Boundary
Enable session recording with S3-compatible storage
Boundary 0.16 added SSH session recording support using the MinIO storage backend. This support enables users who want to integrate an S3-compatible storage backend for monitoring Boundary session activity. Session recording is available for HCP Boundary Plus and Boundary Enterprise users, and provides insight into user actions over remote SSH sessions to meet regulatory requirements for organizations and prevent malicious behavior. Administrators can enable session recording on SSH targets in their Boundary environment and replay recordings back within the Boundary admin UI.
The MinIO plugin is S3 compatible and enables session recording for other Amazon S3 compatible storage providers, such as Hitachi Object Storage.
This tutorial demonstrates enabling SSH session recording using MinIO as the storage backend and Boundary's native credential management features.
Tutorial overview
- Prerequisites
- Background
- Get setup
- Deploy a target and worker
- Set up MinIO
- Set up Boundary
- Enable session recording
- Verify and play back recordings
Prerequisites
Note
This tutorial was tested on in August 2024 using macOS 14.5, and in the Windows 11 Subsystem for Linux (WSL) with Ubuntu 20.04.
Before moving on, check that the following versions or greater are installed.
This tutorial recommends completing the HCP Boundary administration tutorials first. The learner should have a working Boundary cluster and org running on HCP, or a licensed Boundary Enterprise cluster.
Docker is installed (Note: Learners may also bring their own target, instead of using Docker)
A Boundary binary greater than 0.16.0 in your
PATH
Terraform 0.14.9 or greater provides an optional workflow to complete the lab. The binary must be available in your
PATH
.The
jq
utility is recommended to simplify the CLI workflow. It should be installed and in yourPATH
.Installing the Boundary Desktop App provides an optional workflow for this tutorial. The 2.0.0 version or above is recommended.
Session recording background
A common requirement and challenge in highly regulated environments is having a system of record that archives actions taken on the network so that organizations can improve their security posture and enhance compliance.
Session recording allows administrators to get insight into user actions over remote SSH sessions to meet regulatory requirements for organizations and prevent malicious behavior. Administrators can enable session recording on SSH targets in their Boundary environment, store signed recordings in their storage bucket, and replay recordings back within the Boundary admin UI.
Recorded sessions get converted into a Boundary session recording (BSR) file, a binary file format and specification created to define the structure of Boundary recording files.
BSR files are designed to:
- Support the recording of both multiplexed and non-multiplexed protocols
- Allow recordings of independent byte streams in a session to be written in parallel
- Support an optimal user experience during playback
- Be extensible to support more protocols in the future
BSR contains all the data transmitted between a user and a target during a session and is available within your storage bucket. These files are signed to ensure they are tamper-proof.
SSH session recording is available as a part of the Plus tier in both HCP Boundary and Boundary Enterprise.
Get set up
The following components get configured in the lab environment for this tutorial:
- HCP Boundary Plus or Boundary Enterprise cluster
- MinIO storage bucket
- SSH host
- A worker instance to proxy & record your SSH session
Gather your Boundary Enterprise cluster details
Session recording, credential injection, and SSH targets are features available in Boundary Enterprise.
If you do not have admin level access to a Boundary Enterprise deployment, consider following the HCP Boundary deployment workflow at the top of this tutorial. Refer to the Boundary Enterprise deployment guide to learn more about setting up Boundary Enterprise.
The following values are needed later on.
Copy the Boundary Cluster URL from your Boundary controller's URI, or login page. An admin-level password auth method ID is recommended for this tutorial.
- Boundary address: the
BOUNDARY_ADDR
variable - Boundary admin username: the
BOUNDARY_USERNAME
variable - Boundary admin password: the
BOUNDARY_PASSWORD
variable
Store these values in a safe location.
Next, Open the Boundary Admin UI.
Log in to Boundary using your admin credentials used to launch the cluster.
Navigate to the Auth Methods page using the left navigation panel. Locate the
password
auth method, and copy its ID (such as ampw_AQSr776Hnm
).
If you follow the Terraform workflow, you will use this value later on:
- Boundary auth method ID: the
BOUNDARY_AUTH_METHOD_ID
variable
Deploy a target and worker
Deploy an open-ssh container as a target for Boundary.
