hashicorp/boundary hashicorp/boundary

  • Stars
    star
    3,762
  • Rank 11,140 (Top 0.3 %)
  • Language
    Go
  • License
    Other
  • Created over 4 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
hashicorp/boundary
github

hashicorp

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Boundary enables identity-based access management for dynamic infrastructure.

Boundary

Please note: We take Boundary's security and our users' trust very seriously. If you believe you have found a security issue in Boundary, please responsibly disclose by contacting us at [email protected].

Boundary provides simple and secure access to hosts and services.

Traditional approaches like SSH bastion hosts or VPNs require distributing and managing credentials, configuring network controls like firewalls, and exposing the private network. Boundary provides a secure way to access hosts and critical systems without having to manage credentials or expose your network, and is entirely open source.

Boundary is designed to be straightforward to understand, highly scalable, and resilient. It can run in clouds, on-prem, secure enclaves and more, and does not require an agent to be installed on every end host.

Unlike firewalls, Boundary performs per-access authentication and authorization checks, allowing for much higher level mappings of users to services or hosts than at network layers. Although complementary to secrets managers (like HashiCorp's own Vault), Boundary fills a different niche, allowing the credential that is eventually used to be hidden entirely from the user.

Getting Started

Boundary consists of two server components: Controllers, which serve the API and coordinate session requests; and Workers, which perform the actual session handling. A normal Boundary installation will consist of one or more Controllers paired with one or more Workers. A single Boundary binary can act in either of these two modes.

Additionally, Boundary provides a client that provides access to request and connect to authorized sessions.

Boundary does not require software to be installed on the endpoint hosts and services.

Requirements

Boundary has two external dependencies: a SQL database, and one or more KMSes. Both are readily available from cloud vendors, but can be satisfied by on-premises technologies as well.

  • The database contains Boundary's configuration and session information and must be accessible by Controller nodes. Values that are secrets (such as credentials) are encrypted in the database. Currently, PostgreSQL is supported as a database and has been tested with Postgres 12 and above. Boundary uses only common extensions and both hosted and self-run instances are supported. In most instances all that is needed is a database endpoint and appropriate credentials.

  • Any cloud KMS or Vault's Transit Secrets Engine can be used to satisfy the KMS requirement. Currently, two keys within the KMS are required: one for authenticating other cluster components, which must be accessible by both Controllers and Workers; and one for encrypting secret values in the database, which need only be accessible to Controllers. These keys can be changed over time (so long as the original key remains available for any decryption needs), and key derivation is used extensively to avoid key sprawl of these high-value keys. If available, other keys can be used for other purposes, such as recovery functionality and encryption of sensitive values in Boundary's config file.

Boundary has a dev mode that can be used for testing. In this mode both a Controller and Worker are started with a single command, and they have the following properties:

  • The Controller will start a PostgreSQL Docker container to use as storage. This container will be shut down and removed (if possible) when the Controller is (gracefully) shut down.
  • The Controller will use an internal KMS with ephemeral keys

Trying out Boundary

Running Boundary in a more permanent context requires a few more steps, such as writing some simple configuration files to tell the nodes how to reach their database and KMS. The steps below, along with the extra information needed for permanent installations, are detailed in our Installation Guide.

Build and Start Boundary in Dev Mode

NOTE: Do not use the main branch except for dev or test cases. Boundary 0.10 introduced release branches which should be safe to track, however, migrations in main may be renumbered if needed. The Boundary team will not be able to provide assistance if running main over the long term results in migration breakages.

If you have the following requirements met locally:

  • Golang v1.19 or greater
  • Docker
  • Either the Boundary UI Dependencies for locally building the ui assets or gh cli for downloading pre-built ui assets.

You can get up and running with Boundary quickly. Simply run:

make install

This will build Boundary. (The first time this is run it will fetch and compile UI assets; which will take a few extra minutes.) Once complete, run Boundary in dev mode:

$GOPATH/bin/boundary dev

Please note that development may require other tools; to install the set of tools at the versions used by the Boundary team, run:

make tools

Without doing so, you may encounter errors while running make install. It is important to also note that using make tools will install various tools used for Boundary development to the normal Go binary directory; this may overwrite or take precedence over tools that might already be installed on the system.

