Broker Static Credentials to your First Target
A credential store is a Boundary resource used to store, retrieve, and sometimes generate credentials. Credential stores are scoped under projects and utilize the principle of least privilege to limit access. Credential stores may contain credential libraries.
In this tutorial, you will create
username_password and add them to a static credential
using the Boundary. These concepts are foundational to learning about
credential injection with HCP
Boundary later on.
- Access to an HCP Boundary instance.
- Boundary 0.12 installed.
- Completed the previous quick start tutorials.
- A publicly accessible Ubuntu instance.
- A ssh key-pair that can be used to authenticate with the Ubuntu instance.
Ubuntu is used in this tutorial for demonstration purposes only. You can follow this guide to create a publicly accessible EC2 instance to use for this tutorial.
In the previous tutorial, the following Boundary resources were defined:
- A project
- A target of type TCP with an assigned address
ubuntu host was created with an address assigned directly to the target.
This allowed for
boundary connect ssh to run the connection through Boundary
with user-supplied SSH credentials.
Several environment variables were created to support the tutorial. These environment variables are used throughout the Getting Started series.
Check the environment variable values defined in the previous tutorial
$TARGET_ID are available.
$ echo "UBUNTU_USER=$UBUNTU_USER"; echo "UBUNTU_KEY=$UBUNTU_KEY"; echo "PROJECT_ID=$PROJECT_ID"; echo "TARGET_ID=$TARGET_ID" UBUNTU_USER=ubuntu UBUNTU_KEY=my_key_file.pem PROJECT_ID=p_vM7cfGEgq8 TARGET_ID=ttcp_INY0BCD2VF
If any of these values are not defined, ensure that you have completed the Connect to Your First Target tutorial.
If these values were defined in an unavailable shell session, list the IDs for the resources and export them as environment variables.
For example, to find the
$ boundary targets list -scope-id $PROJECT_ID Target information: ID: ttcp_KM3A26XXvG Version: 1 Type: tcp Name: ubuntu-target Description: ubuntu target Address: 192.168.100.253 Authorized Actions: no-op read update delete add-host-sources set-host-sources remove-host-sources add-credential-sources set-credential-sources remove-credential-sources authorize-session
Then, export the environment variable.
$ export TARGET_ID=<my target ID>
Repeat this process for the other undefined variables.
The use of environment variables is not required to use HCP Boundary. Environment variables are used throughout the tutorial for ease of following along and copying the required commands.
Set up a new user on the target
In the previous tutorial,
boundary connect ssh was used with a
user-supplied private key to proxy an SSH session through Boundary.
To demonstrate credential brokering, you will first configure your Ubuntu instance with a new user.
boundary connect sshcommand to log in the Ubuntu instance.
$ boundary connect ssh -target-id=$TARGET_ID -- -l $UBUNTU_USER -i $UBUNTU_KEY The authenticity of host 'ec2-198-52-100-1.compute-1.amazonaws.com (198-51-100-1)' can't be established. ECDSA key fingerprint is l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY. Are you sure you want to continue connecting (yes/no)? yes ubuntu@ip-172-32-88-177:~
Your system prompt will be replaced with a prompt similar to
The prompt within this section is shown as
$but the commands are intended to be executed within this interactive shell on the Ubuntu machine.
While logged in, create a new user account.
$ sudo useradd ssh-user
Define a password of
passw0rd1234for the new
$ sudo passwd ssh-user Changing password for user ssh-user. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.
Verify the new user was defined correctly by checking the
$ cat /etc/passwd | grep ssh-user ssh-user:x:1000`:1000:ssh-user:/home/ssh-user:/bin/bash
Log out of the ubuntu machine using
On your host machine, export the
ssh-userpassword as the
SSH_USER_PASSenvironment variable. This value will be passed to Boundary when creating the new credential.
$ export SSH_USER_PASS=passw0rd1234
If you used a unique password for the
Create a static credential
Log into your HCP Boundary instance. Enter the password you created when deploying the HCP Boundary instance at the
Please enter the password (it will be hidden):prompt.
$ boundary authenticate password \ -auth-method-id=$BOUNDARY_AUTH_METHOD_ID \ -login-name=$BOUNDARY_ADMIN
Authentication information: Account ID: acctpw_TBnUEBekWg Auth Method ID: ampw_eDXtKF7g5x Expiration Time: Mon, 09 May 2022 15:13:31 EDT User ID: u_B7cPickLel
Create a new static credential store that will contain the new ssh-user login credentials.