Note
You may also bring your own target for this tutorial. You can follow this guide to create a publicly accessible EC2 instance to use for this tutorial. If using a privately accessible target for testing, you must deploy a Boundary worker with network access to the target.
Deploy the target
Ensure Docker is running, and then deploy an openssh container to use as a target.
$ docker run -d \
--name openssh-server \
-e USER_NAME=admin \
-e PASSWORD_ACCESS=true \
-e USER_PASSWORD=password \
-p 2222:2222 \
lscr.io/linuxserver/openssh-server:latest
Note that the username for the openssh server is admin
, the password is password
, and the target is available on your localhost at port 2222
(127.0.0.1:2222
).
Export the openssh container password as an environment variable.
$ export OPENSSH_PASSWORD=password
Check that the container is running.
$ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}"
CONTAINER ID NAMES IMAGE STATUS
6e63f8178576 openssh-server lscr.io/linuxserver/openssh-server:latest Up 20 seconds
Deploy a worker
Session recording requires HCP Boundary or Boundary Enterprise. This tutorial uses Docker to deploy a Boundary worker to provide access to the openssh target container.
When using this image as a worker with HCP Boundary or Boundary Enterprise, you do not need to provide the license using an environment variable or config, but the worker must connect with a licensed controller.
Create a new file in your working directory called config.hcl
. Supply the controller DNS for the initial_upstreams
, which is the a resolvable address for the Boundary Enterprise cluster. If your cluster is listening on a port other than 9201, then change that value too.
Tip
If your cluster is configured for multi-hop sessions, add an upstream worker for initial_upstreams
instead.
config.hcl
listener "tcp" {
address = "127.0.0.1:9202"
purpose = "proxy"
}
worker {
initial_upstreams = ["<YOUR_CONTROLLER_ADDRESS>:9201"]
public_addr = "minio-worker"
auth_storage_path = "/boundary/minio-worker"
recording_storage_path = "/tmp/boundary"
tags {
type = ["minio", "openssh"]
}
}
Save the config file.
Open a new terminal and switch to the directory with the config.hcl
file, then deploy the boundary-enterprise
Docker container.
$ docker run \
--network host \
--hostname=minio-worker \
-v "$(pwd)":/boundary/ \
hashicorp/boundary-enterprise
The worker will start attempting to connect to the controller.
Scroll to the top of the output and copy the Worker Auth Registration Request value.
You can register the worker using the Admin Console Web UI or the CLI.
Authenticate to the Boundary Admin UI as the admin user.
Enter the admin username and password and click Authenticate.
Once logged in, navigate to the Workers page.
Click New.
The new workers page can be used to construct the contents of the
worker.hcl
file.
Do not fill in any of the worker fields.
Providing the following details will construct the worker config file contents for you:
- Worker Public Address
- Config file path
- Worker Tags
The instructions on this page provide details for installing the Boundary Enterprise binary and deploying the constructed config file.
Because the worker has already been deployed, only the Worker Auth Registration Request key needs to be provided on this page.
Scroll down to the bottom of the New Worker page and paste the Worker Auth Registration Request key you copied earlier.
Click Register Worker.
Click Done and notice the new worker on the Workers page.
Set up MinIO
This tutorial deploys MinIO using Docker. Alternatively, a MinIO server can be deployed locally on Linux, macOS, or Windows.
Deploy MinIO
Open a new terminal session and create a local config directory for MinIO.
$ mkdir -p ${HOME}/minio/data
Next, deploy a MinIO container using Docker. These instructions come from the MinIO container documentation.
$ docker run \
-p 9000:9000 \
-p 9001:9001 \
--name minio \
-e "MINIO_ROOT_USER=ROOTUSER" \
-e "MINIO_ROOT_PASSWORD=CHANGEME123" \
-v ${HOME}/minio/data:/data \
quay.io/minio/minio server /data --console-address ":9001"
Open a new terminal session and verify that all three containers are running.
$ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}"
CONTAINER ID NAMES IMAGE STATUS
3af7a93654d3 minio quay.io/minio/minio Up 3 minutes
49f1ec39b3d8 great_keller hashicorp/boundary-enterprise Up 11 minutes
6e63f8178576 openssh-server lscr.io/linuxserver/openssh-server:latest Up 17 minutes
Configure a MinIO storage bucket
Open the MinIO Console by visiting the following address in a web browser:
http://127.0.0.1:9001
Log in with the following credentials (credentials are case sensitive):
- Username:
ROOTUSER
- Password:
CHANGEME123
Complete the following steps to configure a storage bucket:
Create a bucket.
