Boundary
connect
Command: boundary connect
Every command that results in an API call contains a set of flags that control connection options, which include TLS and other settings.
Boundary provides connect helpers that can facilitate access to certain protocols like HTTP, RDP, and SSH.
One example is the Boundary helper for SSH that automatically accepts host SSH key prompts for you.
You run these connect helpers using the command boundary connect <subcommand>
.
You can run boundary connect -h
to see the available helpers, options, and arguments.
Examples
The following example connects to a target ttcP_INY0BCD2VF
and shows the use of the
-listen-addr
and
-listen-port
flags
to specify the listening address and port used that Boundary will attempt to use
for every connection. This example uses the address 127.0.0.1
and
the port 8872
:
$ boundary connect ssh \
-listen-addr=127.0.0.1 \
-listen-port=8872
-target_id=ttcp_INY0BCD2VF
Usage
Usage: boundary connect <subcommand> [options] [args]
# ...
Subcommands:
http Authorize a session against a target and invoke an HTTP client to connect
kube Authorize a session against a target and invoke a Kubernetes client to connect
postgres Authorize a session against a target and invoke a Postgres client to connect
rdp Authorize a session against a target and invoke an RDP client to connect
ssh Authorize a session against a target and invoke an SSH client to connect
For more information, examples, and usage, click on the name of the subcommand in the sidebar or one of the links below:
Command options
-addr
(string: "")
- The address of the Boundary controller as a complete URL, for example https://boundary.example.com:9200. Instead of passing the-addr
argument with every command, you can configure the BOUNDARY_ADDR environment variable. In both cases, the value denotes the address of the Boundary environment you want to send CLI commands to.-ca-cert
(string: "")
- The path on the local disk to a single PEM-encoded CA certificate that should be used to verify the controller or worker server's SSL certificate. This value takes precedence over-ca-path
. You can also specify the path using the BOUNDARY_CACERT environment variable.-ca-path
(string: "")
- The path on the local disk to a directory of PEM-encoded CA certificates that should be used to verify the controller's SSL certificate. You can also specify the path using the BOUNDARY_CAPATH environment variable.-client-cert
(string: "")
- The path on the local disk to a single PEM-encoded CA certificate that should be used for TLS authentication to the Boundary controller. If you configure this flag, the-client-key
value is also required. You can also specify the path using the BOUNDARY_CLIENT_CERT environment variable.-client-key
(string: "")
- The path on the local disk to a single PEM-encoded private key that matches the client certificate you referenced with-client-cert
. You can also specify the path using the BOUNDARY_CLIENT_KEY environment variable.-listen-addr
(string: "")
- If set, the CLI attempts to bind its listening address to the given value, which must be an IP address. If it cannot bind the listening address, the command produces an error. If you do not set this value, Boundary defaults to the most common IPv4 loopback address, 127.0.0.1. You can also specify a listening address using the BOUNDARY_CONNECT_LISTEN_ADDR environment variable.-listen-port
(string: "")
- If set, the CLI attempts to bind its listening port to the given value. If it cannot bind the listening port, the command produces error. You can also specify a listening address using the BOUNDARY_CONNECT_LISTEN_PORT environment variable.-tls-insecure
- If set, this option disables verification of TLS certificates. We highly discourage using this option as it decreases the security of data transmissions to and from the Boundary server. The default value isfalse
. You can also disable TLS certificate validation using the BOUNDARY_TLS_INSECURE environment variable.-tls-server-name
(string: "")
- A name to use as the SNI host when you connect to the Boundary server using TLS. You can also specify the SNI host using the BOUNDARY_TLS_SERVER_NAME environment variable.
Connect command options:
-authz-token
(string: "")
- The authorization string returned from the Boundary controller via anauthorize-session
action against a target. This option is only required if you don't set a-target-id
. If you set the value to-
, the command attempts to read in the authorization string from standard input. You can also specify the authorization string using the BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable.-exec
(string: "")
- If set, specifies that the given binary should be executed after connecting to the worker, if set. This value should be a binary on your path or an absolute path. If all command flags are followed by--
(space, two hyphens, space), then any arguments after that are sent directly to the binary. You can also specify a binary using the BOUNDARY_CONNECT_EXEC environment variable.-host-id
(string: "")
- The ID of a specific host to connect to out of the target's host sets. If you do not indicate a specific host, Boundary chooses one at random.-target-id
(string: "")
- The ID of the target to authorize against. You cannot use this option with-authz-token
.-target-name
(string: "")
- The target name, if you authorize the session using scope parameters and target name.-target-scope-id
(string: "")
- The target scope ID, if you authorize the session using scope parameters and target name. This value is mutually exclusive with-scope-name
. You can also specify the target scope ID using the BOUNDARY_CONNECT_TARGET_SCOPE_ID environment variable.-target-scope-name
(string: "")
- The target scope name, if you authorize the session using scope parameters and target name. This value is mutually exclusive with-scope-id
. You can also specify the target scope name using the BOUNDARY_CONNECT_TARGET_SCOPE_NAME environment variable.