diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ee179f1f92..d5efd1a8d1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: repository: boundary version: ${{ needs.set-product-version.outputs.product-version }} product: ${{ env.PKG_NAME }} - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: metadata.json path: ${{ steps.generate-metadata-file.outputs.filepath }} @@ -279,12 +279,12 @@ jobs: echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV" echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV" - name: Upload RPM package - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: ${{ env.RPM_PACKAGE }} path: out/${{ env.RPM_PACKAGE }} - name: Upload DEB package - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: ${{ env.DEB_PACKAGE }} path: out/${{ env.DEB_PACKAGE }} diff --git a/.github/workflows/enos-run.yml b/.github/workflows/enos-run.yml index 65aae3851a..4428ef96a7 100644 --- a/.github/workflows/enos-run.yml +++ b/.github/workflows/enos-run.yml @@ -218,7 +218,7 @@ jobs: run: | mv ${{ steps.download-docker.outputs.download-path }}/*.tar enos/support/boundary_docker_image.tar - name: Set up Node.js - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 if: contains(matrix.filter, 'e2e_ui') with: node-version: '16.x' @@ -266,7 +266,7 @@ jobs: SCENARIO=$(echo "${{ matrix.filter }}" | cut -d' ' -f1) echo fragment="${SCENARIO}" >> "$GITHUB_OUTPUT" - name: Upload e2e tests output - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: test-${{ steps.split.outputs.fragment }} path: enos/*.log @@ -279,7 +279,7 @@ jobs: docker logs database - name: Upload e2e UI tests debug info if: contains(matrix.filter, 'e2e_ui') && steps.run.outcome == 'failure' - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: test-e2e-ui-debug path: enos/support/src/boundary-ui/ui/admin/tests/e2e/artifacts/test-failures @@ -292,7 +292,7 @@ jobs: enos scenario launch --timeout 60m0s --chdir ./enos ${{ matrix.filter }} - name: Upload Debug Data if: ${{ always() && steps.run_retry.outcome == 'failure' }} - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: # The name of the artifact is the same as the matrix scenario name with the spaces replaced with underscores and colons replaced by equals. name: ${{ steps.prepare_scenario.outputs.debug_data_artifact_name }} @@ -327,7 +327,7 @@ jobs: env find ./enos -name "scenario.tf" -exec cat {} \; - name: Send Slack message if Run and Retry fails (or if something else went wrong) - uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 # steps.run.outcome reports as failure when there is an error in `Run Enos scenario` # failure() captures errors before `Run Enos scenario` # failure() does not capture errors in `Run Enos scenario` due to continue-on-error @@ -341,7 +341,7 @@ jobs: env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_TOKEN }} - name: Send Slack message if Run but Retry passes - uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 if: ${{ steps.run.outcome == 'failure' && steps.run_retry.outcome != 'failure' }} with: channel-id: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }} diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index f4ab831657..ad74a3d2cc 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -49,7 +49,7 @@ jobs: run: go test ./internal/perms -fuzz=FuzzParse -fuzztime=30s - name: Upload fuzz failure seed corpus as run artifact if: failure() - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: fuzz-corpus path: ./internal/perms/testdata/fuzz diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index eae85bd806..45fe62d03f 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -34,7 +34,7 @@ jobs: cache: false - name: Set up Python - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: 3.x @@ -79,7 +79,7 @@ jobs: repository: "$PWD" - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@5c02493ebfd65b28fd3b082c65e5af2cd745d91f # codeql-bundle-v2.18.2 + uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # codeql-bundle-v2.19.0 with: sarif_file: results.sarif diff --git a/.github/workflows/test-cli-ui_oss.yml b/.github/workflows/test-cli-ui_oss.yml index 5cf9d548b9..de52043355 100644 --- a/.github/workflows/test-cli-ui_oss.yml +++ b/.github/workflows/test-cli-ui_oss.yml @@ -36,7 +36,7 @@ jobs: path: /tmp/bats-cli-ui-deps key: enos-bats-cli-ui-deps-jq-1.6-password-store-1.7.4-vault-1.12.2 - name: Set up Node for Bats install - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 with: node-version: 16 - name: Install Bats via NPM @@ -112,7 +112,7 @@ jobs: make -C internal/tests/cli test-vault-down - name: Send Slack message if: ${{ failure() }} - uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 with: channel-id: ${{ secrets.SLACK_BOUNDARY_TEST_BOT_CHANNEL_ID }} payload: | diff --git a/internal/clientcache/cmd/cache/wrapper_register.go b/internal/clientcache/cmd/cache/wrapper_register.go index 9831a60fbf..08e898bb75 100644 --- a/internal/clientcache/cmd/cache/wrapper_register.go +++ b/internal/clientcache/cmd/cache/wrapper_register.go @@ -17,6 +17,7 @@ import ( "github.com/hashicorp/boundary/internal/clientcache/internal/daemon" "github.com/hashicorp/boundary/internal/cmd/base" "github.com/hashicorp/boundary/internal/cmd/wrapper" + "github.com/hashicorp/boundary/version" "github.com/mitchellh/cli" ) @@ -33,28 +34,50 @@ func hook(ctx context.Context, baseCmd *base.Command, token string) { if baseCmd.FlagSkipCacheDaemon { return } - if startDaemon(ctx, baseCmd) { - addTokenToCache(ctx, baseCmd, token) + started, err := startDaemon(ctx, baseCmd) + if err != nil { + // Failed to start the daemon, but we don't need to tell the user + // since the function already did + return } + if !started { + // If we didn't have to start it, check that the version of the cache + // is current or newer than the CLI. + // We don't care if the cache is newer than the CLI, since we don't + // want to kill a cache started by a newer version of the CLI. + if !cacheVersionIsCurrentOrNewer(ctx, baseCmd) { + // If the cache is older than the current version, restart it + // Ignore errors stopping the daemon since it might have been stopped since + // we last tried to start the daemon. + _ = stopDaemon(ctx, baseCmd) + _, err = startDaemon(ctx, baseCmd) + if err != nil { + return + } + } + } + + // Cache successfully started and version verified, add the token to the cache + addTokenToCache(ctx, baseCmd, token) } // startDaemon attempts to start a daemon and returns true if we have attempted to start // the daemon and either it was successful or it was already running. -func startDaemon(ctx context.Context, baseCmd *base.Command) bool { +func startDaemon(ctx context.Context, baseCmd *base.Command) (started bool, _ error) { // Ignore errors related to checking if the process is already running since // this can fall back to running the process. if dotPath, err := DefaultDotDirectory(ctx); err == nil { pidPath := filepath.Join(dotPath, pidFileName) if running, _ := pidFileInUse(ctx, pidPath); running != nil { // return true since it is already running, no need to run it again. - return true + return false, nil } } cmdName, err := os.Executable() if err != nil { baseCmd.UI.Error(fmt.Sprintf("unable to find boundary binary for cache startup: %s", err.Error())) - return false + return false, err } var stdErr bytes.Buffer @@ -64,8 +87,41 @@ func startDaemon(ctx context.Context, baseCmd *base.Command) bool { // We use Run here instead of Start because the command spawns off a subprocess and returns. // We do not want to send the request to add a persona to the cache until we know the daemon // has started up. - err = cmd.Run() - return err == nil || strings.Contains(stdErr.String(), "already running") + if err := cmd.Run(); err != nil { + baseCmd.UI.Error(fmt.Sprintf("unable to start cache: %s", err.Error())) + return false, err + } + return !strings.Contains(stdErr.String(), "already running"), nil +} + +// stopDaemon makes a best effort attempt at stopping the cache daemon, if it is running +func stopDaemon(ctx context.Context, baseCmd *base.Command) error { + dotPath, err := DefaultDotDirectory(ctx) + if err != nil { + baseCmd.UI.Error(fmt.Sprintf("cannot find daemon directory: %s", err.Error())) + return err + } + pidPath := filepath.Join(dotPath, pidFileName) + running, err := pidFileInUse(ctx, pidPath) + if err != nil { + baseCmd.UI.Error(fmt.Sprintf("PID file in use: %s", err.Error())) + return err + } + if running == nil { + return nil + } + + cmdName, err := os.Executable() + if err != nil { + baseCmd.UI.Error(fmt.Sprintf("unable to find boundary binary for cache startup: %s", err.Error())) + return err + } + cmd := exec.Command(cmdName, "cache", "stop") + if err := cmd.Run(); err != nil { + baseCmd.UI.Error(fmt.Sprintf("unable to stop cache: %s", err.Error())) + return err + } + return nil } // silentUi should not be used in situations where the UI is expected to be @@ -108,6 +164,27 @@ func addTokenToCache(ctx context.Context, baseCmd *base.Command, token string) b return err == nil && apiErr == nil } +// cacheVersionIsCurrentOrNewer requests the version of the cache from the +// daemon, then compares it to the version of the CLI. If the cache version is +// greater than or equal to the CLI, it returns true. In all other cases, including +// errors, it returns false. +func cacheVersionIsCurrentOrNewer(ctx context.Context, baseCmd *base.Command) bool { + com := StatusCommand{Command: base.NewCommand(baseCmd.UI)} + // We do not want to print errors out from our background interactions with + // the daemon so use the silentUi to toss out anything that shouldn't be used + _, result, apiErr, err := com.Status(ctx) + if err != nil || apiErr != nil { + return false + } + cacheVersion := version.FromVersionString(result.Version) + if cacheVersion == nil { + return false + } + cliVersion := version.Get() + + return cacheVersion.Semver().GreaterThanOrEqual(cliVersion.Semver()) +} + // waitForDaemon continually looks for the unix socket until it is found or the // provided context is done. It returns an error if the unix socket is not found // before the context is done. diff --git a/internal/ui/VERSION b/internal/ui/VERSION index b4c97c4abb..87cf729ddb 100644 --- a/internal/ui/VERSION +++ b/internal/ui/VERSION @@ -1,4 +1,4 @@ -0d55812f647689f8c735d5c5f6aea0a524d18557 +0ff91f9182cee072d3f4658d7ff7929cda23126f # This file determines the version of the UI to embed in the boundary binary. # Update this file by running 'make update-ui-version' from the root of this repo. # Set UI_COMMITISH when running the above target to update to a specific version. diff --git a/website/content/docs/api-clients/api/index.mdx b/website/content/docs/api-clients/api/index.mdx index 7281f4f12d..613c0d738b 100644 --- a/website/content/docs/api-clients/api/index.mdx +++ b/website/content/docs/api-clients/api/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: API -description: |- - Boundary's HTTP API standards +page_title: API overview +description: >- + Learn about Boundary's HTTP API standards, status codes, path layout, methods, and headers. Understand how rate limiting helps manage system resources. --- # API diff --git a/website/content/docs/api-clients/api/pagination.mdx b/website/content/docs/api-clients/api/pagination.mdx index 1f21fd1ff7..bfd2e80c65 100644 --- a/website/content/docs/api-clients/api/pagination.mdx +++ b/website/content/docs/api-clients/api/pagination.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: API list pagination -description: Learn how the API pagination and cache works in Boundary to prevent system resources from being overwhlemed and to help you find resources. +description: >- + Learn about API pagination and how the cache works in Boundary to prevent system resources from being overwhelmed and to help you find resources. --- # API list pagination diff --git a/website/content/docs/api-clients/api/rate-limiting.mdx b/website/content/docs/api-clients/api/rate-limiting.mdx index 16d5feedaf..fdaa13293d 100644 --- a/website/content/docs/api-clients/api/rate-limiting.mdx +++ b/website/content/docs/api-clients/api/rate-limiting.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: API rate limiting -description: Learn how API rate limiting lets you configure limits on the rates of API requests in Boundary to help manage resources and prevent them from being overwhelmed. +description: >- + Learn how API rate limiting lets you configure limits on the rates of API requests in Boundary to help manage resources and prevent them from being overwhelmed. --- # Rate limiting diff --git a/website/content/docs/api-clients/client-agent.mdx b/website/content/docs/api-clients/client-agent.mdx new file mode 100644 index 0000000000..2e75365493 --- /dev/null +++ b/website/content/docs/api-clients/client-agent.mdx @@ -0,0 +1,665 @@ +--- +layout: docs +page_title: Client Agent overview +description: >- + Learn how the Boundary Client Agent intercepts DNS requests as the primary resolver on the system, allowing Boundary to proxy connections transparently. +--- + +# Boundary Client Agent + +@include 'alerts/enterprise-only.mdx' + +@include 'alerts/beta.mdx' + +The Boundary Client Agent is Boundary's DNS daemon. +When the Boundary Client Agent runs alongside an authenticated Boundary client, the agent establishes itself as the primary resolver on the system and intercepts DNS requests. + +If you enter a hostname that matches a Boundary alias that the client is authorized to establish a session to, Boundary automatically generates the session and transparently proxies the connection on your behalf. +If the Boundary Client Agent cannot find an alias, or if there are any issues with authentication, network connectivity, or latency, the Client Agent defers DNS resolution to the previously configured DNS resolvers. + +## Security + +When you successfully authorize a session on a Boundary controller, the response includes a list of any brokered credentials, which include the decoded secrets. +When the Boundary Client Agent receives a DNS request, Boundary creates a new session. +An OS user can only connect to an authorized session managed by the Boundary Client Agent daemon if they are the same OS user that added the Boundary auth token used for authorizing the session. + + + +Currently, you cannot authenticate to multiple Boundary controllers at once. +If you authenticate to a different Boundary controller, any existing sessions are terminated and any new transparent sessions would be established with the new controller. + + + +The Boundary Client Agent stores the credentials and some other information related to the session in memory. +The in-memory store removes the session information: + +- when the session ends. +- if the