Boundary
connect ssh
Command: boundary connect ssh
The connect ssh command authorizes a session against a target and invokes an SSH client for the connection.
The command fills in the local address and port.
You can specify your SSH client of choice using the -style option.
You also have access to some templated values that are substituted into the command arguments, and these values are additionally injected as environment variables in the executed command:
- {{boundary.ip}} (BOUNDARY_PROXIED_IP): The IP address of the listening socket that boundary connect has opened.
- {{boundary.port}} (BOUNDARY_PROXIED_PORT): The port of the listening socket that boundary connect has opened.
- {{boundary.addr}} (BOUNDARY_PROXIED_ADDR): The host:port format of the address. This is essentially equivalent to {{boundary.ip}}:{{boundary.port}}.
The SSH helper command sets the host key Alias.
When an Alias is set, SSH does not use localhost:<port> for host key validation, but instead uses one of the following:
- For connections to a target that has an attached host set, the SSH helper command sets the HostID as the alias.
- For connections directly to a host, the SSH helper command sets the HostID as the alias.
- For connections to a target that has an address field configured, the SSH helper command sets the TargetID as the alias.
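As an added illustration (not part of the Boundary documentation), the wrapper below shows how a script launched through -exec could consume the injected BOUNDARY_PROXIED_* variables and validate the host key against an ID rather than localhost:<port>, as described above. ALIAS_ID, the --connect argument, the bracketed IPv6 form and the StrictHostKeyChecking setting are assumptions of this example; HostKeyAlias is the standard OpenSSH option.

```shell
#!/bin/sh
# Added example, not Boundary's own code. Hypothetical use:
#   ALIAS_ID=<host or target ID> boundary connect -target-id <id> -exec ./wrapper.sh -- --connect

# Check that the injected variables are well formed and agree with each other.
check_proxy_env() {
  ip=${BOUNDARY_PROXIED_IP:-} port=${BOUNDARY_PROXIED_PORT:-}
  case "$ip" in
    ''|*[!0-9A-Fa-f.:]*) echo "bad BOUNDARY_PROXIED_IP" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "bad BOUNDARY_PROXIED_PORT" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
  # Assumption: an IPv6 listener is reported in the bracketed [ip]:port form.
  case "${BOUNDARY_PROXIED_ADDR:-}" in
    "$ip:$port"|"[$ip]:$port") return 0 ;;
  esac
  echo "BOUNDARY_PROXIED_ADDR does not match ip:port" >&2
  return 1
}

# Print the ssh arguments, one per line. The host key is looked up under
# ALIAS_ID (hypothetical variable holding the host or target ID), so the
# ephemeral local port never becomes part of the known_hosts entry.
ssh_args() {
  check_proxy_env || return 1
  case "${ALIAS_ID:-}" in
    ''|*[!A-Za-z0-9_]*) echo "ALIAS_ID must be a host or target ID" >&2; return 1 ;;
  esac
  # StrictHostKeyChecking=yes is this example's choice, not a Boundary default.
  printf '%s\n' -p "$BOUNDARY_PROXIED_PORT" \
    -o "HostKeyAlias=$ALIAS_ID" -o StrictHostKeyChecking=yes \
    "$BOUNDARY_PROXIED_IP"
}

if [ "${1:-}" = "--connect" ]; then
  args=$(ssh_args) || exit 1
  # Every value was validated above to contain no whitespace or glob characters,
  # so splitting the argument list on newlines is safe.
  set -f
  IFS='
'
  exec ssh $args
fi
```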
Examples
The following example authorizes a session to a target with the ID ttcp_eTcZMueUYv and invokes the default SSH client without any additional options:
$ boundary connect ssh -target-id ttcp_eTcZMueUYv
The following example authorizes a session to a target with the ID ttcp_eTcZMueUYv, and pipes arguments directly to the invoked SSH binary.
Any SSH arguments after the double hyphen are sent directly to the binary:
$ boundary connect ssh -target-id ttcp_eTcZMueUYv -- -A
$ boundary connect ssh -target-scope-name Helpdesk -target-name ubuntu-server -- -A
$ boundary connect ssh -target-id=ttcp_Gymo7Vcq7Y \
-host-id=hst_FrdNPd9Zm9 -- -l ubuntu -i private_key.pem
Usage
$ boundary connect ssh [options] [args]
This command performs a target authorization or consumes an existing authorization token, and launches a proxied SSH connection.
Connect command options:
- -authz-token (string: "") - The authorization string returned from the Boundary controller via an authorize-session action against a target. This option is only required if you don't set a -target-id. If you set the value to -, the command attempts to read in the authorization string from standard input. You can also specify the authorization string using the BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable.
- -exec (string: "") - If set, specifies that the given binary should be executed after connecting to the worker. This value should be a binary on your path or an absolute path. If all command flags are followed by -- (space, two hyphens, space), then any arguments after that are sent directly to the binary. You can also specify a binary using the BOUNDARY_CONNECT_EXEC environment variable.
- -host-id (string: "") - The ID of a specific host to connect to out of the target's host sets. If you do not indicate a specific host, Boundary chooses one at random.
- -target-id (string: "") - The ID of the target to authorize against. You cannot use this option with -authz-token.
- -target-name (string: "") - The target name, if you authorize the session using scope parameters and target name.
- -target-scope-id (string: "") - The target scope ID, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-name. You can also specify the target scope ID using the BOUNDARY_CONNECT_TARGET_SCOPE_ID environment variable.
- -target-scope-name (string: "") - The target scope name, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-id. You can also specify the target scope name using the BOUNDARY_CONNECT_TARGET_SCOPE_NAME environment variable.
SSH options:
- -style (string: "") - How the CLI attempts to invoke an SSH client. This value also sets a suitable default for -exec, if you did not specify a value. Currently understood values are ssh and putty. The default is ssh. You can also specify how the CLI attempts to invoke the SSH client using the BOUNDARY_CONNECT_SSH_STYLE environment variable.
- -username (string: "") - The username you want to pass through to the client. You can also specify a username using the BOUNDARY_CONNECT_USERNAME environment variable.