HashiConf 2024 Now streaming live from Boston! Attend for free
Boundary
Boundary Home

Exec flag

Boundary includes built-in connect helpers for clients, however, boundary connect can execute clients even when there is no built-in support for a specific client using the -exec flag. The -exec flag lets you wrap Boundary TCP sessions in your preferred client. You can use this flag to create an authenticated proxy to almost anything.

When you use -exec, you can pass flags to the client by including them in the executed command after a double-dash --. For example, the following command passes -l myuser -i ~/.ssh/identity to the PuTTY client:

$ boundary connect ssh -style putty -exec putty.exe -target-id ttcp_1234567890 -- -l myuser -i ~/.ssh/identity

You can substitute the following templated values into the command arguments. Boundary injects these values in the executed command as environment variables:

  • {{boundary.ip}} (BOUNDARY_PROXIED_IP): The IP address of the listening socket that boundary connect opened.
  • {{boundary.port}} (BOUNDARY_PROXIED_PORT): The port of the listening socket that boundary connect has opened.
  • {{boundary.addr}} (BOUNDARY_PROXIED_ADDR): The host:port format of the address. This value is essentially equivalent to {{boundary.ip}}:{{boundary.port}}.

For example, if you wanted to use Boundary to create an authenticated firewall around curl, you could update the default TCP target from a default port of :22 to :443 using the following command:

$ boundary targets update tcp -default-port 443 -id ttcp_1234567890

Target information:
  Address:                    127.0.0.1
  Created Time:               Fri, 25 Sep 2020 18:35:47 PDT
  Description:                Provides an initial target in Boundary
  ID:                         ttcp_1234567890
  Name:                       Generated target
  Session Connection Limit:   1
  Session Max Seconds:        28800
  Type:                       tcp
  Updated Time:               Fri, 25 Sep 2020 18:36:18 PDT
  Version:                    2

  Scope:
    ID:                       p_1234567890
    Name:                     Generated project scope
    Parent Scope ID:          o_1234567890
    Type:                     project

  Attributes:
    Default Port:             443

In the output above, the default port for the target has now changed to :443.

Now, you can use curl as the client for a TCP target session. For example, the following command uses curl to perform an authenticated download of hashicorp.com:

$ boundary connect -exec curl -target-id ttcp_1234567890 \
         -- -vvsL --output /dev/null hashicorp.com

*   Trying 76.76.21.21...
* TCP_NODELAY set
* Connected to hashicorp.com (76.76.21.21) port 80 (#0)
> GET / HTTP/1.1
> Host: hashicorp.com
> User-Agent: curl/7.64.1
> Accept: */*
...<truncated output>...

Note that you can use -exec for subcommands that wrap clients as well. As an example, if putty.exe is available on a Windows host but the command is being run from WSL, you could use the following command to specify the correct binary to use, since WSL must use .exe when it invokes Windows binaries:

$ boundary connect ssh -style putty -exec putty.exe -target-id ttcp_1234567890
Edit this page on GitHub