Boundary
Deploy an HCP Boundary Instance
HCP Boundary is a fully-managed cloud-based workflow. It enables secure access to remote hosts and critical systems across cloud service catalogs, on-premises infrastructure, and Kubernetes clusters without needing to manage any of the underlying systems or operations.
To deploy an HCP Boundary instance:
Navigate to HashiCorp Cloud Platform and log in using your credentials.
Click the Boundary (Beta) tab, and then click Deploy Boundary on the right-hand pane.
Fill out the following form details:
- Instance Name
- Administrator Username
- Administrator Password
Store the administrator username and password in a safe location. These credentials will be used when authenticating using the Admin Console, CLI, or Terraform.
Click Deploy after completing the form. It may take a few minutes to initialize the HCP Boundary instance.
Log in to HCP Boundary
Once the deployment is complete, the HCP Boundary instance can be accessed directly from the HCP Boundary portal using the credentials created during setup.
From the HCP Boundary portal page, click the Open Admin UI button.
Enter the admin username and password you created when you deployed the new instance, and click Authenticate.
The Welcome to Boundary setup wizard will launch automatically.
There are two options for Boundary’s initial setup:
- Quick setup
- Manual
The Quick setup is recommended for new users, and generates a set of initial resources to assist in connecting to your first target.
The Manual setup drops the user directly into Boundary, without any provisioned resources.
Upon completion of the setup wizard, you will be logged into your HCP Boundary instance's Global scope via the web UI. This is the default scope for all new Boundary clusters.
Click Auth Methods.
Click the copy icon for the Password Auth Method ID. The ID is needed to authenticate to HCP Boundary using the CLI.
In the HCP Boundary portal, open the Boundary Overview page, and click the copy icon in the Copy this into Boundary Desktop section. This copies your environment’s Boundary Origin URL.
Open a terminal session and set the BOUNDARY_ADDR environment variable to the copied origin URL.
$ export BOUNDARY_ADDR=<boundary-origin-url>
Log in with the administrator credentials you created when you deployed the HCP Boundary instance.
$ boundary authenticate password \
    -auth-method-id=COPIED_AUTH_ID \
    -login-name=ADMIN_USERNAME
You are now logged into your HCP Boundary instance's Global scope via the CLI. This is the default scope for all new Boundary clusters.
If you are on Windows or macOS, the system password store will be used to store the new token. On any other operating system, you may get an error indicating that the token could not be stored. Boundary defaults to using pass on these machines, which uses GNU Privacy Guard to encrypt values. If it is not available, the token will be displayed and can be stored in a system of your choice and passed in via the BOUNDARY_TOKEN environment variable.
It is recommended to make use of pass or another alternative (such as any implementation of the freedesktop.org Secret Service feature). Installation and configuration of pass or other alternatives is beyond the scope of this article; consult the documentation for pass or your specific OS distribution help pages.
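The following is an added example, not part of the original article or of Boundary itself: a preflight check for the token storage rules described above, plus a helper for the fallback case that loads a displayed token into BOUNDARY_TOKEN without typing it on a command line. The function names token_store and load_token are hypothetical, and looking for pass and gpg on PATH is an assumed heuristic rather than the CLI's own detection logic.

```shell
#!/bin/sh
# Added example (not from the Boundary docs). Function names are hypothetical.

# token_store [OS_NAME]: print where the CLI token is expected to end up,
# following the rules described above: "system", "pass", or "env".
# Assumption: finding pass and gpg on PATH is used as a heuristic for
# "pass is available"; it does not check that a password store is initialized.
token_store() {
  case "${1:-$(uname -s)}" in
    Darwin|MINGW*|MSYS*|CYGWIN*|Windows*)
      echo system ;;                       # macOS / Windows password store
    *)
      if command -v pass >/dev/null 2>&1 &&
         { command -v gpg >/dev/null 2>&1 || command -v gpg2 >/dev/null 2>&1; }
      then
        echo pass
      else
        echo env                           # token is displayed; use BOUNDARY_TOKEN
      fi ;;
  esac
}

# load_token: read a displayed token from stdin and export it as
# BOUNDARY_TOKEN. Reading it (instead of typing `export BOUNDARY_TOKEN=...`)
# keeps the value out of shell history; echo is disabled on a terminal.
load_token() {
  if [ -t 0 ]; then
    saved_tty=$(stty -g)
    stty -echo
    printf 'Boundary token: ' >&2
  fi
  IFS= read -r BOUNDARY_TOKEN || BOUNDARY_TOKEN=
  if [ -t 0 ]; then
    stty "$saved_tty"
    echo >&2
  fi
  if [ -z "$BOUNDARY_TOKEN" ]; then
    echo "no token read" >&2
    return 1
  fi
  export BOUNDARY_TOKEN
}
```

Source the file and run token_store before authenticating; if it prints env, run load_token and paste the token that the CLI displayed.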
Tutorial
- Refer to the Create a Boundary Instance on HCP tutorial to learn how to deploy a Boundary instance.
- Refer to the Install Boundary Desktop tutorial to learn how to use the Boundary desktop to connect to a running HCP Boundary instance.
Next Steps
See connecting to your first target for how to use HCP Boundary to run your first SSH session.