auth token stored in the Boundary expires. +- if the current OS user authenticates with a different Boundary user. +- if the current OS user authenticates to a new Boundary controller. +- if the Boundary Client Agent is paused. +- if the Boundary Client Agent is terminated. + +API requests are authenticated in the same way as session proxy access. + +Credential brokering is supported for transparent sessions. +A notification appears when you establish a session against a target that is configured with credential brokering. +You can retrieve the credentials later using the following command: + +```shell-session +$ boundary client-agent sessions +``` + +### Grants + +The default grants that Boundary creates for anonymous and authenticated users are sufficient to get started with the Client Agent for the public beta. +However, in a production scenario, you may want to provide the least amount of privileges necessary for users. +For a Boundary user to be able to use the Client Agent to establish a transparent session, they must: + +- be able to authenticate using an auth method. +- have read permissions for their auth token. +- have permission to establish a session to one or more targets. + +You can use the following grant strings to grant those permissions: + +``` +type=auth-method;ids=*;actions=authorize +type=target;ids=*;actions=authorize-session +type=auth-token;ids=*;actions=read:self +``` + +HashiCorp highly recommends that you also grant users the permission to list resolvable aliases, as the Client Agent periodically fetches a list of aliases to match incoming DNS requests against. +Without that permission, every DNS request on the system is sent to the Boundary controller, which can easily overwhelm it. +You can use the following grant string to grant the permission to list resolvable aliases: + +``` +type=user;ids=*;actions=list-resolvable-aliases +``` + +## Configuration + +The default configuration included with the Boundary Client Agent upon installation will be suitable for most users. If you want to make changes to the configuration, the configuration file is located in the following directory: + + + + + `/Library/Application Support/HashiCorp/Boundary/boundary-client-agent.hcl` + + + + + `C:\Program Files\Hashicorp Boundary\boundary-client-agent.hcl` + + + + +The configuration file contains the following fields: + +- `alias_refresh_interval` - Specifies how often to refresh the alias cache. The default value is 1 minute. + + Example: + ```hcl + alias_refresh_interval=60s + ``` + +- `dns_request_timeout` - Specifies for how long the Client Agent DNS request handling, including any recursion, is allowed to run before it is canceled. + + Example: + ```hcl + dns_request_timeout=300s + ``` + +- `interface_to_use` - Specifies the interface to use instead of the default. + + Example: + ```hcl + interface_to_use=en1 + ``` + +- `log_file` - Specifies where to write the Boundary Client Agent log file to. + + Example: + ```hcl + log_file="/Library/Application\ /Support/HashiCorp/Boundary/boundary-client-agent.log" + ``` + +- `log_level` - Specifies the verbosity of the Client Agent logs. + + Example: + ```hcl + log_level="DEBUG" + ``` + +- `log_to_stdout` - Logs to STDOUT in addition to the `boundary-client-agent.log` file. + + Example: + ```hcl + log_to_stdout=false + ``` + +- `override_upstream_dns_servers` - Lists the DNS servers that should be used for recursing non-Boundary requests, overriding those configured on the system. + + Example: + ```hcl + override_upstream_dns_servers = ["8.8.8.8", "8.8.4.4"] + ``` + +- `state_file` - Specifies where to write the Boundary Client Agent state file to. This is an ephemeral file which is removed on successful shutdown. + + Example: + ```hcl + state_file="/Library/Application\ /Support/HashiCorp/Boundary/boundary-client-agent-state.json" + ``` + +- `v4_prefix` - Specifies an alternate prefix to use for generating IPs. Currently must be between /8 and /16 + + Example: + ```hcl + v4_prefix=1.1.1.1/8 + ``` + +### Change the configuration + +Complete the following steps to change the configuration of the Client Agent: + + + + +1. As a privileged user, open the Boundary Client Agent configuration file in the editor of your choice. +By default, it is located in the following directory: + + `/Library/Application Support/HashiCorp/Boundary/boundary-client-agent.hcl` + +1. Change the configuration settings, and save the file. + + + + You must restart the Client Agent to update some configuration settings. + However, when you restart the Client Agent, it closes any existing sessions. + Other configuration settings can be updated by only reloading the configuration file, which does not affect any existing sessions. + + + +1. Either reload the configuration file or restart the Client Agent. + + You can change the following configuration values by reloading the configuration file, which will not disrupt any existing sessions: + + - `dns_request_timeout` + - `log_file` + - `log_level` + - `state_file` + - `override_upstream_dns_servers` + - `v4_prefix` + + Run the following command to reload the configuration file: + + ```shell-session + $ sudo pkill -1 boundary-client-agent + ``` + + If you want to update another configuration value, you can restart the Client Agent using the following commands, however it will close any existing sessions: + + ```shell-session + $ sudo launchctl stop com.hashicorp.boundary.boundary-client-agent + $ sudo launchctl start com.hashicorp.boundary.boundary-client-agent + ``` + + + + +1. As a privileged user, open the Boundary Client Agent configuration file in the editor of your choice. +By default, it is located in the following directory: + + `C:\Program Files\Hashicorp Boundary\boundary-client-agent.hcl` + +1. Change the configuration settings, and save the file. +1. Run the following commands to restart the Client Agent. + + ```shell-session + net stop BoundaryClientAgent + net start BoundaryClientAgent + ``` + + Note that when you restart the Client Agent, it closes any existing sessions. + + + + +## Manage the Client Agent + +Refer to the following sections for more information about managing the Client Agent. +You can monitor the Client Agent's status and retrieve information about any transparent sessions. +If you want to temporarily defer DNS resolution to any previously configured DNS resolvers, you can pause the Client Agent. +You can also disable the Client Agent, if you no longer want to use it for DNS resolution. + +### Monitor status and sessions + +You can check the status of the Client Agent to ensure it is running. +Use the following command to check the Client Agent's status: + +```shell-session +$ boundary client-agent status +``` + +You can retrieve information about the sessions that the Client Agent is managing. +Use the following command to list any sessions currently being managed by the Client Agent, as well as any brokered credentials for those sessions: + +```shell-session +$ boundary client-agent sessions +``` + +Note that this command does not list sessions that are not managed by the Client Agent. Use `boundary sessions list -recursive` to see all sessions. + +### Pause the Client Agent + +You can temporarily disable the Boundary Client Agent by pausing it with the following command: + +```shell-session +$ boundary client-agent pause +``` + +When