosts and critical systems across clouds, on-premises data centers, and low-trust networks. Unlike traditional VPNs, Boundary provides fine-grained, identity-based authorization, session recording, and credential injection without requiring users to have direct network access to target systems.

Boundary integrates with trusted identity providers for authentication and HashiCorp Vault for dynamic credential management. It supports TCP, SSH, RDP, HTTP, and database protocols, enabling teams to access infrastructure through a single workflow with full session auditing and just-in-time credentials that are never exposed to end users.

Installation

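# macOS
brew install hashicorp/tap/boundary

# Ubuntu/Debian
# Import the HashiCorp apt signing key into its own keyring (not the default one).
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
# Verify the key before trusting it for package installs: compare the printed
# fingerprint with the one published in HashiCorp's documentation
# (<FINGERPRINT-FROM-HASHICORP-DOCS>) and stop here if it does not match.
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install boundary

# Docker
# Without a tag this pulls the mutable "latest" image; pin a version tag
# (hashicorp/boundary:<VERSION>) so deployments are reproducible and upgrades
# are deliberate.
docker pull hashicorp/boundary

# Verify installation
boundary version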

Quick Start (Dev Mode)

# Start development server (all-in-one)
# Dev mode is an all-in-one sandbox with fixed, publicly documented IDs and
# credentials (listed below); use it for learning and local testing only.
boundary dev

# Dev server with specific options
# Binding every listener to 0.0.0.0 makes the dev server, and its well-known
# admin/password login, reachable from the whole network. Keep it on a trusted
# host or behind a firewall, or bind the listeners to 127.0.0.1 instead.
boundary dev \
  -api-listen-address=0.0.0.0 \
  -cluster-listen-address=0.0.0.0 \
  -proxy-listen-address=0.0.0.0 \
  -worker-public-address=localhost

# Default dev credentials:
# Login: admin / password
# Auth Method ID: ampw_1234567890
# Org Scope ID: o_1234567890
# Project Scope ID: p_1234567890

# Authenticate
# A literal password is acceptable here only because it is the fixed dev
# default; see the Authentication section for keeping real passwords out of
# the command line.
boundary authenticate password \
  -auth-method-id ampw_1234567890 \
  -login-name admin \
  -password password

Authentication

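# Password authentication
# Omit -password and the CLI prompts for it with hidden input. A literal
# password on the command line is written to shell history and is visible to
# other local users through the process list. For non-interactive use pass a
# reference instead, e.g. -password env://BOUNDARY_PASSWORD, so the secret
# itself never appears in argv.
boundary authenticate password \
  -addr http://localhost:9200 \
  -auth-method-id ampw_XXXXX \
  -login-name admin

# OIDC authentication
# Plain http:// is only acceptable against a local dev server; a production
# controller is reached over https (see Configuration).
boundary authenticate oidc \
  -addr http://localhost:9200 \
  -auth-method-id amoidc_XXXXX

# Store token for CLI
# Assign and export in two steps: `export VAR=$(...)` always returns 0, so a
# failed login would otherwise go unnoticed. Check that the value is a real
# token (not empty or "null") before exporting it; an exported token is
# inherited by every child process of this shell.
export BOUNDARY_ADDR=http://localhost:9200
BOUNDARY_TOKEN=$(boundary authenticate password \
  -auth-method-id ampw_XXXXX \
  -login-name admin \
  -password env://BOUNDARY_PASSWORD \
  -format json | jq -r '.item.attributes.token')
export BOUNDARY_TOKEN

# Inspect the authenticated account (this reads the account, not the token)
boundary accounts read -id acctpw_XXXXX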

Scopes (Organizations and Projects)

# List orgs
# The o_... and p_... IDs in the output are needed by almost every other
# command on this page.
boundary scopes list -recursive

# Create an organization
# Orgs live directly under the "global" scope.
boundary scopes create \
  -scope-id global \
  -name "Engineering" \
  -description "Engineering department"

# Create a project within an org
# Projects hold targets, host catalogs and credential stores (see below);
# grant access per project rather than at org level where possible.
boundary scopes create \
  -scope-id o_XXXXX \
  -name "Production" \
  -description "Production infrastructure"

# List projects in an org
boundary scopes list -scope-id o_XXXXX

Targets

# List targets
boundary targets list -scope-id p_XXXXX

# Create a TCP target
# -session-max-seconds caps each session's lifetime (3600 = 1 hour).
# -session-connection-limit -1 removes the cap on connections per session;
# prefer a finite value where one session should map to one connection, which
# keeps the audit trail simpler.
boundary targets create tcp \
  -scope-id p_XXXXX \
  -name "Production Database" \
  -description "PostgreSQL production server" \
  -default-port 5432 \
  -session-max-seconds 3600 \
  -session-connection-limit -1

# Create an SSH target
boundary targets create ssh \
  -scope-id p_XXXXX \
  -name "Web Server" \
  -description "Production web server" \
  -default-port 22 \
  -session-max-seconds 7200

# Add host sets to target
boundary targets add-host-sources \
  -id ttcp_XXXXX \
  -host-source hsst_XXXXX

# Add credential sources (Vault integration)
# Brokered credentials are returned to the connecting user's client, so the
# user can see them. The credential injection mentioned in the Overview, which
# keeps credentials hidden from the user, is configured with a separate
# injected-credential flag (SSH targets) — not shown here.
boundary targets add-credential-sources \
  -id ttcp_XXXXX \
  -brokered-credential-source clvsclt_XXXXX

# Update target
boundary targets update tcp \
  -id ttcp_XXXXX \
  -name "Updated Target Name" \
  -default-port 5433

# Delete target
boundary targets delete -id ttcp_XXXXX

Host Catalogs and Hosts

# Create a static host catalog
boundary host-catalogs create static \
  -scope-id p_XXXXX \
  -name "Production Servers" \
  -description "Production infrastructure hosts"

# Add a host
# -address is what the worker dials; the worker, not the end user, needs a
# network route to it (see "Cannot connect to target" under Troubleshooting).
boundary hosts create static \
  -host-catalog-id hcst_XXXXX \
  -name "web-01" \
  -description "Web server 1" \
  -address "10.0.1.10"

# Create a host set
boundary host-sets create static \
  -host-catalog-id hcst_XXXXX \
  -name "Web Servers"

# Add hosts to a host set
boundary host-sets add-hosts \
  -id hsst_XXXXX \
  -host hst_XXXXX

# Dynamic host catalog (AWS)
# NOTE(review): the AWS credentials the plugin uses to enumerate instances are
# not shown here. Supply them per the plugin documentation; avoid putting
# long-lived access keys on the command line, where they end up in shell history.
boundary host-catalogs create plugin \
  -scope-id p_XXXXX \
  -plugin-name aws \
  -name "AWS Production" \
  -attr region=us-east-1

# List hosts
boundary hosts list -host-catalog-id hcst_XXXXX

Connecting to Targets

# Connect to a TCP target (creates a local proxy)
# The proxy listens on your machine; the connection to the real host is made
# by the worker, so the user never needs a route to the target itself.
boundary connect -target-id ttcp_XXXXX

# Connect on a fixed local port (omit -listen-port to have one chosen for you)
boundary connect -target-id ttcp_XXXXX -listen-port 5432

# Connect by target name
boundary connect -target-name "Production Database" -scope-id p_XXXXX

# SSH connect helper
# Arguments after "--" are passed through to the ssh client.
boundary connect ssh -target-id tssh_XXXXX -- -l ubuntu

# HTTP connect helper
boundary connect http -target-id ttcp_XXXXX -scheme https

# PostgreSQL connect helper
boundary connect postgres -target-id ttcp_XXXXX -dbname mydb

# RDP connect helper
boundary connect rdp -target-id ttcp_XXXXX

# Authorize a session (get connection details)
# NOTE(review): the output presumably carries the per-session authorization
# data a client needs to connect — handle it like a credential (do not paste
# it into tickets, chat or logs).
boundary targets authorize-session -id ttcp_XXXXX

Roles and Permissions

# Create a role
boundary roles create \
  -scope-id o_XXXXX \
  -name "Database Admins" \
  -description "DBA team access"

# Add grants to a role
# This grant allows exactly one action on one target — the least-privilege
# shape to start from.
boundary roles add-grants \
  -id r_XXXXX \
  -grant "ids=ttcp_XXXXX;actions=authorize-session"

# Add principals (users/groups) to a role
boundary roles add-principals \
  -id r_XXXXX \
  -principal u_XXXXX

# Common grant strings
# Read all targets: "ids=*;type=target;actions=list,read"
# Connect to specific target: "ids=ttcp_XXXXX;actions=authorize-session"
# Admin all: "ids=*;type=*;actions=*"
#   (full control over everything in the scope — reserve for administrator /
#   break-glass roles and review who holds it)

# List roles
boundary roles list -scope-id o_XXXXX

# Read role details
# Shows the role's grants and principals; useful when debugging
# "Permission denied" (see Troubleshooting).
boundary roles read -id r_XXXXX

Sessions

# List active sessions
boundary sessions list -scope-id p_XXXXX

# Read session details
boundary sessions read -id s_XXXXX

# Cancel a session
# Use this to cut a session during incident response; the session's proxied
# connections are terminated rather than left to time out.
boundary sessions cancel -id s_XXXXX

Credential Stores (Vault Integration)

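# Create a Vault credential store
# Keep the Vault token out of argv and shell history: load it into an
# environment variable from a file or secret manager and reference it.
# (The CLI resolves env:// and file:// references for this flag — confirm with
# `boundary credential-stores create vault -help` on your version.)
# Boundary needs a token that is renewable, periodic and orphan; restrict its
# policy to the paths Boundary reads (database/creds/readonly below) and
# nothing else, so a leaked token cannot mint other secrets.
boundary credential-stores create vault \
  -scope-id p_XXXXX \
  -name "Production Vault" \
  -vault-address "https://vault.example.com" \
  -vault-token env://BOUNDARY_VAULT_TOKEN

# Create a credential library
# Each session gets fresh credentials from this Vault path; their lifetime is
# governed by the Vault role behind it.
boundary credential-libraries create vault-generic \
  -credential-store-id csvlt_XXXXX \
  -name "DB Credentials" \
  -vault-path "database/creds/readonly" \
  -credential-type username_password

# Create a static credential store
boundary credential-stores create static \
  -scope-id p_XXXXX \
  -name "Static Credentials"

# Add static credentials
# Reference the password rather than typing it literally, for the same reason
# as above. Note this credential type is a username/password pair despite the
# example name; for key-based SSH use the ssh-private-key credential type with
# -private-key file://<path>.
boundary credentials create username-password \
  -credential-store-id csst_XXXXX \
  -name "SSH Key" \
  -username "ubuntu" \
  -password env://BOUNDARY_STATIC_PASSWORD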

Advanced Usage

Workers (Multi-Hop)

# worker.hcl
# Proxy listener: end-user `boundary connect` sessions are tunnelled through
# this port, so it must be reachable from clients (and ideally only from them).
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  # Address clients are told to dial; it must resolve and route to the proxy
  # listener above.
  public_addr = "worker.example.com"
  # NOTE(review): presumably holds the worker's own authentication state —
  # keep it persistent across restarts and readable only by the boundary user.
  auth_storage_path = "/boundary/worker"
  # Tags are what worker filters match on (e.g. the storage bucket's
  # -worker-filter under Session Recording); keep them accurate, since they
  # decide which workers handle which traffic.
  tags {
    region = ["us-east-1"]
    type   = ["production"]
  }
}
# NOTE(review): how this worker locates its controller (e.g. an
# initial_upstreams list) is not shown here — confirm against the deployment docs.
# Start a worker
# The same `boundary server` subcommand runs controllers and workers; the
# config file decides the role (compare controller.hcl under Configuration).
boundary server -config worker.hcl

Session Recording

# Create a storage bucket for recordings
# Recordings capture everything that crosses the session, including any
# secrets typed or displayed, so restrict the bucket: writes from the
# recording workers, reads for auditors only, and consider bucket-side
# retention/immutability so recordings cannot be quietly altered.
# -worker-filter limits recording to workers whose "type" tag is "production"
# (matches the tags in worker.hcl above).
boundary storage-buckets create \
  -scope-id global \
  -name "Session Recordings" \
  -plugin-name aws \
  -bucket-name my-boundary-recordings \
  -attr region=us-east-1 \
  -worker-filter '"production" in "/tags/type"'

# Enable recording on a target
# Recording is switched on per target and needs a bucket in scope.
boundary targets update ssh \
  -id tssh_XXXXX \
  -storage-bucket-id sb_XXXXX \
  -enable-session-recording true

Configuration

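# controller.hcl
listener "tcp" {
  address = "0.0.0.0:9200"
  purpose = "api"
  # Keep TLS on for the API listener: clients send their auth token on every call.
  tls_disable = false
  tls_cert_file = "/etc/boundary/tls/cert.pem"
  tls_key_file = "/etc/boundary/tls/key.pem"
}

listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
}

controller {
  name = "controller-01"
  database {
    # Read the connection string from the environment instead of embedding the
    # database password in a config file that is easily world-readable or
    # committed to version control. Boundary resolves env:// (and file://)
    # references for this value; the variable holds e.g.
    # postgresql://boundary:<password>@db:5432/boundary
    url = "env://BOUNDARY_POSTGRES_URL"
  }
}

# The "aead" KMS keeps the key material inside this file: whoever can read the
# file holds the key protecting Boundary's stored data and the key workers
# authenticate with. Use it for dev/test only; in production back each purpose
# with an external KMS (e.g. the "awskms" or "transit" types). The two
# purposes must not share the same key, as the identical placeholders below
# might suggest.
kms "aead" {
  purpose   = "root"
  aead_type = "aes-gcm"
  key       = "base64-encoded-32-byte-key"
  key_id    = "global_root"
}

# Workers that authenticate via KMS must be configured with this same
# worker-auth key (see "Worker not registering" under Troubleshooting).
kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "base64-encoded-32-byte-key"
  key_id    = "global_worker-auth"
}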
# Initialize the database
# NOTE(review): the init output presumably includes generated initial
# resources/credentials — capture it securely rather than leaving it in a
# terminal scrollback or CI log.
boundary database init -config controller.hcl

# Start the controller
boundary server -config controller.hcl

# Environment variables
# A token in the environment is inherited by every child process and shows up
# in `env` dumps and crash reports; never commit these lines to a dotfile in
# version control. NOTE(review): exporting the token is typically only needed
# for scripts — confirm for your workflow.
export BOUNDARY_ADDR="https://boundary.example.com"
export BOUNDARY_TOKEN="at_xxxx"
# Leave certificate verification on. Setting this to true disables TLS checks
# and belongs only in a throwaway lab, never in a shell profile.
export BOUNDARY_TLS_INSECURE=false

Troubleshooting

| Issue | Solution |
| --- | --- |
| Cannot connect to target | Verify worker is running and can reach the target host |
| Authentication failed | Check auth method ID and credentials; verify OIDC config |
| Permission denied | Review role grants; ensure principal is assigned to role |
| Session disconnects | Increase session-max-seconds on the target |
| Worker not registering | Check cluster listener; verify KMS keys match controller |
| Database init fails | Ensure PostgreSQL is accessible; check connection string |
| Vault credentials not working | Verify Vault token permissions and path configuration |
| TLS errors | Check certificate validity; ensure CA is trusted by clients |