HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Boundary
Boundary Home

You are viewing documentation for version v0.20.x. View latest version.

Connect helpers

Boundary includes connect helpers that automatically accept host key prompts for you to help facilitate connections. These are written as boundary connect <subcommand> and are supported for the following connection types:

  • Cassandra
  • HTTP
  • Kubernetes
  • Mongo
  • MySQL
  • PostgreSQL
  • RDP
  • Redis
  • SSH

If you want to pass additional flags to the client, you can add them to the command line separated by a double dash. Boundary passes anything after the double dash to the executed client. For example, the following command uses the SSH connect helper to pass -l some-other-user to the SSH client:

$ boundary connect ssh -target-id ttcp_1234567890 -- -l some-other-user

Connect helpers also support a -style flag that lets you override the default client and format arguments in a different style. For example, besides the default style ssh, the SSH connect helper supports a -style putty option that lets you pass connection information to PuTTY.

One advantage to styles is that Boundary can provide information to the client in a format that makes sense. For example, the -username flag is used to specify a username other than the currently logged-in user. This ensures that regardless of the -style you choose, the username is properly passed to the executed client, and you don't have to figure out the syntax for yourself.

Cassandra connect helper

The Cassandra connect helper authorizes a session against a target and uses cqlsh to invoke a Cassandra client to automatically connect with the appropriate connection parameters and credentials. Only username/password credentials and configurations using Cassandra's PasswordAuthenticator are supported.

The following example executes the Cassandra client and establishes the connection to a target with the ID ttcp_1234567890. It passes the user name admin through to the client.

$ boundary connect cassandra -target-id ttcp_1234567890 -username admin

The Cassandra helper supports the following flags:

  • -keyspace (string: "") - The keyspace name that you want to pass through to the client. You can also specify the keyspace name using the BOUNDARY_CONNECT_KEYSPACE environment variable.
  • -style (string: "") - How the CLI attempts to invoke a Cassandra client. This value also sets a suitable default for -exec, if you did not specify a value. The default value is cqlsh. You can also specify how the CLI attempts to invoke a Cassandra client using the BOUNDARY_CONNECT_CASSANDRA_STYLE environment variable.
  • -username (string: "") - The username you want to pass through to the client. This value may be overridden by credentials sourced from a credential store. You can also specify a username using the BOUNDARY_CONNECT_USERNAME environment variable.

For more information, refer to the connect cassandra command documentation.

HTTP connect helper

The HTTP connect helper executes curl, and passes information such as the HTTP path, method, and verb. It can be useful to call API endpoints through the Boundary proxy.

The following example calls a weather API endpoint to get the rain forecast for New York:

$ boundary connect http -target-id ttcp_VlpkajEuuf -path '/v1/forecast?latitude=40.7143&longitude=-74.006&daily=precipitation_sum&timezone=America%2FNew_York'

The HTTP helper supports the following flags:

  • -host: Specifies the host value to use, and overrides the endpoint address from the session information. Boundary passes the specified hostname to the client for use in the Host header and TLS SNI value. You can also specify the host using the BOUNDARY_CONNECT_HTTP_HOST environment variable.
  • -method: Specifies the method to use. If you do not set this value, the helper uses the client's default method. You can also specify the method using the BOUNDARY_CONNECT_HTTP_METHOD environment variable.
  • -path: Specifies a path that Boundary appends to the generated URL. You can also specify the path using the BOUNDARY_CONNECT_HTTP_PATH environment variable.
  • -scheme: Specifies the scheme to use. The default scheme is https. You can also specify the scheme using the BOUNDARY_CONNECT_HTTP_SCHEME environment variable.
  • -style: Specifies how the CLI attempts to invoke an HTTP client. The only supported style for the HTTP helper is curl. You can also specify the style using the BOUNDARY_CONNECT_HTTP_STYLE environment variable.

For more information, refer to the connect http command documentation.

Kubernetes connect helper

The Kubernetes connect helper executes kubectl by proxying the call through Boundary. It can be useful to access a Kubernetes cluster that does not publicly expose its API server. To pass subcommands to kubectl, use -- followed by the command you want to pass. The following example calls kubectl top node:

$ boundary connect kube -target-id ttcp_Yq0QCUMSe2 -- top node

The Kubernetes helper supports the following flags:

  • -host: Specifies the host value to use, and overrides the endpoint address from the session information. You can also specify the host using the BOUNDARY_CONNECT_KUBE_HOST environment variable.
  • -scheme: Specifies the scheme to use. The default scheme is https. You can also specify the scheme using the BOUNDARY_CONNECT_KUBE_SCHEME environment variable.
  • -style: Specifies how the CLI attempts to invoke a Kubernetes client. The only supported style for the Kubernetes helper is kubectl. You can also specify the style using the BOUNDARY_CONNECT_KUBE_STYLE environment variable.

For more information, refer to the connect kube command documentation.

Mongo connect helper

The Mongo connect helper authorizes a session against a target and uses mongosh to invoke a MongoDB client to automatically connect with the appropriate connection parameters and credentials.