Under the Administrator panel in the sidebar, click on Buckets.
Click the Create Bucket button.
Give the bucket a name, such as
boundary-recordings
.Click Create Bucket.
If you're following the CLI workflow, export the bucket name as a variable in your terminal session.
$ export MINIO_BUCKET_NAME=boundary-recordings
Create an access policy.
Under the User panel in the sidebar, click on Access Keys.
Click Create access key.
In the Create Access Key page, toggle the switch for Restrict beyond user policy to On.
Paste in the following IAM policy document:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectAttributes", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::boundary-recordings/*" }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "arn:aws:s3:::boundary-recordings" } ] }
Ensure that lines 12 and 17 contain the correct name of your bucket, such as
boundary-recordings
.Enter an access key name in the Name field, such as
boundary-admin
.Click Create.
Copy the Access Key and Secret Key. You will not be able to view the Secret Key again, so you should also consider downloading the key.
If you are following the CLI workflow, export the bucket name as a variable in your terminal session.
$ export MINIO_ACCESS_KEY_ID=<your-copied-minio-access-key-id>; export MINIO_SECRET_ACCESS_KEY=<your-copied-minio-secret-access-key>
Set up Boundary
The following resources are used in Boundary to enable session recording for an SSH target:
- A credential store
- A credential library
- A Boundary storage bucket
- An SSH target type with credential injection enabled
These resources can be configured using the Admin Console UI, the CLI, or Terraform. Select a workflow below to continue setting up Boundary.
Tip
Boundary storage bucket lifecycle management is still under development. To prevent unintentional loss of session recordings, orgs that contain storage buckets with recordings cannot currently be deleted. Before continuing, please note that the org created for this tutorial cannot be deleted until the session recordings it contains are deleted.
Start by logging in to the Boundary Admin UI.
Enter the admin username and password and click Authenticate.
Next, set up a new testing org and project scope.
Note
Please use a new test org for this tutorial, because orgs that contain session recordings cannot currently be deleted.Navigate to the Orgs page and click New Org.
Fill out the new org form with a Name of
ssh-recording-org
and Description ofSSH test org
. Click Save.From within the new org, click New Project.
Fill out the new project form with a Name of
ssh-recording-project
and Description ofSecure Socket Handling recordings
. Click Save.
Create a credential store
Credential injection is required to enable session recording. You manage credentials using a Boundary credential store.
Navigate back to the
ssh-recording-org
, and select thessh-recording-project
.Select the Credential Stores page, and click New.
Enter the Name
SSH Credentials
.Select the type Static, and click Save.
Click the Credentials tab in the new credential store. Click New.
Under the New Credential page, enter the following details:
- Name:
openssh-creds
- Type:
Username & Password
- Username & Password:
admin
- Password:
password
Click Save.
- Name:
Enable session recordings
To finish setting up session recordings you need to:
- Set up a Boundary storage bucket
- Create an SSH target
The SSH target requires the injected application credentials (supplied from the static credential store), and the Boundary storage bucket it should associate recordings with.
Create a storage bucket
Within Boundary, a storage bucket resource is used to store the recorded sessions. A storage bucket represents a bucket in an external store, in this case, MinIO. You must create a Boundary storage bucket associated with an external store before enabling session recording.
Navigate to the Global scope, and then the Storage Buckets page.
Click New Storage Bucket. Fill out the following details:
- Name:
ssh-test-bucket
- Scope:
ssh-recording-org
- Provider:
MinIO
- Endpoint URL:
http://127.0.0.1:9000
- Bucket name:
boundary-recordings
Note: this must match the name of the bucket in MinIO. - Access key ID:
YOUR_MINIO_ACCESS_KEY_ID
- Secret access key:
YOUR_MINIO_SECRET_ACCESS_KEY
- Worker filter:
"minio" in "/tags/type"
The
YOUR_MINIO_ACCESS_KEY_ID
andYOUR_MINIO_SECRET_ACCESS_KEY
values were copied from the MinIO console.For the Worker Filter, a worker with access to the MinIO storage bucket is needed. For this tutorial, the minio-worker was deployed locally using Docker to access the MinIO server, which is running in a separate containter.