Specify a UI Commitish at Build Time

By default the UI will be built from a preselected commit ID from the UI repo. A different commitish from which to build UI assets may be specified via the UI_COMMITISH environment variable. For example:

UI_COMMITISH=feature-branch make build-ui

will update your local UI assets.

UI Build Troubleshooting

UI assets are built within a Docker container. If you encounter issues with this build step, trying increasing memory and swap available to Docker.

UI Development

It would be impractical to rebuild the binary on every change when actively developing the UI. To make UI development more convenient, the binary supports a passthrough directory. This is an arbitrary local directory from which UI assets are served. Note this option is only available in dev mode. For example:

BOUNDARY_DEV_UI_PASSTHROUGH_DIR=/boundary-ui/ui/admin/dist ~/go/bin/boundary dev

Download and Run from Release Page

Download the latest release of the server binary and appropriate desktop client(s) from our releases page

Start Boundary

Start the server binary with:

boundary dev

This will start a Controller service listening on http://127.0.0.1:9200 for incoming API requests and a Worker service listening on http://127.0.0.1:9202 for incoming session requests. It will also create various default resources and display various useful pieces of information, such as a login name and password that can be used to authenticate.

Configuring Resources

For a simple test of Boundary in dev mode you don't generally need to configure any resources at all! But it's useful to understand what dev mode did for you so you can then take further steps. By default, dev mode will create:

  • The global Scope for initial authentication, containing a Password-type Auth Method, along with an Account for login.
  • An organization Scope under global, and a project Scope inside the organization.
  • A Host Catalog with a default Host Set, which itself contains a Host with the address of the local machine (127.0.0.1)
  • A Target mapping the Host Set to a set of connection parameters, with a default port of 22 (e.g. SSH)

You can of course go into Boundary's web UI or use its API to change these default values, for instance if you want to connect to a different host or need to modify the port on which to to connect.

Making the Connection

Next, let's actually make a connection to your local SSH daemon via Boundary:

  1. Authenticate to Boundary; using default dev values, this would be boundary authenticate password -auth-method-id ampw_1234567890 -login-name admin -password password. (Note that if you do not include the password flag you will be prompted for it.)
  2. Run boundary connect ssh -target-id ttcp_1234567890. If you want to adjust the username, pass -username <name> to the command.

A lot more is possible with Boundary, even at this early stage. Check out the possibilities for target configuration to test out limiting (or increasing) the number of connections per session or setting a maximum time limit; try canceling an active session from the sessions page or via boundary sessions, make your own commands with boundary connect -exec, and so on.

Going Further

This example is a simple way to get started but omits several key steps that could be taken in a production context:

  • Using a firewall or other means to restrict the set of hosts allowed to connect to a local service to only Boundary Worker nodes, thereby making Boundary the only means of ingress to a host
  • Using the Boundary Terraform provider to easily integrate Boundary with your existing code-based infrastructure
  • Pointing a BI tool (PowerBI, Tableau, etc.) at Boundary's session warehouse to generate insights and look for anomalies with respect to session access

There are many, many more things that Boundary will do in the future in terms of integrations, features, and more. We have a long roadmap planned out, so stay tuned for information about new features and capabilities!

Contributing

Thank you for your interest in contributing! Please refer to CONTRIBUTING.md for guidance.

