»Deploy an HCP Boundary Instance
HCP Boundary is a fully-managed cloud-based workflow. It enables secure access to remote hosts and critical systems across cloud service catalogs, on-premises infrastructure, and Kubernetes clusters without needing to manage any of the underlying systems or operations.
To deploy an HCP Boundary instance:
Navigate to HashiCorp Cloud Platform and login using your credentials.
Click the Boundary (Beta) tab, and then and click Deploy Boundary on the right-hand pane.
Fill out the following form details:
- Instance Name
- Administrator Username
- Administrator Password
Store the administrator username and password in a safe location. These credentials will be used when authenticating using the Admin Console, CLI, or Terraform.
Click Deploy after completing the form. It may take a few minutes to initialize the HCP Boundary instance.
Once the deployment is complete, the HCP Boundary instance can be accessed directly from the HCP Boundary portal using the credentials created during setup.
From the HCP Boundary portal page, click the Open Admin UI button.
Enter the admin username and password you created when you deployed the new instance, and click Authenticate.
The Welcome to Boundary setup wizard will launch automatically.
There are two options for Boundary’s initial setup:
- Quick setup
The Quick setup is recommended for new users, and generates a set of initial resources to assist in connecting to your first target.
The Manual setup drops the user directly into Boundary, without any provisioned resources.
Upon completion of the setup wizard, you will be logged into your HCP Boundary instance's Global scope via the web UI. This is the default scope for all new Boundary clusters.
Click Auth Methods.
Click the copy icon for the Password Auth Method ID. The ID is needed to authenticate to HCP Boundary using the CLI.
In the HCP Boundary portal, open the Boundary Overview page, and click the copy icon in the Copy this into Boundary Desktop section. This copies your environment’s Boundary Origin URL.
Open a terminal session and set the
BOUNDARY_ADDRenvironment variable to the copied origin URL.
$ export BOUNDARY_ADDR=<boundary-origin-url>
- Log in with the administrator credentials you created when you deployed the HCP Boundary instance.
$ boundary authenticate password \ -auth-method-id=COPIED_AUTH_ID \ -login-name=ADMIN_USERNAME
You are now logged into your HCP Boundary instance's Global scope via the CLI. This is the default scope for all new Boundary clusters.
If you are on Windows or macOS, the system password store will be used to store
the new token. On any other operating system, you may get an error indicating
that the token could not be stored. Boundary defaults to using
pass on these machines, which uses GNU
Privacy Guard to encrypt values. If it is not available,
the token will be displayed and can be stored in a system of your choice and
passed in via the
BOUNDARY_TOKEN environment variable.
It is recommended to make use of
pass or another alternative (such as any
implementation of the freedesktop.org Secret Service feature). Installation and
pass or other alternatives is beyond the scope of this
article; consult the documentation for
pass or your specific OS distribution
- Refer to the Create a Boundary Instance on HCP tutorial to learn how to deploy a Boundary instance.
- Refer to the Install Boundary Desktop tutorial to learn how to use the Boundary desktop to connect to a running HCP Boundary instance.
See connecting to your first target for how to use HCP Boundary to run your first SSH session.