$ boundary credential-stores create static \ -scope-id $PROJECT_ID \ -name "login-credentials"
Credential Store information: Created Time: Mon, 29 Aug 2022 15:41:05 MDT ID: csst_O8utI0b3XC Name: login-credentials Type: static Updated Time: Mon, 29 Aug 2022 15:41:05 MDT Version: 1 Scope: ID: p_vM7cfGEgq8 Name: quick-start-project Parent Scope ID: o_XVoiuPfG1D Type: project Authorized Actions: no-op read update delete Authorized Actions on Credential Store's Collections: credentials: create list
Copy the ID of the new static credential store and export it as the
$ export CRED_STORE_ID=<actual-cred-store-id>
Define a new
username_passwordcredential within the static credential store.
Passwords can only be passed to the
-passwordoption using the
file://syntax to prevent credentials from being logged within the terminal.
$ boundary credentials create username-password \ -name ssh-user \ -credential-store-id $CRED_STORE_ID\ -username ssh-user \ -password env://SSH_USER_PASS
Credential information: Created Time: Mon, 29 Aug 2022 15:53:02 MDT Credential Store ID: csst_O8utI0b3XC ID: credup_bAPYr1NK1C Name: ssh-user Type: username_password Updated Time: Mon, 29 Aug 2022 15:53:02 MDT Version: 1 Scope: ID: p_vM7cfGEgq8 Name: quick-start-project Parent Scope ID: o_XVoiuPfG1D Type: project Authorized Actions: no-op read update delete Attributes: Password HMAC: HrtC8JypKXjryr_GefweWGceMPOBrnVtX1CRJ4qiULc Username: ssh-user
Notice that only the
Password HMACis returned upon creating the new credential.
Export the credential ID as the
$ export SSH_USER_CRED_ID="credup_bAPYr1NK1C"
Attach the credential to a target
Now that the
username_password credential exists within Boundary, it can be added to the
Associate the credential with the target.
$ boundary targets add-credential-sources \ -id $TARGET_ID \ -brokered-credential-source $SSH_USER_CRED_ID
Target information: Created Time: Mon, 29 Aug 2022 15:32:24 MDT Description: my first target ID: ttcp_INY0BCD2VF Name: quick-start-target Session Connection Limit: -1 Session Max Seconds: 28800 Type: tcp Updated Time: Mon, 29 Aug 2022 16:09:47 MDT Version: 3 Scope: ID: p_vM7cfGEgq8 Name: quick-start-project Parent Scope ID: o_XVoiuPfG1D Type: project Authorized Actions: no-op read update delete add-host-sources set-host-sources remove-host-sources add-credential-sources set-credential-sources remove-credential-sources authorize-session Host Sources: Host Catalog ID: hcst_fp08VKJu1F ID: hsst_rtS9Smbqi8 Brokered Credential Sources: Credential Store ID: csst_O8utI0b3XC ID: credup_bAPYr1NK1C Attributes: Default Port: 22
With the new credential attached to the ubuntu-target as a Brokered Credential Source, the credentials will be displayed to the user when Boundary authorizes a session.
Connect and broker credentials
Connect to the target.
$ boundary connect ssh -target-id=$TARGET_ID -- -l $UBUNTU_USER -i $UBUNTU_KEY Credentials: Credential Source ID: credup_bAPYr1NK1C Credential Source Name: ssh-user Credential Store ID: csst_O8utI0b3XC Credential Store Type: static Credential Type: username_password Secret: password: passw0rd1234 username: ssh-user Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-1011-aws x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Mon Aug 29 22:13:44 UTC 2022 System load: 0.0 Processes: 98 Usage of /: 19.2% of 7.58GB Users logged in: 0 Memory usage: 21% IPv4 address for eth0: 172.31.22.151 Swap usage: 0% 0 updates can be applied immediately. The list of available updates is more than a week old. To check for new updates run: sudo apt update Last login: Mon Aug 29 22:00:40 2022 from 126.96.36.199 ubuntu@ip-172-31-22-151:~$
During the connection process, the brokered credentials are displayed to the client:
Secret: password: passw0rd1234 username: ssh-user
passw0rd1234is the password supplied when setting up the ssh-user on the Ubuntu host, and defined when creating the
With these brokered credentials, the user could log in as this user, or perform other tasks requiring these credentials:
ubuntu@ip-172-31-22-151:~$ su ssh-user Password: $ whoami ssh-user $ exit
This is a simple example of logging in as another system-level user, but other useful application credentials could also be provided to the client, such as credentials for a database running on the ubuntu host.
Log out of the ssh-user account and then the ubuntu host using
In this tutorial you learned how to broker static credentials when connecting to a host. Next, you will learn how to install the Boundary Desktop app and connect to a host.