More Repositories

1

terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Go
40,845
star
2

vault

A tool for secrets management, encryption as a service, and privileged access management
Go
29,344
star
3

consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
Go
27,763
star
4

vagrant

Vagrant is a tool for building and distributing development environments.
Ruby
25,729
star
5

packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.
Go
14,818
star
6

nomad

Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Nomad is easy to operate and scale and has native Consul and Vault integrations.
Go
14,315
star
7

terraform-provider-aws

Terraform AWS provider
Go
9,438
star
8

raft

Golang implementation of the Raft consensus protocol
Go
7,383
star
9

serf

Service orchestration and management tool.
Go
5,692
star
10

go-plugin

Golang plugin system over RPC.
Go
4,874
star
11

hcl

HCL is the HashiCorp configuration language.
Go
4,827
star
12

waypoint

A tool to build, deploy, and release any application on any platform.
Go
4,789
star
13

terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
TypeScript
4,701
star
14

consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
Go
4,682
star
15

terraform-provider-azurerm

Terraform provider for Azure Resource Manager
Go
4,347
star
16

otto

Development and deployment made easy.
HTML
4,282
star
17

golang-lru

Golang LRU cache
Go
4,015
star
18

memberlist

Golang package for gossip based membership and failure detection
Go
3,303
star
19

go-memdb

Golang in-memory database built on immutable radix trees
Go
2,937
star
20

next-mdx-remote

Load mdx content from anywhere through getStaticProps in next.js
TypeScript
2,245
star
21

terraform-provider-google

Terraform Google Cloud Platform provider
Go
2,213
star
22

go-multierror

A Go (golang) package for representing a list of errors as a single error.
Go
2,029
star
23

yamux

Golang connection multiplexing library
Go
2,003
star
24

envconsul

Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
Go
1,967
star
25

go-retryablehttp

Retryable HTTP client in Go
Go
1,702
star
26

go-getter

Package for downloading things from a string URL using a variety of protocols.
Go
1,541
star
27

terraform-provider-kubernetes

Terraform Kubernetes provider
Go
1,538
star
28

best-practices

HCL
1,490
star
29

go-version

A Go (golang) library for parsing and verifying versions and version constraints.
Go
1,459
star
30

go-metrics

A Golang library for exporting performance and runtime metrics to external metrics systems (i.e. statsite, statsd)
Go
1,404
star
31

terraform-guides

Example usage of HashiCorp Terraform
HCL
1,324
star
32

setup-terraform

Sets up Terraform CLI in your GitHub Actions workflow.
JavaScript
1,238
star
33

mdns

Simple mDNS client/server library in Golang
Go
1,020
star
34

vault-guides

Example usage of HashiCorp Vault secrets management
Shell
990
star
35

terraform-provider-helm

Terraform Helm provider
Go
976
star
36

go-immutable-radix

An immutable radix tree implementation in Golang
Go
926
star
37

vault-helm

Helm chart to install Vault and other associated components.
Shell
904
star
38

terraform-ls

Terraform Language Server
Go
896
star
39

vscode-terraform

HashiCorp Terraform VSCode extension
TypeScript
870
star
40

levant

An open source templating and deployment tool for HashiCorp Nomad jobs
Go
822
star
41

vault-k8s

First-class support for Vault and Kubernetes.
Go
697
star
42

terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
HCL
653
star
43

terraform-github-actions

Terraform GitHub Actions
Shell
618
star
44

terraform-exec

Terraform CLI commands via Go.
Go
608
star
45

terraform-provider-vsphere

Terraform Provider for VMware vSphere
Go
601
star
46

consul-k8s

First-class support for Consul Service Mesh on Kubernetes
Go
599
star
47

raft-boltdb

Raft backend implementation using BoltDB
Go
585
star
48

nextjs-bundle-analysis

A github action that provides detailed bundle analysis on PRs for next.js apps
JavaScript
539
star
49

go-discover

Discover nodes in cloud environments
Go
537
star
50

consul-replicate

Consul cross-DC KV replication daemon.
Go
504
star
51

next-mdx-enhanced

A Next.js plugin that enables MDX pages, layouts, and front matter
JavaScript
496
star
52

terraform-provider-kubernetes-alpha

A Terraform provider for Kubernetes that uses dynamic resource types and server-side apply. Supports all Kubernetes resources.
Go
493
star
53

docker-vault

Official Docker images for Vault
Shell
492
star
54

terraform-k8s

Terraform Cloud Operator for Kubernetes
Go
449
star
55

puppet-bootstrap

A collection of single-file scripts to bootstrap your machines with Puppet.
Shell
444
star
56

