Boundary 0.19.0 release notes
GA date: February 10, 2025
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes, refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
Important changes
Change | Description |
---|---|
Role creation | In a future version Boundary will no longer automatically create roles when new scopes are created. This was implemented prior to multi-scope grants to ensure administrators and users had default permissions in new scopes. Since Boundary 0.15, initial roles created for new clusters provide these permissions by default to all scopes using multi-scope grants. |
Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget, which you can alternatively use to check the health endpoint for a worker. If your workflow depends on having curl in the image, you can dynamically install it using apk. Learn more: Known issues and breaking changes |
Go version 1.23 TLS handshake behavior changes | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x and later controllers, workers, or clients being unable to establish connections. As a workaround, you can revert back to the previous TLS handshake behavior. Learn more: Known issues and breaking changes |
Error when sending requests to aliases using HCP Boundary | A known issue that was caused by the way default grants were previously configured in HCP Boundary could cause you to receive 500 errors when you attempted to list resolvable aliases. The issue has been resolved. Any clusters that you created on or after April 26, 2025 should not have the issue. You can add grants to resolve the error for any older clusters that exhibit this behavior. Learn more: Known issues and breaking changes |
Boundary client version number realignment | Previously, the Boundary Client Agent and installer used a numbering scheme that was inconsistent with Boundary's release numbers. This inconsistency could make it difficult to understand version support and compatibility. On May 27, 2025 new versions of the Boundary Client Agent and installer were released with a new numbering scheme that more closely follows Boundary's release numbers. Those versions were released as 0.19.5 to match the major Boundary version 0.19.x. Going forward, the Client Agent and installer will use the same major number as the current Boundary release. Any patches or updates will be reflected in the minor number. Learn more about control plane and client compatibility: Boundary Enterprise supported versions policy |
New features
Feature | Update | Description |
---|---|---|
Dynamic host catalogs for GCP | GA | Boundary now supports dynamic host catalogs for GCP. When you configure dynamic host catalogs, Boundary securely queries infrastructure providers at runtime to discover and configure new services. You can define rules for whether you want Boundary to automatically add any discovered hosts as members of the host set. Learn more: Host discovery and GCP dynamic hosts. |
Worker filter generator | GA | A new filter generator was added to the Admin Console UI, allowing you to more easily create worker filters for targets, credential stores, and storage buckets. Learn more: Worker tags. |
Vault brokered credentials format change | GA | Previously, when you brokered credentials from a Vault credential store, the credentials displayed in raw JSON and could contain special characters. It was difficult to consume the credentials in this format. Credentials are now displayed in a format that is easier to cut and paste. Learn more: Create a Vault credential store. |
Azure Virtual Machine Scale Set support for dynamic host catalogs | GA in version 0.19.1 | The Azure plugin now supports Azure Virtual Machine Scale Sets in both Flexible and Uniform orchestration modes for dynamic host catalogs. It automatically discovers any individual virtual machine instances that are part of the scale sets and adds them as hosts. Learn more: Azure dynamic host catalogs. |
Transparent sessions | GA in version 0.19.2 | The transparent sessions feature is now generally available to HCP Boundary and Boundary Enterprise users. Transparent sessions allow users to eliminate steps in their current workflows using Boundary’s Client Agent, a component that operates in the background to intercept network traffic and automatically route this traffic through a session if the user is authenticated and authorized. Platform teams and access management teams that administer Boundary can now build much faster, simpler secure remote access workflows that feel more intuitive and invisible to their developer customers. Learn more: Transparent sessions and Client Agent. |
Known issues and breaking changes
Version | Issue | Description |
---|---|---|
0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
0.17.1+ | Docker image no longer contains curl | As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget. You can use wget to check the health endpoint for workers. Learn more: Check the health endpoint using wget. If your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl: <CONTAINER-ID> apk add curl or kubectl exec -ti <NAME> -- apk add curl |
0.18.x+ | Boundary version 0.18.x and later CLI is unable to establish connections using the boundary connect command | Boundary version 0.18.x uses Go version 1.23, which introduced a new TLS handshake behavior. Some VPN providers struggle with the TLS handshake being sent over 2 frames instead of 1, which can lead to Boundary version 0.18.x and later controllers, workers, or clients being unable to establish connections. As a workaround, you can revert to the previous TLS handshake behavior by adding the tlskyber=0 parameter to the GODEBUG environment variable before the boundary connect command. For example: GODEBUG=tlskyber=0 boundary connect ssh -target-id <ID> Learn more: Go issue #70047 and Go 1.23 Release Notes |
0.19.0 (Fixed in 0.19.1) | Soft-deleted users are not properly authenticated | Version 0.19.0 introduced a soft delete for when a cached user's auth tokens are deleted, but there is a valid refresh token that is less than 20 days old. Boundary considers those users deleted, but it keeps their user information in the cache so that it can restore the information if they log in again. However, soft-deleted users were not being properly restored when they logged back in, and this affected search capabilities. This issue is resolved in version 0.19.1. Soft-deleted users are now properly restored as active when they log in again if the refresh token is less than 20 days old. Upgrade to the latest version of Boundary |
0.17.0 - 0.19.0 (Fixed in 0.19.2) | Canceled SSH connections cause performance issues | When an SSH connection was canceled, it could cause a spike in CPU usage. In some cases, egress workers became unresponsive, leading to performance issues. The issue occurred when the connection context was canceled at specific times in the process, creating a busy loop that prevented workers from completing tasks. This issue is resolved in version 0.19.2. Workers no longer enter a busy loop when SSH connections are canceled. Upgrade to the latest version of Boundary |
0.19.0 (Fixed in 0.19.2) | Unable to change key type for Vault SSH certificate credential library using the UI | When you attempted to change the key type for a Vault SSH certificate credential library using the UI, the update failed. This issue is resolved in version 0.19.2. You can now change the key type using the UI. Upgrade to the latest version of Boundary |
0.19.0 (Fixed in 0.19.2) | CVE-2025-22873 | The version of Go that was used in Boundary release 0.19.x contained a security vulnerability. Although this vulnerability did not affect Boundary, release 0.19.2 was updated to use a new version of Go. Learn more: CVE-2025-22873 Upgrade to the latest version of Boundary |
0.19.0 (Fixed in 0.19.2) | 500 error when attempting to list resolvable aliases | In HCP Boundary, you may receive a 500 error when you attempt to list resolvable aliases. This is a known issue that is caused by the way default grants were previously configured in HCP Boundary. The issue has been resolved, and any clusters that were created on or after April 26, 2025 should not have the issue. For any clusters created before April 26, 2025, you can add grants to resolve the error: |
0.18.0 - 0.19.0 (Fixed in Boundary installer version 0.19.5) | Windows shortcuts are mandatory | Previously, the Boundary installer for Windows always required you to install Desktop and Start menu shortcuts. This issue has been resolved, and you can now choose whether to install the shortcuts. Learn more: Transparent sessions Upgrade to the latest version of Boundary |
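
The phased rotation recommended for the 0.13.0+ storage bucket issue above can be gated with a check like the following. This is an added example, not HashiCorp's code: it finds sessions that were established before the rotation and have not finished, since those still use the old credentials. The JSON field names (`items`, `id`, `status`, `created_time`), the `terminated` status value, and the sample data are assumptions modeled on session list output.

```python
import json
from datetime import datetime

# Constructed sample, shaped like a JSON session listing.
# Field names and status values are assumptions for this example.
SAMPLE = json.loads("""
{"items": [
  {"id": "s_constructed01", "status": "active",     "created_time": "2025-02-10T08:15:00Z"},
  {"id": "s_constructed02", "status": "terminated", "created_time": "2025-02-10T08:40:00Z"},
  {"id": "s_constructed03", "status": "active",     "created_time": "2025-02-10T10:05:00Z"},
  {"id": "s_constructed04", "status": "canceling",  "created_time": "2025-02-10T08:55:00Z"}
]}
""")


def _ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2025-02-10T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sessions_on_old_credentials(listing, rotated_at):
    """Return IDs of unfinished sessions established before the rotation.

    Sessions created before the storage bucket secrets were rotated keep
    using the old credentials until they end, so each one blocks revocation.
    """
    cutoff = _ts(rotated_at)
    blocking = []
    for session in listing.get("items") or []:
        if session["status"] == "terminated":
            continue  # finished: its recording no longer needs the old key
        if _ts(session["created_time"]) < cutoff:
            blocking.append(session["id"])
    return sorted(blocking)


def safe_to_revoke(listing, rotated_at):
    """True only when no pre-rotation session is still running."""
    return not sessions_on_old_credentials(listing, rotated_at)


if __name__ == "__main__":
    rotated = "2025-02-10T09:00:00Z"  # constructed rotation time
    print("blocking:", sessions_on_old_credentials(SAMPLE, rotated))
    print("safe to revoke old key:", safe_to_revoke(SAMPLE, rotated))
```

Revoke the stale credentials only after the blocking list is empty; a session in a non-terminated state such as `canceling` is treated as still running.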