Select the worker tagged with
"type" = ["minio", "openssh"]
, which provides access to MinIO. The following filter will select this worker:"minio" in "/tags/type"
Lastly, check the box next to Disable credential rotation.
- Name:
Click Save.
If there are errors, double-check the Endpoint URL, Bucket name, Access keys, and Worker filter. If there are still problems, check the Access Key Policy for the MinIO bucket, and ensure the bucket name matches the Resource ARN.
Create an SSH target
To finish setting up recordings, create a target for the openssh-server
container.
Navigate to the ssh-recording-org scope, and select the
ssh-recording-project
project.Select the Targets page and click New.
Fill out the New Target form. Select a Type of SSH.
- Name:
openssh-target
- Type:
SSH
- Target Address:
127.0.0.1
- Default Port:
2222
- Maximum Connections:
-1
- Aliases:
openssh.target
Click Save.
- Name:
Click the Workers tab. Click Edit worker filter for Egress workers.
When you create a target, you can specify an egress worker filter. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.
Recall the tags associated with the
minio-worker
, which provides access to theopenssh-server
container:Tags: Configuration: type: ["minio" "openssh"] Canonical: type: ["minio" "openssh"]
The tags for this worker are:
"type" = ["minio", "openssh"]
An appropriate filter to select this worker is:
"openssh" in "/tags/type"
Paste in the following worker filter:
"openssh" in "/tags/type"
Click Save.
Next, add credential injection for the target.
Select the Injected Application Credentials tab for
openssh-target
.Click +Add Injected Application Credentials.
Check the box next to the credential named openssh-creds, then click Add Injected Application Credentials.
Enable session recording
To enable session recording for the openssh-target
:
Navigate back to the
openssh-target
Details page.Under Session Recording, click Enable recording.
On the Enable Session Recording for Target page, toggle the switch next to Record sessions for this target.
For the Storage buckets, select the
ssh-test-bucket
.Click Save.
Under the openssh-target
Details page, the ssh-test-bucket
should
now be listed under Session Recording.
Record a session
Now you are ready to test session recording for the openssh-target
.
To log into Boundary using the Desktop app, you must gather the BOUNDARY_ADDR
values from the HCP Boundary Admin Console.
Check the value of BOUNDARY_ADDR
in the terminal session where Terraform was
applied.
$ echo $BOUNDARY_ADDR
https://d2a6e010-ba05-431a-b7f2-5cbc4e1e9f06.boundary.hashicorp.cloud
Open the Boundary Desktop app.
Enter the Boundary cluster URL (for example,
https://d2a6e010-ba05-431a-b7f2-5cbc4e1e9f06.boundary.hashicorp.cloud
) and
click Submit.
Authenticate using your HCP Boundary admin credentials.
On the Targets page, notice the target details for openssh-target
.
Click Connect to initiate a session.
The Successfully Connected page displays the target ID (Target Connection details) and Proxy URL.
To start a session, click on the Shell tab, or open your terminal or SSH client of choice. You can start a session using SSH and the Proxy URL from the Boundary Desktop app.
If you use your own client, connect on 127.0.0.1
and provide the proxy port using the -p
option. Enter yes
when prompted to establish a connection.
$ ssh 127.0.0.1 -p 53361 -o NoHostAuthenticationForLocalhost=yes
~ % ssh 127.0.0.1 -p 53361 -o NoHostAuthenticationForLocalhost=yes
Welcome to OpenSSH Server
a7f717a4cee9:~
Type some simple commands you will recognize when playing back the recording, like pwd
or whoami
. When finished, you can close the connection to the server by entering exit
, or you can cancel the session directly from the Boundary Desktop app under the Sessions view.
View the recording
You can view a list of all recorded sessions, or if you know the ID of a specific recorded session, you can find any channels associated with that recording.
To play back a session, open the Admin Console Web UI, and re-authenticate as the admin user if necessary.
From the global
scope, navigate to the Session Recordings page.
The following details are listed for each recording:
- Time
- Status
- User
- Target
- Duration
Click View next to the openssh-target
recording.