terraform-provider-vault

Terraform Vault provider
Go
431
star
57

cap

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP
Go
426
star
58

consul-helm

Helm chart to install Consul and other associated components.
Shell
422
star
59

nomad-autoscaler

Nomad Autoscaler brings autoscaling to your Nomad workloads.
Go
411
star
60

damon

A terminal UI (TUI) for HashiCorp Nomad
Go
405
star
61

terraform-provider-azuread

Terraform provider for Azure Active Directory
Go
404
star
62

vault-ssh-helper

Vault SSH Agent is used to enable one time keys and passwords
Go
404
star
63

terraform-provider-scaffolding

Quick start repository for creating a Terraform provider
Go
402
star
64

docker-consul

Official Docker images for Consul.
Dockerfile
399
star
65

vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
Go
398
star
66

terraform-aws-consul

A Terraform Module for how to run Consul on AWS using Terraform and Packer
HCL
397
star
67

vault-action

A GitHub Action that simplifies using HashiCorp Vaultβ„’ secrets as build variables.
JavaScript
391
star
68

terraform-plugin-sdk

Terraform Plugin SDK enables building plugins (providers) to manage any service providers or custom in-house solutions
Go
383
star
69

hil

HIL is a small embedded language for string interpolations.
Go
382
star
70

nomad-pack

Go
377
star
71

hcl2

Former temporary home for experimental new version of HCL
Go
375
star
72

errwrap

Errwrap is a Go (golang) library for wrapping and querying errors.
Go
373
star
73

learn-terraform-provision-eks-cluster

HCL
364
star
74

go-cleanhttp

Go
359
star
75

design-system

Helios Design System
TypeScript
358
star
76

logutils

Utilities for slightly better logging in Go (Golang).
Go
356
star
77

vault-ruby

The official Ruby client for HashiCorp's Vault
Ruby
336
star
78

vault-rails

A Rails plugin for easily integrating Vault secrets
Ruby
334
star
79

waypoint-examples

Example Apps that can be deployed with Waypoint
PHP
326
star
80

next-remote-watch

Decorated local server for next.js that enables reloads from remote data changes
JavaScript
325
star
81

go-hclog

A common logging package for HashiCorp tools
Go
307
star
82

terraform-config-inspect

A helper library for shallow inspection of Terraform configurations
Go
293
star
83

consul-haproxy

Consul HAProxy connector for real-time configuration
Go
279
star
84

nomad-guides

Example usage of HashiCorp Nomad
HCL
275
star
85

consul-esm

External service monitoring for Consul
Go
260
star
86

http-echo

A tiny go web server that echos what you start it with!
Makefile
257
star
87

vault-csi-provider

HashiCorp Vault Provider for Secret Store CSI Driver
Go
253
star
88

terraform-aws-nomad

A Terraform Module for how to run Nomad on AWS using Terraform and Packer
HCL
253
star
89

faas-nomad

OpenFaaS plugin for Nomad
Go
252
star
90

terraform-provider-google-beta

Terraform Google Cloud Platform Beta provider
Go
251
star
91

go-sockaddr

IP Address/UNIX Socket convenience functions for Go
Go
250
star
92

terraform-foundational-policies-library

Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. This repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.
HCL
233
star
93

vagrant-vmware-desktop

Official provider for VMware desktop products: Fusion, Player, and Workstation.
Go
225
star
94

nomad-driver-podman

A nomad task driver plugin for sandboxing workloads in podman containers
Go
219
star
95

go-tfe

Terraform Cloud/Enterprise API Client/SDK in Golang
Go
217
star
96

terraform-provider-awscc

Terraform AWS Cloud Control provider
HCL
213
star
97

boundary-reference-architecture

Example reference architecture for a high availability Boundary deployment on AWS.
HCL
206
star
98

nomad-pack-community-registry

A repo for Packs written and maintained by Nomad community members
HCL
205
star
99

terraform-plugin-framework

A next-generation framework for building Terraform providers.
Go
204
star
100

vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
Go
192
star