the Client Agent is paused, it does not intercept any DNS requests, and you are unable to use transparent sessions. + +To resume the Client Agent, use the following command: + +```shell-session +$ boundary client-agent resume +``` + +### Disable the Client Agent + +If you want to disable the Boundary Client Agent, you can stop it with the following commands: + + + + +```shell-session +$ sudo launchctl unload -w /Library/LaunchDaemons/com.hashicorp.boundary.boundary-client-agent.plist +``` + +Unloading the Boundary Client Agent removes its launch daemon configuration. To restart the Client Agent, use: + +```shell-session +$ sudo launchctl load -w /Library/LaunchDaemons/com.hashicorp.boundary.boundary-client-agent.plist +``` + + + + +```shell-session +net stop BoundaryClientAgent +``` + + + + +## Troubleshooting + +The following sections can help you to troubleshoot the Client Agent's behavior. You should proceed through these steps from top to bottom. + +### Check the status of the Client Agent + +If you experience unexpected behavior, you should first check on the status of the Client Agent. +You can check the status using the Boundary CLI or the Desktop Client. To check the Client Agent status through the Boundary CLI, use the following command: + +```shell-session +$ boundary client-agent status + +Status: + Address: + https://boundary.corp.com + Auth Token Expiration: 167h58m9s + Auth Token Id: at_GBqZUK2ihv + Status: running + Version: 0.0.1-e561e69839cce148ee5045684bce5b7168c65026 +``` + +In the Desktop Client, you can find the status of the Client Agent by navigating to **Settings**, and then scrolling to the **Boundary Client Agent** section. + +The status command includes various information about the Client Agent, including the runtime status. +In this example, the runtime status is "running". +If the status is "paused", the Client Agent is not currently intercepting DNS requests and must be resumed. +Users can pause the Client Agent, and it will also pause itself if it detects a large number of network failures in a short period of time. + +The status also allows you to see whether the current user is authenticated. +If the response looks like the example above, including showing an auth token ID and expiration, your current user is authenticated. +If not, you may need to first authenticate to the Client Agent using the CLI or Desktop Client. + +The status also sometimes contains a list of errors that have been encountered by the Client Agent. +The list is ordered by most recent first. +These errors can help you understand why the Client Agent may not be behaving as expected. +Please see the section below on commonly seen errors to help diagnose specific errors. +Note that this list of errors will not be cleared until the next reboot, so it may not necessarily be a sign of something being wrong. + +If the status command returns an error, the Client Agent may not be running. +You can attempt to start the Client Agent using the following commands: + + + + + ```shell-session + $ sudo launchctl start com.hashicorp.boundary.boundary-client-agent + ``` + + + + + ```shell-session + net start BoundaryClientAgent + ``` + + + +### Resume the Client Agent + +You can resume the Client Agent using either the Boundary CLI or the Desktop Client. In the CLI, run the following command to resume the Client Agent: + +```shell-session +$ boundary client-agent resume +The Client Agent has been successfully resumed. +``` + +In the Desktop Client, you can resume the Client Agent by selecting the **Resume** button in the **Boundary Client Agent** section of the settings. +Once the Client Agent has resumed, test if it has started working as expected again. + +### Inspect the log file + +If you are not able to diagnose the problem by looking at the status or resuming the Client Agent, another step can be to inspect the log file produced by the Client Agent. + + + + +The log file should be located in `/Library/Application Support/HashiCorp/Boundary/boundary-client-agent.log`. + + + + +The log file should be located in `C:\Windows\Logs\boundary-client-agent.log`. + + + + +Once you have found the log file, you can look through it to see if you can understand why the Client Agent is not working as expected. +The list below provides some common errors and explanations. + +It may be necessary to increase the logging verbosity of the Client Agent. +You can increase the verbosity by setting the `log_level` option in the configuration file to `"DEBUG"`. +See the section on changing the configuration for more information. + +### Establish the behavior of the local DNS configuration + +The Client Agent works by intercepting DNS requests before they are sent to your regular DNS server. +If the DNS requests on your system are not sent to the right place, or they are not being answered appropriately, transparent sessions will not work. + +You can use the `nslookup` command to understand where the DNS requests are being sent. +Start by sending a DNS request for `hashicorp.com`: + +```shell-session +$ nslookup hashicorp.com +;; Truncated, retrying in TCP mode. +Server: 100.88.241.86 +Address: 100.88.241.86#53 + +Non-authoritative answer: +Name: hashicorp.com +Address: 76.76.21.21 +``` + +The important part here is the `Server` field, which contains an IP in the CGNAT range (from `100.64.0.0` to `100.127.255.255`). +This is a good indication that the Client Agent DNS server is being used as expected. + +Next, you can try to make a DNS request to an alias that you expect to work. The following example makes a DNS request to an alias with a value of `mytarget.boundary.dev`: + +```shell-session +$ nslookup mytarget.boundary.dev +;; Truncated, retrying in TCP mode. +Server: fc00:a20a::d7bf:c059 +Address: fc00:a20a::d7bf:c059#53 + +Name: mytarget.boundary.dev +Address: 100.84.164.9 +``` + +You can tell two things from this: +1. The Client Agent is likely able to intercept the DNS request, because the server is a local IPv6 address in the [ULA](https://en.wikipedia.org/wiki/Unique_local_address) range. + Both an IPv4 CGNAT range or IPv6 ULA range IP address are indications of this. +2. The Client Agent is able to identify `mytarget.boundary.dev` as an alias with a target that the requesting user is authorized to connect to, because it responded with a valid DNS response pointing to a local IPv4 address in the CGNAT range. + Similarly to above, the IP address in the response may also be an IPv6 address in the ULA range. + +If you do not see this kind of response, it may be that the alias you are trying to connect to doesn't exist, or your user is not authorized to connect to it. +Double check that you are using the correct alias and that your user is authorized to connect to it. + +### Flush OS DNS cache + +If you still do not see the expected behavior, it can be useful to flush the operating system's DNS cache. +The exact steps depend on the operating system you use: + + + + +```shell-session +$ sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder +``` + + + + +```shell-session +ipconfig /flushdns +``` + + + + +After you flush the DNS cache, try connecting to the alias again, or repeat the steps above. + +If you are still not able to understand what is wrong, submit a support ticket. Include the `boundary client-agent status` output and the log file in the