
HashiCorp Boundary standalone

Updated: 21 July 2024

Introduction

All the components needed for a HashiCorp Boundary infrastructure are installed on this single instance:

  • A PostgreSQL database
  • A Boundary Controller
  • A Boundary Worker

The purpose is to be simple to instantiate, test, and use.

Getting started

Connecting to the web console

To connect to the web console:

  • Connect to https://[instance url/ip]:9200
    • login: admin
    • password: [instance's hostname]

To check that the configuration is fine, in the web console:

  • Click on "Workers" in the right side menu
  • Select "worker-01"
  • Verify that the "address" will be reachable from the machine from which you will launch your Boundary client
    If not, follow the instructions under "Worker public address"

/!\ Be careful: the public address of your server can change if you stop and start it. You then need to modify it accordingly in the configuration of the controller.

An easy way to test the instance

To connect to your boundary host, as a target

To connect to your Boundary bastion as a target:

  • Authenticate to your instance:
$ boundary authenticate password -addr=https://[instance url/ip]:9200 -tls-insecure
Please enter the login name (it will be hidden): admin
Please enter the password (it will be hidden): [instance's hostname]
  • Export the authentication token in an environment variable. For example:
$ export BOUNDARY_TOKEN=at_21Ry8IsRRm_s1tCPrptyavGZ73TccJHCynHU9EzEjeM8999PEWzCfwk6PxsC733bLbAevVuHFh8g3tH7vAYJgNCVX7An59QxKCYdUimVEXNhbo1nuu8XU79DLBS48GtvQQuZSCpeRDbhCudFEoBfvLbf2Vh7j
  • Connect to your target. For example, for an SSH target:
$ boundary connect ssh -addr=https://[instance url/ip]:9200 -tls-insecure -target-scope-name='Generated project scope' -target-name='Generated target with a direct address' -token=env://BOUNDARY_TOKEN -- -l [target login name] -i [your instance ssh key]

Specific configurations

Services

The main services for this Boundary instance are:

  • The database:

    • Name of the service: postgresql
  • The Boundary Controller:

    • Name of the service: boundary-controller.service
    • Configuration file: /etc/boundary.d/controller.hcl
  • The Boundary Worker:

    • Name of the service: boundary-worker.service
    • Configuration file: /etc/boundary.d/worker.hcl

Controller TLS certificates

By default, the controller certificate and private key are stored in /etc/boundary.d/tls/.

They are configured in /etc/boundary.d/controller.hcl:

  tls_disable = false
  tls_cert_file = "/etc/boundary.d/tls/boundary.pem"
  tls_key_file  = "/etc/boundary.d/tls/boundary.key"

Worker public address

Your Boundary client connects to the Boundary worker's public address to reach your target, so this address must be reachable from the machine on which you launch your Boundary client.

To modify this address:

  • Connect to your instance over SSH
  • Edit the file /etc/boundary.d/worker.hcl as root
  • Change the parameter: public_addr = "[the public address of the instance]"
  • Restart the service: $ sudo systemctl restart boundary-worker.service
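
To catch a stale address after the instance has been stopped and started, the following script compares public_addr in the worker configuration with the address you expect clients to use. It is an added example, not part of the original page or of the instance image; it assumes public_addr is written on one line as public_addr = "host[:port]", and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether public_addr in the worker configuration still
# matches the address clients are expected to use.
# Assumption: public_addr is written on one line as  public_addr = "host[:port]"
# Usage: sh check_worker_addr.sh /etc/boundary.d/worker.hcl <expected address>

# Print the first uncommented public_addr value found in the file.
worker_public_addr() {
    sed -n 's/^[[:space:]]*public_addr[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Strip an optional port: host:port, [IPv6]:port, or a bare IPv6 address.
addr_host() {
    case "$1" in
        \[*\]*) h=${1#\[}; printf '%s\n' "${h%%]*}" ;;
        *:*:*)  printf '%s\n' "$1" ;;
        *:*)    printf '%s\n' "${1%:*}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Exit status: 0 = matches, 1 = differs (stale), 2 = public_addr not set.
check_worker_addr() {
    conf=$1
    expected=$2
    configured=$(worker_public_addr "$conf")
    if [ -z "$configured" ]; then
        echo "public_addr is not set in $conf" >&2
        return 2
    fi
    if [ "$(addr_host "$configured")" = "$expected" ]; then
        echo "ok: public_addr = $configured"
        return 0
    fi
    echo "stale: public_addr = $configured, expected $expected" >&2
    echo "edit $conf, then: sudo systemctl restart boundary-worker.service" >&2
    return 1
}

# Run the check only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    check_worker_addr "$1" "$2"
fi
```

Run it as root or with sudo if the configuration file is not readable by your user.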

Official documentation

For other matters, please refer to the official documentation:

https://developer.hashicorp.com/boundary