Within the Session Playback page, click Play for Channel 1.
After the recording loads, click the Play button to start playback for Channel 1.
Note the Channel details on the right, which display the duration and bytes up / bytes down.
Validate the recording (optional)
A session recording represents a directory structure of files in an external object store that together are the recording of a single session between a user and a target.
To validate a session recording and download it, you can use the CLI.
First, set the BOUNDARY_ADDR
and BOUNDARY_AUTH_METHOD_ID
environment variables in your shell session. Replace the example address and auth method ID with the values for your cluster.
$ export BOUNDARY_ADDR="https://c3a7a20a-f663-40f3-a8e3-1b2f69b36254.boundary.hashicorp.cloud"
$ export BOUNDARY_AUTH_METHOD_ID="ampw_KfLAjMS2CG"
Log into the CLI as the admin user, providing the admin login name and admin password when prompted.
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
Account ID: acctpw_VOeNSFX8pQ
Auth Method ID: ampw_ZbB6UXpW3B
Expiration Time: Thu, 15 Aug 2023 12:35:32 MST
User ID: u_ogz79sV4sT
The token was successfully stored in the chosen keyring and is not displayed here.
Verify that the recording exists.
$ boundary session-recordings list -scope-id $ORG_ID
Session Recording information:
ID: sr_UzDy6yvXlL
Session ID: s_n9VGCnGbHT
Storage Bucket ID: sb_zAE4dX0RuV
Created Time: Tue, 13 Aug 2024 15:04:21 MDT
Updated Time: Tue, 13 Aug 2024 15:04:33 MDT
Start Time: Tue, 13 Aug 2024 15:04:21 MDT
End Time: Tue, 13 Aug 2024 15:04:33 MDT
Type: ssh
State: available
Retain Until: Forever
Authorized Actions:
download
delete
reapply-storage-policy
no-op
read
Read the recording's details.
$ boundary session-recordings read -id sr_UzDy6yvXlL
Session Recording information:
Bytes Down: 128
Bytes Up: 18
Created Time: Tue, 13 Aug 2024 15:04:21 MDT
Duration (Seconds): 11.741338
Endpoint: ssh://127.0.0.1:2222
ID: sr_UzDy6yvXlL
Retain Until: Forever
Scope ID: o_NQXs2ZNyKc
Session ID: s_n9VGCnGbHT
Start Time: Tue, 13 Aug 2024 15:04:21 MDT
State: available
Storage Bucket ID: sb_zAE4dX0RuV
Type: ssh
Updated Time: Tue, 13 Aug 2024 15:04:33 MDT
Scope:
ID: o_NQXs2ZNyKc
Name: ssh-recording-org
Parent Scope ID: global
Type: org
Authorized Actions:
reapply-storage-policy
no-op
read
download
delete
User Info:
Description: Global admin user
ID: u_7fORXeejz0
Name: admin_user
Scope:
ID: global
Name: global
Type: global
Target Info:
Default Port: 2222
Egress Worker Filter: "openssh" in "/tags/type"
ID: tssh_4B5TnVtlbb
Name: openssh-target
Session Connection Limit: -1
Session Max Seconds: 28800
Scope:
ID: p_0yVhHmWAT4
Name: ssh_recording_project
Parent Scope ID: o_NQXs2ZNyKc
Type: project
Credentials:
ID: credup_mOdG1kgB1q
Name: openssh credentials4
Purpose: injected_application
Type: username_password
Username: admin
Credential Store:
ID: csst_xNlFeo0sIb
Name: SSH Credentials
Scope ID: p_0yVhHmWAT4
Type: static
Connections Recordings:
Bytes Down: 128
Bytes Up: 18
Created Time: Tue, 13 Aug 2024 15:04:22 MDT
Duration (Seconds): 10.917253
End Time: Tue, 13 Aug 2024 15:04:33 MDT
ID: cr_DXEdEZJJve
Start Time: Tue, 13 Aug 2024 15:04:22 MDT
Updated Time: Tue, 13 Aug 2024 15:04:33 MDT
Channel Recordings:
Bytes Down: 128
Bytes Up: 18
Created Time: Tue, 13 Aug 2024 15:04:33 MDT
Duration (Seconds): 10.428897
End Time: Tue, 13 Aug 2024 15:04:33 MDT
ID: chr_Mgkj7JkB7e
Mime Types: application/x-asciicast
Start Time: Tue, 13 Aug 2024 15:04:22 MDT
Updated Time: Tue, 13 Aug 2024 15:04:33 MDT
Note the Channel Recordings
, labeled Mime Types: application/x-asciicast
(ID chr_Mgkj7JkB7e
in this example). Downloading this recording would produces a .cast
file, which can be played back locally using asciinema.