ticket. + +### Commonly seen errors + +Refer to the following commonly seen errors for more information about their possible causes and resolutions. + +#### nodename nor servname provided, or not known / No such host is known + +This is a generic error for a failed DNS resolution. +It can mean a number of different things: +- The alias doesn't exist or is misspelled. +- Your user isn't authenticated or doesn't have permission to connect to the target. +- The Client Agent is not able to intercept DNS requests, it could shut down or paused. +- The OS DNS cache is interfering with the operation of the Client Agent. +- The Client Agent may not yet know about the alias. + It takes around 2 minutes for the Client Agent to learn about new aliases. + +Follow the troubleshooting steps above to resolve the issue. + +#### failed to listen for DNS on either IPv4 or IPv6 + +This error happens when some other application on the local machine occupies the ports used by the Boundary Client Agent. +The Client Agent requires access to port 53 for IPv4 and IPv6, both UDP and TCP. +Diagnosing what causes the error differs per operating system: + + + + +As a privileged user, you can use the `lsof` program to find what applications are occupying a port, for example: + +```shell-session +$ sudo lsof -nP | grep ":53" +``` + +If anything is occupying port 53, you may need to terminate the application before the Client Agent is able to start. + +Applications that make use of the Apple Virtualization Framework are known to sometimes occupy this port under +the name `_mdnsresponder`. If you have any virtualization software, you may need to turn it off before using +the Client Agent. + + + + +As a privileged user, you can open the **Resource Monitor** and inspect the **Network** > **Listening Ports** section to find any applications that use port 53. + + + + +Once you have identified which other software is using the port, you can stop it and try to start the Client Agent again. + +#### failed to refresh alias cache: error="fetching resolvable aliases: error performing client request during List call" + +This usually implies that there is a problem reaching the internet or the Boundary controller. +The error is related to the periodic updating of aliases used by the Client Agent to know whether a DNS request matches an alias or not. + +HashiCorp recommends that you pause the Client Agent and examine the status and logs for further errors: + +```shell-session +$ boundary client-agent pause +``` + +Follow the troubleshooting steps to understand why the Client Agent is not able to reach the controller. + +#### WARNING! Remote host indentification has changed! It is possible that someone is doing something nasty! + +This error arises when you use an alias to connect to an SSH target after the first successful connection using that alias. The issue occurs because Boundary workers generate a new host key on every new SSH connection. You can safely ignore the warning using the `StrictHostKeyChecking=no` command line option: + +```shell-session +$ ssh -o StrictHostKeyChecking=no targetalias.boundary.dev +``` + +You can also remove the existing server host key from the `~/.ssh/known_hosts` file to avoid the error. + +## Conflicting software + +Some software is known to cause conflicts with the Boundary Client Agent. +The following sections are an incomplete list of potential conflicts and any available workarounds for issues. + +### Docker Desktop (MacOS) + +Docker Desktop sometimes creates a local DNS listener that prevents the Client Agent from running. +If you run Docker Desktop 4.26 or later, you must clear the `Use kernel networking for UDP` option. +Otherwise, the Client Agent refuses to start. + +### Palo Alto Networking Global Protect VPN + +If you are unable to establish a transparent session while using the Palo Alto Networking Global Protect VPN, you may need to explicitly specify a network interface and the upstream DNS server(s) to use. + +By default, the Client Agent reads the primary network interface's DNS server configuration and uses that information to resolve domains that are not configured as aliases in Boundary. +If the VPN configuration includes custom DNS servers, this information may not be available to the Client Agent, so you must explicitly specify the DNS server(s) to use. + +To configure the DNS server(s) to use, use the `override_upstream_dns_servers` configuration option: + +```hcl +# The DNS servers must be specified as an IP, or an IP:Port. +# If no port is provided, port 53 is assumed. +# The order of the entries specifies the priority. +# We recommended providing both the VPN DNS servers +# and the default DNS servers, so that DNS requests can +# be resolved even when the VPN is not active. +override_upstream_dns_servers = [ + "10.0.0.1", # Example primary VPN DNS server + "10.0.0.2", # Example secondary VPN DNS server + "8.8.8.8", # Fallback default DNS server + "8.8.4.4:53", # Fallback default DNS server with a custom port +] +``` + + + +The `override_upstream_dns_servers` is used for all non-Boundary DNS requests. +If you only provide the VPN DNS servers, the Client Agent will not be able to resolve any DNS requests when the VPN is not active. + + + +#### Primary network interfaces + +By default, the Client Agent creates IPs on the primary network interface to serve its DNS server. +Refer to the tabs below for possible conflicts for each supported operating system. + + + + +When you run the Client Agent alongside the PAN-GP VPN, the primary network interface will likely be set to a `tun` type interface, which the Client Agent cannot use for its IP addresses. +You may see errors such as the following in the `boundary-client-agent.log` file or the `boundary client-agent status` command response: + +``` +[ERROR] macos.addIP: error adding ipv4 address: ifconfig: ioctl (SIOCAIFADDR): Destination address required +``` + +To work around the default `tun` interface, you must provide an explicit network interface using the `interface_to_use` configuration option. For example: + +```hcl +interface_to_use=en0 +``` + +The `interface_to_use` option allows the Client Agent to create the IPs it needs to serve the DNS server and proxy traffic. +You must restart the Client Agent for it to update its configuration with the new setting. + + + + +On Windows, the Client Agent may be able to create the IPs that it needs on the primary network interface, but it fails to establish any transparent sessions. You may see the following message: + +``` +[INFO] default route change detected, restarting +``` + +You must explicitly specify a network interface to use other than the primary one. You can list available network interfaces using the Powershell command `Get-NetAdapter`, or the older `route print` command. You must find the index of the interface you would normally use to connect to the internet. In this example, the interface index is `11`: + +``` +PS C:\> Get-NetAdapter +Name InterfaceDescription ifIndex Status MacAddress LinkSpeed +---- -------------------- ------- ------ ---------- --------- +Ethernet Parallels VirtIO Ethernet Adapter 11 Up 00-1C-42-B3-F2-75 10 Gbps +Ethernet 2 PANGP Virtual Ethernet Adapter Secure 24 Up 02-50-41-00-00-01 2 Gbps +``` + +Alternatively, if you use `route print`, refer to the following example: + +``` +PS C:\> route print +=========================================================================== +Interface List + 24...02 50 41 00 00 01 ......PANGP Virtual Ethernet Adapter Secure + 11...00 1c 42 b3 f2 75 ......Parallels VirtIO Ethernet Adapter + 1...........................Software Loopback Interface 1 +=========================================================================== +```` + +Your configuration should look like this: + +```hcl +interface_to_use=11 +``` + +You must restart the Client Agent for it to update its configuration with the new setting. + + + + +### Cloudflare WARP client + +The Cloudflare WARP client uses a local DNS server to direct traffic. +It has built-in checks to prevent it from being run alongside other software that uses the same mechanism. +This includes the Boundary Client Agent. +If you try to use the Client Agent with the Cloudflare WARP client, it may work, or you may see an error like this one: + +``` +Status: Unable to Connect +Error reason: DNS Proxy Failure +Error code: CF_DNS_PROXY_FAILURE +Error description: The WARP Agent must be the only process responsible for DNS resolution on the device. One or more processes are already bound to port 53: boundary-client-agent. +Learn more: https://cfl.re/CF_DNS_PROXY_FAILURE +``` + +You can still install both the Cloudflare WARP client and the Boundary Client Agent on the same machine. +As long as you don't run both at the same time, they should work as expected. + +## Uninstall the Client Agent on Mac + +If you used the Mac installer, you can run `/Library/Application Support/HashiCorp/Boundary Uninstaller.app` to uninstall Boundary. +The uninstaller removes any installed components, including the Desktop client, CLI, and the Boundary Client Agent. + +## More information + +Refer to the following topics for more information: + +- [Aliases](/boundary/docs/concepts/aliases) +- [Transparent sessions](/boundary/docs/concepts/transparent-sessions) diff --git a/website/content/docs/api-clients/client-cache.mdx b/website/content/docs/api-clients/client-cache.mdx index fcbe7b4911..ce8daae1ed 100644 --- a/website/content/docs/api-clients/client-cache.mdx +++ b/website/content/docs/api-clients/client-cache.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Client cache -description: |- - Learn how the client cache enables Boundary to quickly retrieve local information about session and target resources. +page_title: Client cache overview +description: >- + Learn how the client cache enables Boundary to quickly retrieve local information about session and target resources. Manage startup and other cache functions. --- # Client cache diff --git a/website/content/docs/api-clients/desktop.mdx b/website/content/docs/api-clients/desktop.mdx index e87acccbcc..ba74487f21 100644 --- a/website/content/docs/api-clients/desktop.mdx +++ b/website/content/docs/api-clients/desktop.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Boundary Desktop -description: |- - Get up and running with Boundary Desktop +page_title: Boundary Desktop overview +description: >- + Learn how to install the Boundary Desktop application to browse and connect to targets. --- # Boundary Desktop diff --git a/website/content/docs/api-clients/go-sdk.mdx b/website/content/docs/api-clients/go-sdk.mdx index d71f39cb47..b1d6232ee9 100644 --- a/website/content/docs/api-clients/go-sdk.mdx +++ b/website/content/docs/api-clients/go-sdk.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Go SDK -description: |- - Boundary's Go SDK +page_title: Go SDK overview +description: >- + Learn about Boundary's Go SDK. Use the Go SDK to authenticate to Boundary with an auth method or a recovery KMS workflow. --- # Go SDK diff --git a/website/content/docs/api-clients/index.mdx b/website/content/docs/api-clients/index.mdx index b5e9dd6361..a78d5c5b38 100644 --- a/website/content/docs/api-clients/index.mdx +++ b/website/content/docs/api-clients/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: API/Clients -description: |- - An introduction to Boundary's API and clients. +description: >- + Discover resources to learn more about Boundary's API and clients. --- # API and clients diff --git a/website/content/docs/common-workflows/manage-roles.mdx b/website/content/docs/common-workflows/manage-roles.mdx index 0c0781928c..f45f162be9 100644 --- a/website/content/docs/common-workflows/manage-roles.mdx +++ b/website/content/docs/common-workflows/manage-roles.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Manage roles and permissions -description: How to manage roles, permissions, and grants. +description: >- + Use roles to manage permissions assigned to users and groups. Create roles and assign principals and grants to them. Add grant scopes and configure inheritance. --- # Manage roles and permissions diff --git a/website/content/docs/concepts/aliases.mdx b/website/content/docs/concepts/aliases.mdx index 71a294f215..5df5666c93 100644 --- a/website/content/docs/concepts/aliases.mdx +++ b/website/content/docs/concepts/aliases.mdx @@ -1,263 +1,64 @@ --- layout: docs page_title: Aliases -description: |- - Aliases let you associate a string with a Boundary resource. Learn how to use an alias instead of a target ID when you connect. +description: >- + Aliases let you associate a string with a resource. Learn how to use an alias instead of an ID when you connect to a target. --- # Aliases -An alias is a globally unique, DNS-like string that is associated with a destination resource. -You can establish a session to a target by referencing its alias, instead of having to provide a target ID or target name and scope ID. +An alias is a globally unique, DNS-like string that is associated with a destination resource. You can establish a session to a target by referencing its alias, instead of having to provide a target ID or target name and scope ID. + For example, if you have an alias `boundary.dev`, you can use it to connect to a target with the following command: `boundary connect ssh boundary.dev`. ## Background -When you create a resource in Boundary, it assigns the resource a randomly generated identifier. -You must use those IDs to perform actions in Boundary. +When you create a resource in Boundary, it assigns the resource a randomly generated identifier. You must use those IDs to perform actions in Boundary. When you connect to a target using the terminal, you must reference the target ID or target name and scope name. -When you connect to a target using the terminal, you must reference the target ID or target name and scope name. As an example, to SSH to a target, you can execute the command `boundary connect ssh -target-id ttcp_123456789`. + Since it can be difficult to remember the unique IDs, users frequently have to look up the identifiers for any resources they want to operate on. -Aliases simplify this process. -When you create an alias and associate it with a target, you can later use the alias `value` instead of the target ID in commands. -Boundary automatically resolves to the target that the alias references. +Aliases simplify this process. When you create an alias and associate it with a target, you can later use the alias `value` instead of the target ID in commands. Boundary automatically resolves to the target that the alias references. ## Permissions -The existence of an alias for a Boundary resource does not change how permissions