The following example executes the MongoDB client and establishes the connection to a database named mongo:

$ boundary connect mongo -target-id ttcp_1234567890 -dbname mongo

The Mongo helper supports the following flags:

  • -authentication-database (string: "") - Specifies the authentication database for MongoDB. If you omit this value, mongosh defaults authSource to the dbname. If there is no specified dbname, it defaults to admin. You can also specify the authentication database using the BOUNDARY_CONNECT_MONGO_AUTHENTICATION_DATABASE environment variable.
  • -dbname (string: "") - Specifies the database name to pass through to the client. You can also specify the database name using the BOUNDARY_CONNECT_DBNAME environment variable.
  • -style (string: "") - Specifies how the CLI attempts to invoke a MongoDB client. Currently, only mongosh is supported. You can also specify how the CLI attempts to invoke a MongoDB client using the BOUNDARY_CONNECT_MONGO_STYLE environment variable.
  • -username (string: "") - Specifies the username to pass through to the client. This value may be overridden by credentials sourced from a credential store. You can also specify the username using the BOUNDARY_CONNECT_USERNAME environment variable.

For more information, refer to the connect mongo command documentation.

MySQL connect helper

The MySQL connect helper authorizes a session against a target and invokes a MySQL client to automatically connect with the appropriate connection parameters and credentials.

The following example executes the MySQL client and establishes the connection through Boundary:

$ boundary connect mysql -target-id ttcp_1234567890

The MySQL helper supports the following flags:

  • -dbname (string: "") - The database name you want to pass through to the client. You can also specify the database name using the BOUNDARY_CONNECT_DBNAME environment variable.

  • -style (string: "") - How the CLI attempts to invoke a MySQL client. This value also sets a suitable default for -exec, if you did not specify a value. The default and currently-understood value is mysql. You can also specify how the CLI attempts to invoke a MySQL client using the BOUNDARY_CONNECT_MYSQL_STYLE environment variable.

  • -username (string: "") - The username you want to pass through to the client. This value may be overridden by credentials sourced from a credential store. You can also specify a username using the BOUNDARY_CONNECT_USERNAME environment variable.

For more information, refer to the connect mysql command documentation.

PostgreSQL connect helper

The PostgreSQL helper executes psql, and passes information such as the username and database name from the command line.

The following example connects to a PostgreSQL database named boundary:

$ boundary connect postgres -target-id ttcp_eTcZMueUYv -username admin -dbname postgres

The PostgreSQL helper automatically injects brokered credentials, allowing you to access the PostgreSQL instance without knowing the username and password.

$ boundary connect postgres -target-id ttcp_eTcZMueUYv -dbname postgres

The PostgreSQL helper supports the following flags:

  • -dbname: Specifies the database name you want to pass through to the client. You can also specify the database name using the BOUNDARY_CONNECT_DBNAME environment variable.
  • -style: Specifies how the CLI attempts to invoke a PostgreSQL client. The only supported style for the PostgreSQL helper is psql. You can also specify the style using the BOUNDARY_CONNECT_POSTGRES_STYLE environment variable.
  • -username: Specifies the username you want to pass through to the client. You can also specify the username using the BOUNDARY_CONNECT_USERNAME environment variable.

For more information, refer to the connect postgres command documentation.

RDP connect helper

The RDP connect helper determines which RDP client to use depending on your operating system. On Windows, it uses mstsc.exe. On Mac, it uses open. Other operating systems are not currently supported.

The following example executes the RDP client and establishes the connection through Boundary:

$ boundary connect rdp -target-id ttcp_eTcZMueUYv

The RDP helper supports the following flag:

  • -style: Specifies how the CLI attempts to invoke an RDP client. The RDP helper supports the styles mstsc and open. On Windows clients, mstsc is the default style. The default value on Mac clients is open. You can also specify the style using the BOUNDARY_CONNECT_RDP_STYLE environment variable.

For more information, refer to the connect rdp command documentation.

Redis connect helper

The Redis connect helper authorizes a session against a target and invokes a Redis client to automatically connect with the appropriate connection parameters and credentials. Only username/password credentials are supported.

The following example executes the Redis client and establishes the connection through Boundary:

$ boundary connect redis -target-id ttcp_1234567890

The Redis helper supports the following flags:

  • -style (string: "") - Specifies how the CLI attempts to invoke a Redis client. Currently, only redis-cli is supported. You can also specify how the CLI attempts to invoke a Redis client using the BOUNDARY_CONNECT_REDIS_STYLE environment variable.
  • -username (string: "") - Specifies the username to pass through to the client. This value may be overridden by credentials sourced from a credential store. You can also specify the username using the BOUNDARY_CONNECT_USERNAME environment variable.

For more information, refer to the connect redis command documentation.

SSH connect helper

The SSH connect helper automatically executes SSH and passes connection information. An expected host ID is set to avoid warnings on future connections when a different port is allocated automatically. You must still accept a host key upon the first connection.

The following example connects to a target with the ID ttcp_1234567890 and automatically fills in the local address and port:

$ boundary connect ssh -target-id ttcp_1234567890

The SSH helper supports the following flags:

  • -remote-command: Specifies a command you want to run on the remote host. You can specify a complete command line, or you may include additional arguments. If you include additional arguments, you must append them to the command and separate them using spaces.
  • -style: Specifies how the CLI attempts to invoke an SSH client. The SSH helper supports the styles ssh and putty. The default style is ssh. You can also specify the style using the BOUNDARY_CONNECT_SSH_STYLE environment variable.
  • -username: Specifies the username you want to pass through to the client. You can also specify the username using the BOUNDARY_CONNECT_USERNAME environment variable.

For more information, refer to the connect ssh command documentation.

Edit this page on GitHub