If you want to download this file, execute the following command:
$ boundary session-recordings download -id chr_Mgkj7JkB7e
BSR files
The Boundary Session Recording (BSR) file defines a hierarchical directory structure of files and a binary file format. It contains all the data transmitted between a user and a target during a single session.
Boundary stores the recordings within the external storage bucket as BSR files.
A BSR connections directory contains a summary of connections, as well as inbound and outbound requests. If you use a multiplexed protocol, there are subdirectories for the channels.
The asciicast format is well suited for the playback of interactive shell activity, but some aspects of the recording cannot be translated into asciicast. For example, if an SSH session uses the RemoteCommand
option, or is used to exec
a command, the command is not displayed in the asciicast. The output of the command may be displayed, though.
If you use SSH for something other than an interactive shell, such as for file transfer, X11 forwarding, or port forwarding, Boundary does not attempt to create an asciicast.
In all cases, the SSH session is still recorded in the BSR file and you can view the BSR file in the external storage bucket.
Cleanup and teardown
Stop the openssh-server, minio, and boundary-enterprise worker containers.
Open the Docker Desktop app and locate the containers used in this tutorial. These include:
- openssh-server
- minio
- hashicorp/boundary-enterprise
Click the trash icon next to each, and confirm to stop and remove them.
Alternatively, open a shell session and destroy each container individually:
$ docker rm -f openssh-server
Destroy the Boundary resources.
Note
Recall that Boundary storage bucket lifecycle management is still under development. In order to prevent unintentional loss of session recordings, orgs that contain storage buckets with recordings cannot currently be deleted. When destroying your Boundary resources, you will receive an error if you attempt to delete the storage bucket, or the scopes that contain the bucket, without deleting the recordings from the bucket first.
From the Admin Console Web UI, destroy the following resources:
- Session recordings
- Target
- Storage bucket
- Org (also deletes credential store)
- Boundary worker
Orgs cannot be deleted until the session recordings they contain are deleted.
To delete a recording, it must have a storage policy applied that allows deletion. By default, a recording has its retention policy set to
Forever
.Create a new session recording retention policy that allows for deletion.
Select the ssh-recording-org org from the top navigation bar.
Select Storage Policies from the left navigation panel. Click Create a new storage policy.
Fill in the form details:
- Name:
do-not-retain
- Description:
delete after 1 day
- Retention Policy:
Do not protect, allow deletion at any time
- Deletion Policy:
Custom
- Delete after:
1
days
Click Save.
- Name:
Add the storage policy to the org.
From the left navigation panel, select Org Settings.
Click Add Storage Policy.
From the Add Storage Policy page, select the do-not-retain policy. Click Save.
Re-apply the storage policy to the session recording.
Navigate back to the Global scope and select Session Recordings from the left navigation panel.
Open a recording by clicking on View next to the recording. Under the Manage dropdown, select Re-apply storage policy.
Delete the session recording.
Click the Manage dropdown again, then select Delete recording and confirm the operation by clicking OK.
Follow this process for any remaining recordings.
Delete the target resource, or disable session recording for it. A storage bucket cannot be deleted if a target is configured to save sessions to it.
Storage buckets cannot currently be cleaned up within the UI. Switch to the CLI tab to delete the storage bucket, and then use the UI to continue cleanup.
Continue deleting the other resources.
Unset the environment variables used in any active terminal windows for this tutorial.
$ unset BOUNDARY_ADDR; \
unset BOUNDARY_AUTH_METHOD_ID; \
unset BOUNDARY_USERNAME; \
unset BOUNDARY_PASSWORD; \
unset MINIO_ADDR; \
unset MINIO_BUCKET_NAME; \
unset MINIO_ACCESS_KEY_ID; \
unset MINIO_SECRET_ACCESS_KEY