Configure targets with credential injection

This feature requires HCP Boundary or Boundary Enterprise

The following section provides steps to configure your targets with credential injection. Credential injection provides end users with a passwordless experience when they connect to targets by automatically injecting credentials without exposing them to the user.

Credential injection is supported for:

SSH targets: Protocol-aware SSH connections
RDP targets: Protocol-aware RDP connections (BETA)
Beta feature
Beta functionality is stable, but possibly incomplete and subject to change. We strongly discourage using beta features in production deployments of Boundary.

Requirements

This feature requires either HCP Boundary or Boundary Enterprise
You must have an existing target available that supports credential injection:
- RDP targets: Must be configured with at least one injected application credential
- SSH targets: Must be configured with at least one injected application credential
- TCP targets: Do not support credential injection
You must have configured either a static credential store or a Vault credential store:
- To configure a static credential store, refer to Create static credential stores.
- To configure a Vault credential store and credential library, refer to Create Vault credential stores.
You must have a static credential saved in your static credential store or Vault credential store. The credential must correspond to the target to which you want to authenticate.
For RDP targets: Network Level Authentication (NLA) is supported. Kerberos and NTLMv2 authentication methods are supported for domain-joined workers. NTLMv2 is supported for non-domain-joined workers.
For SSH targets: Keyboard-interactive authentication is not supported. When you use username-password credentials, ensure that your SSH server is configured to allow password authentication.

Configuration

Complete the following steps to configure targets with credential injection:

Log in to Boundary.
Select Orgs on the navigation pane.
Select your desired org.
Select the project where your target resides.
Click Targets on the navigation pane.
Click on your target you want to configure for credential injection.
Click on the Injected Application Credential tab.
Click Managed and select Add Injected Application Credential in the pull down menu.
Do one of the following:
- If you are using a static credential store: Select the credential that corresponds to your target and click Add Injected Application Credential.
- If you are using a Vault credential store: Select the credential library that corresponds to your target and click Add Injected Application Credential.

Log into Boundary.

$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):

Add credential injection to target.

$ boundary targets add-credential-sources \
  -id trdp_vO60a7TwpI \
  -injected-application-credential-source csvlt_Xqa6V6QwfM

Tip

If you are using a static credential store, brokered-credential-source refers to the ID of a credential in the static credential store.

If you are using a Vault credential store, brokered-credential-source refers to the ID of a credential library in the Vault credential store.

More information

Refer to the following topics for more information: