Broker static credentials to your first target
A credential store is a Boundary resource used to store, retrieve, and sometimes generate credentials. Credential stores are scoped under projects and observe the principle of least privilege to limit access. Credential stores may contain credential libraries.
In this tutorial, you will create credentials of type username_password
and add them to a static credential store using Boundary. These concepts are foundational to learning about credential injection with HCP Boundary later on.
Prerequisites
- Access to an HCP Boundary instance.
- Boundary is installed.
- Completed the previous quick start tutorials.
- A publicly accessible Ubuntu instance.
- A ssh key-pair for authenticating to the Ubuntu instance.
Note
Ubuntu is used in this tutorial for demonstration purposes only. You can follow this guide to create a publicly accessible EC2 instance to use for this tutorial.
Lab setup
In the previous tutorial, the following Boundary resources were defined:
- A project
- A target of type TCP with an assigned address
The ubuntu
host was created with an address assigned directly to the target.
This allowed for boundary connect ssh
to run the connection through Boundary
with user-supplied SSH credentials.
Several environment variables were created to support the tutorial. These environment variables are used throughout the Getting Started series.
Check the environment variable values defined in the previous tutorial
for $UBUNTU_USER
, $UBUNTU_KEY
,$PROJECT_ID
, and $TARGET_ID
are available.
If any of these values are not defined, ensure that you have completed the Connect to Your First Target tutorial.
If these values were defined in an unavailable shell session, list the IDs for the resources and export them as environment variables.
For example, to find the TARGET_ID
:
Then, export the environment variable.
Repeat this process for the other undefined variables.
Note
The use of environment variables is not required to use HCP Boundary. Environment variables are used throughout the tutorial for ease of following along and copying the required commands.
Set up a new user on the target
In the previous tutorial, boundary connect ssh
was used with a
user-supplied private key to proxy an SSH session through Boundary.
To demonstrate credential brokering, you will first configure your Ubuntu instance with a new user.
Execute the
boundary connect ssh
command to log in the Ubuntu instance.Your system prompt will be replaced with a prompt similar to
ubuntu@ip-172-32-88-177:~
.Note
The prompt within this section is shown as
$
but the commands are intended to be executed within this interactive shell on the Ubuntu machine.While logged in, create a new user account.
Define a password of
passw0rd1234
for the newssh-user
.Verify the new user was defined correctly by checking the
/etc/passwd
file contents.Log out of the ubuntu machine using
exit
.On your host machine, export the
ssh-user
password as theSSH_USER_PASS
environment variable. This value will be passed to Boundary when creating the new credential.Note
If you used a unique password for the
ssh-user
, replacepassw0rd1234
in theSSH_USER_PASS
environment variable.
Create a static credential
Log into your HCP Boundary instance. Enter the password you created when deploying the HCP Boundary instance at the
Please enter the password (it will be hidden):
prompt.Create a new static credential store that will contain the new ssh-user login credentials.
Example output:
Copy the ID of the new static credential store and export it as the
CRED_STORE_ID
environment variable.Define a new
username_password
credential within the static credential store.Note
Passwords can only be passed to the
-password
option using theenv://
orfile://
syntax to prevent credentials from being logged within the terminal.Example output:
Notice that only the
Password HMAC
is returned upon creating the new credential.Export the credential ID as the
SSH_USER_CRED_ID
environment variable.
Attach the credential to a target
Now that the username_password
credential exists within Boundary, it can be added to the ubuntu-target
target.
Associate the credential with the target.
Example output:
With the new credential attached to the ubuntu-target as a Brokered Credential Source, the credentials will be displayed to the user when Boundary authorizes a session.
Connect and broker credentials
Connect to the target.
During the connection process, the brokered credentials are displayed to the client:
Note that
passw0rd1234
is the password supplied when setting up the ssh-user on the Ubuntu host, and defined when creating theusername_password
credential.With these brokered credentials, the user could log in as this user, or perform other tasks requiring these credentials:
This is a simple example of logging in as another system-level user, but other useful application credentials could also be provided to the client, such as credentials for a database running on the ubuntu host.
Log out of the ssh-user account and then the ubuntu host using
exit
.
Next steps
In this tutorial you learned how to broker static credentials when connecting to a host. Next, you will learn how to install the Boundary Desktop app and connect to a host.