Boundary
Create a Vault credential store
You can manage credentials in Boundary using credential stores, which are resources that store credentials for various targets. Vault credential stores point to a HashiCorp Vault instance, which provides capabilities like generating short-lived dynamic credentials.
Requirements
- You must have a Vault instance available with an address or URL that is reachable from your Boundary instance. This will be used to connect Boundary to Vault.
- You must have static credentials stored in Vault’s key/value secrets engine. Examples of static credential types include username and password or username and SSH private key.
- You must have a Vault token for Boundary to authenticate and access your static credentials.
Configuration
Complete the following steps to create a Vault credential store:
Log in to Boundary.
Select Orgs on the navigation pane.
Select your desired org.
Select the project to which your static credential store should belong.
Select Credential Stores on the navigation pane.
Select New Credential Store.
Provide a name for your credential store and select type Vault.
Complete the fields related to your Vault instance:
- Address - The address of your Vault instance.
- Worker Filter (optional) - If your Vault instance does not have a publicly accessible address and instead is proxied through a Boundary worker, enter the worker filter. This should be a boolean expression. Refer to the examples in the Worker tags documentation.
- Token - Token provided by Vault that provides access to the static credentials within your Vault instance.
- Namespace (optional) - Vault namespace. Requires Vault Enterprise.
- TLS Server Name (optional) - Name to use as the SNI host if you connect to Vault via TLS.
- Client Certificate (optional) - A PEM-encoded client certificate to use for TLS authentication to the Vault server.
- Client Certificate key (optional) - A PEM-encoded private key that matches the client certificate from client certificate.
- CA Certificate (optional) - A PEM-encoded CA certificate to verify the Vault server's TLS certificate.
Click Save. You now have a static credential store where you can store static credentials.
In your newly created Vault credential store, click on the Credential Libraries tab.
Click Manage, and then select New Credential Library in the pull down menu.
Complete the fields related to the static credentials stored in your Vault instance:
- Name (optional) - The name is optional, but if you enter a name, it must be unique within the parent credential store.
- Type - Select Generic Secrets.
- Vault Path - Enter the path for the location of your static credentials stored in Vault. Boundary uses this field to locate the static credentials inside Vault.
- Credential Type - Select the appropriate credential type that matches the static credential stored in Vault.
- HTTP Method - Select GET.
Click Save.
Next steps
Once you have created a credential store, you can configure targets for credential brokering or credential injection. When you use credential brokering, Boundary centrally manages credentials and returns them to the user when they attempt to connect to a target. Credential injection requires HCP Boundary or Boundary Enterprise, and it provides end users with a passwordless experience when they connect to targets.