Connect to your first target
The Quick setup wizard is the fastest way to onboard a target to HCP Boundary.
The Quick setup wizard creates a default
tcp target with the port
22 (the default SSH port using TCP).
The target is created with the address
When you execute
boundary connect against this target, Boundary establishes a local, authenticated proxy to the address on the target's default port (
To connect to the initial EC2 Instances target:
Copy the EC2 Instances target ID (such as
Open a terminal session. Export the Boundary Cluster URL as an environment variable.
$ export BOUNDARY_ADDR=<boundary-cluster-url>
Connect to the target.
$ boundary connect -target-id ttcp_eTcZMueUYv
The output displays the address and port that your SSH client must use. In the next section the
sshconnect helper is used to make it easier to connect to the target with a client.
boundary connect command has a number of notable options, such as
-listen-port to choose the port on which the connect command will listen for
an incoming connection. This is convenient for allowing Boundary to work with
applications that allow you to select the connection address, but not the port.
For many applications there are still some extra hurdles that can exist, which
is why connect helpers can be useful.
The dev-mode default target allows you to make as many connections as you want
within the authorized session. When you are finished making connections, simply
boundary connect process to shut down the session.
boundary connect you must identify the target used for connecting.
Convention in this documentation is to use the target ID because it refers to a
single explicit value, however other flags are supported:
target-name: The name of the target
target-scope-id: The ID of the scope in which the target lives
target-scope-name: The name of the scope in which the target lives
Note however that these are not uniquely identifying, as names can be reused across scopes. As a result, when not using the target ID, you must use the target's name in conjunction with the scope name or scope ID so that Boundary can correctly identify the desired target.
Here is an SSH example in dev-mode:
$ boundary connect ssh -target-name "Generated target" -target-scope-name "Generated project scope"
Boundary includes connect helpers that automatically accept host SSH key prompts
These are written as
boundary connect <subcommand> and are supported for the following connection types:
Refer to the Connect helpers documentation for more information.
In addition to the built-in connect helpers,
can accommodate executing clients even when there is no built-in support
for a specific client using
-exec flag is a very powerful
tool, allowing you to wrap Boundary TCP sessions in your preferred
client. You can use this flag to create an authenticated proxy to almost
Refer to the Exec flag documentation for more information.
ProxyCommand lets you proxy an SSH connection to a target according to a configuration file that you create.
It can help simplify common developer and operator workflows.
You can configure the file to connect to the target ID or the target domain.
Refer to the SSH ProxyCommand documentation for more information.
While using the desktop client, choose the target and connect to retrieve local proxy details.
Refer to the Connect to your First Target tutorial for steps on how to create a host catalog, host set, and a target in Boundary.
Refer to our basic administration workflows tutorial series for in depth discussions on managing scopes, targets, identities, and sessions.