HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Boundary
Boundary Home

You are viewing documentation for version v0.20.x. View latest version.

connect mongo

Command: boundary connect mongo

The connect mongo command authorizes a session against a target and invokes a MongoDB client for the connection.

You also have access to some templated values that are substituted into the command arguments, and these values are additionally injected as environment variables in the executed command:

  • {{boundary.ip}} (BOUNDARY_PROXIED_IP): The IP address of the listening socket that boundary connect has opened.
  • {{boundary.port}} (BOUNDARY_PROXIED_PORT): The port of the listening socket that boundary connect has opened.
  • {{boundary.addr}} (BOUNDARY_PROXIED_ADDR): The host:port format of the address. This is essentially equivalent to {{boundary.ip}}:{{boundary.port}}.

Example

The following example authorizes a session to a target with the ID ttcp_1234567890:

$ boundary connect mongo -target-id ttcp_1234567890

Usage

$ boundary connect mongo [options] [args]

This command performs a target authorization or consumes an existing authorization token, and launches a proxied MongoDB connection using mongosh.

Connect command options:

  • -authz-token (string: "") - The authorization string returned from the Boundary controller via an authorize-session action against a target. This option is only required if you don't set a -target-id. If you set the value to -, the command attempts to read in the authorization string from standard input. You can also specify the authorization string using the BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable.

  • -exec (string: "") - If set, specifies that the given binary should be executed after connecting to the worker, if set. This value should be a binary on your path or an absolute path. If all command flags are followed by -- (space, two hyphens, space), then any arguments after that are sent directly to the binary. You can also specify a binary using the BOUNDARY_CONNECT_EXEC environment variable.

  • -host-id (string: "") - The ID of a specific host to connect to out of the target's host sets. If you do not indicate a specific host, Boundary chooses one at random.

  • -inactive-timeout=<duration> - The amount of time in seconds that can pass between connections before Boundary closes any unused sessions. You can increase this value if the proxy closes during long-running processes. Use -1 to disable the timeout altogether. If you do not specify a timeout value, Boundary uses a default value based on the subcommand:

    • -connect without a subcommand = 30 seconds
    • -rdp = 5 seconds
    • -ssh = 1 second
    • All other protocols = 3 seconds

  • -target-id (string: "") - The ID of the target to authorize against. You cannot use this option with -authz-token.

  • -target-name (string: "") - The target name, if you authorize the session using scope parameters and target name.

  • -target-scope-id (string: "") - The target scope ID, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-name. You can also specify the target scope ID using the BOUNDARY_CONNECT_TARGET_SCOPE_ID environment variable.

  • -target-scope-name (string: "") - The target scope name, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-id. You can also specify the target scope name using the BOUNDARY_CONNECT_TARGET_SCOPE_NAME environment variable.

MongoDB options:

  • -authentication-database (string: "") - Specifies the authentication database for MongoDB. If you omit this value, mongosh defaults authSource to the dbname. If there is no specified dbname, it defaults to admin. You can also specify the authentication database using the BOUNDARY_CONNECT_MONGO_AUTHENTICATION_DATABASE environment variable.
  • -dbname (string: "") - Specifies the database name to pass through to the client. You can also specify the database name using the BOUNDARY_CONNECT_DBNAME environment variable.
  • -style (string: "") - Specifies how the CLI attempts to invoke a MongoDB client. Currently, only mongosh is supported. You can also specify how the CLI attempts to invoke a MongoDB client using the BOUNDARY_CONNECT_MONGO_STYLE environment variable.
  • -username (string: "") - Specifies the username to pass through to the client. This value may be overridden by credentials sourced from a credential store. You can also specify the username using the BOUNDARY_CONNECT_USERNAME environment variable.

CLI options

In addition to the command specific options, there are options common to all CLI commands and subcommands:

Edit this page on GitHub