function. -Anyone can attempt to use an alias to access a target, but if you do not have permission to access the target, the attempt fails. -You can create an alias for a target, even if you do not have permission to access the target. +The existence of an alias for a Boundary resource does not change how permissions function. Anyone can attempt to use an alias to access a target, but if you do not have permission to access the target, the attempt fails. You can create an alias for a target, even if you do not have permission to access the target. -Separating the permissions from aliases and destination resources means a different set of people can manage the aliases than the people who have permission to operate on targets. -For example, you may have a project with a sensitive set of targets. -You can configure Boundary to allow a select few users to manage those targets, while a different group of users manage the aliases. +Separating the permissions from aliases and destination resources means a different set of people can manage the aliases than the people who have permission to operate on targets. For example, you may have a project with a sensitive set of targets. You can configure Boundary to allow a select few users to manage those targets, while a different group of users manage the aliases. ## Naming conventions An alias is a globally unique, DNS-like string that is associated with a destination resource. The alias `value` parameter does not have to be delimited by a suffix, and can be just a hostname. -Examples of valid aliases include `webserver` and `webserver.boundary`. - -## Scopes - -You can only create aliases in the `global` scope. -However, you can associate aliases with targets or hosts from any scope. -Support for additional resource types may be added in the future. +Examples of valid aliases include `database.boundary` and `webserver.boundary`. -If you delete a project, Boundary clears the `destination_id` parameter for any aliases that resolve to targets in that project, so that they no longer function. +### Single word aliases and transparent sessions -## Connect to a target using an alias +HashiCorp recommends that you do not use single-word aliases such as `webserver` as opposed to `webserver.boundary`, because single-word aliases do not work intuitively on Windows. -Whenever you could use the `-id` flag or `-target` flag in the CLI, you can substitute an alias. +Windows DNS resolution does not support resolving unqualified single word DNS hostnames. You can make the hostname fully qualified, but is not intuitive to most users. -For example, you can use the following command to connect to an SSH target with the ID `ttcp_1234567890`: +For example the following hostname works: -```shell-session -$ boundary connect ssh -target -id ttcp_1234567890 ``` - -If you configured an alias named `example.alias.boundary` for the target, you could alternatively use the following command to connect to the target: - -```shell-session -$ boundary connect ssh example.alias.boundary +ssh mytarget. ``` -## Create aliases - -There are multiple ways that you can create aliases and associate them with targets in Boundary. - -You can: - -- [Create an alias for an existing target](#create-an-alias-for-an-existing-target) -- [Create an alias during target creation](#create-an-alias-during-target-creation) -- [Associate an existing alias with a target](#associate-an-existing-alias-with-a-target) - -### Create an alias for an existing target - -You can create a new alias and associate it with an existing target at the same time. -Complete the following steps to create a new alias and associate it with a target: - - - - -1. Log in to Boundary. -1. Select **Aliases** in the navigation pane. -1. Click **New Alias**. -1. Complete the following fields: - - **Name**: (Optional) Enter an optional name for the alias to use for identification purposes. - - **Description**: (Optional) Enter an optional description for the alias to use for identification purposes. - - **Type**: Select **Target**. - At this time, targets are the only Boundary resources that supports aliasing. - - **Alias Value**: Enter the string that you want to use as the alias to represent the target. - An alias's value can be a hostname or a DNS-like string. - - **Target ID**: (Optional) Specify any targets you want to associate with the alias. - - **Host ID**: (Optional) Enter an optional host ID, if you would like to specify that the alias always uses the same host when you use it to connect to a target. -1. Click **Save**. - - - - -1. Log in to Boundary. -1. Use the following command to create an alias: - - ```shell-session - $ boundary aliases create target \ - -description 'This is an example alias for target tcp_1234567890' \ - -destination-id tcp_1234567890 \ - -name Example Boundary alias \ - -scope-id global \ - -value example.alias.boundary \ - -authorize-session-host-id hst_1234567890 - ``` - - You can use any of the following [attributes](/boundary/docs/concepts/domain-model/aliases) when you create an alias: - - - `-description=` - Specifies the optional description you want to use for identification purposes. - - `-destination-id=` - Specifies the ID of the target that the alias references. - - `-name=` - Specifies the optional name you want to use to describe the alias for identification purposes. - - `-scope-id=` - Scope in which to create the alias. The default is `global`. - You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable. - At this time, aliases are only supported for the global scope. - - `-value=` - Specifies the string that you want to use as the alias to represent the target. - The alias `value` can be a hostname or a DNS-like string. - - `-authorize-session-host-id=` - Optionally indicates the host ID to use when you use the alias to authorize a session. +But this hostname does not work: - - - -### Create an alias during target creation - -You can create a new target and new alias at the same time and associate the two. - -Complete the following steps to create a new target and new alias at the same time: - - - - -1. Log in to Boundary. -1. Select **Targets** in the navigation pane. -1. Click **New Target**. -1. Complete the following fields: - - **Name**: Enter the target name for identification purposes. - - **Description**: (Optional) Enter an optional description for identification purposes. - - **Type**: Select the target type. - You can create SSH or TCP targets. - - **Target Address**: (Optional) Enter a valid IP address or DNS name. - Alternatively, you can configure host catalogs and host sets. - - **Default Port**: (Optional) Enter an optional default port for the target to use for connections. - - **Default Client Port**: (Optional) Enter an optional local proxy port on which to listen when a session is started on a client. - - **Maximum Duration**: (Optional) Enter an optional maximum duration for sessions on this target, in seconds. - - **Maximum Connection**: (Optional) Enter the maximum number of connections allowed per session on this target. - For unlimited connections, enter `-1`. - - **Workers**: (Optional) Select whether you want the worker to function as an ingress and/or egress worker. - - **Aliases**: (Optional) Enter the value fpr any aliases you want to associate with this target, and then click **Add**. - An alias's value can be a hostname or a DNS-like string. - You can associate multiple aliases with a target. -1. Click **Save**. - - - - -1. Log in to Boundary. -1. Use the following command to create a target: - - ```shell-session - $ boundary targets create ssh \ - -description 'This is an example ssh target' \ - -name Example Boundary SSH target \ - -scope-id global \ - -with-alias-authorize-session-host-id hst_1234567890 \ - -with-alias-scope-id global \ - -with-alias-value example.alias.boundary - ``` - - You can use any of the following [attributes](/boundary/docs/concepts/domain-model/targets) when you create a target: - - - `description` - (optional) - An optional description that you can use for identification purposes. - - `name` - (required) - The `name` must be unique within the target's project. - - `scope-id` - (required) - The scope in which to create the target. - The default is `global`. - You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable. - - `-address=` - An optional valid network address for the target to connect to. - You cannot use an address alongside host sources. - - `-default-client-port=` - The default client port on the target. - - `-default-port=` - The default port on the target. - If you do not specify a default port, Boundary uses port 22. - - `-egress-worker-filter=` - A Boolean expression that filters which egress workers can process sessions for the target. - - `-enable-session-recording=` - A Boolean expression you can use to enable session recording for the target. - - `-ingress-worker-filter=` - A Boolean expression that filters which ingress workers can process sessions for the target. - - `-session-connection-limit=` - The maximum number of connections allowed for a session. -A value of `-1` means the connections are unlimited. - - `-session-max-seconds=` - The maximum lifetime of the session, including all connections. - You can specify an integer number of seconds or a duration string. - - `-storage-bucket-id=` - The public ID of the storage bucket to associate with the target. - - `-with-alias-authorize-session-host-id=` - The host ID that an alias uses to authorize sessions for the target. - - `-with-aliasscope-id=` - The scope ID that you want to create the target and alias in. - The default is `global`. - At this time, aliases are only supported for the global scope. - - `-with-alias-value=` - The value of the alias that you want to use to represent the target. - Use this parameter to create the alias and target, and associate them with each other, at the same time. - - Note that you can create SSH or TCP [target types](/boundary/docs/concepts/domain-model/targets#target-types). - The example command in this section creates an SSH target. - - - - -### Associate an existing alias with a target - -If you already created an alias, you can update it with an existing target. -Complete the following steps to add an alias to a target: - - - - -1. Log in to Boundary. -1. Select **Targets** in the navigation pane. -1. Select the target you want to add an alias to. -1. Under the **Aliases** heading in the right sidebar, click **Add an alias**. -1. Complete the following fields: - - **Name**: (Optional) Enter an optional name for the alias to use for identification purposes. - - **Description**: (Optional) Enter an optional description for the alias to use for identification purposes. - - **Type**: Select **Target**. - At this time, targets are the only Boundary resources that supports aliasing. - - **Alias Value**: Enter the alias value you want to use in commands to represent the target. - An alias's value can be a hostname or a DNS-like string. - - **Target ID**: This field contains the ID of the target you selected to add an alias to. - It is read only. - - **Host ID**: (Optional) Enter an optional host ID, if you would like to specify that the alias always uses the same host when you use it to connect to a target. -1. Click **Save**. +``` +ssh mytarget +``` - - +For this reason, if you expect any Windows users to use an alias, it should contain a dot (`.`) anywhere in the value. -1. Log in to Boundary. -1. Use the following command to create an alias: +Refer to the [transparent sessions](/boundary/docs/concepts/transparent-sessions) documentation for more information. - ```shell-session - $ boundary aliases update target \ - -destination-id tcp_1234567890 \ - -id alt_1234567890 \ - -authorize-session-host-id hst_1234567890 - ``` +## Scopes - You can use any of the following [attributes](/boundary/docs/concepts/domain-model/aliases) when you update an alias: +You can only create aliases in the `global` scope. However, you can associate aliases with targets or hosts from any scope. Support for additional resource types may be added in the future. - - `-description=` - Specifies the optional description you want to use for identification purposes. - - `-destination-id=` - Specifies the ID of the target that the alias references. - - `id=` - Specifies the ID of the alias you want to update. - - `-name=` - Specifies the optional name you want to use to describe the alias for identification purposes. - - `-scope-id=` - Scope in which to create the alias. The default is `global`. - You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable. - At this time, aliases are only supported for the global scope. - - `-value=` - Specifies the string that you want to use as the alias to represent the target. - The alias `value` must comply with DNS naming rules. - - `-authorize-session-host-id=` - Optionally indicates the host ID to use when you use the alias to authorize a session. +If you delete a project, Boundary clears the `destination_id` parameter for any aliases that resolve to targets in that project, so that they no longer function. - - \ No newline at end of file +Refer to the [Configure aliases and transparent sessions](/boundary/docs/configuration/target-aliases) pages to learn more. diff --git a/website/content/docs/concepts/auditing.mdx b/website/content/docs/concepts/auditing.mdx index 6f72970528..a31912e7fc 100644 --- a/website/content/docs/concepts/auditing.mdx +++ b/website/content/docs/concepts/auditing.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Auditing -description: |- - An overview of using Boundary to audit for compliance and threat management +description: >- + Learn how Boundary can help improve compliance and threat management by using session recording to audit user access and actions. Understand the BSR format. --- # Auditing diff --git a/website/content/docs/concepts/connection-workflows/connect-helpers.mdx b/website/content/docs/concepts/connection-workflows/connect-helpers.mdx index a1611f0b05..5b5dfb16b7 100644 --- a/website/content/docs/concepts/connection-workflows/connect-helpers.mdx +++ b/website/content/docs/concepts/connection-workflows/connect-helpers.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Connect helpers -description: Learn how connect helpers enable Boundary to automatically accept host key prompts to facilitate connections for HTTP, Kubernetes, PostgreSQL, RDP, and SSH. +description: >- + Learn how to use connect helpers to automatically accept host key prompts and facilitate connections for HTTP, Kubernetes, PostgreSQL, RDP, and SSH. --- # Connect helpers diff --git a/website/content/docs/concepts/connection-workflows/exec-flag.mdx b/website/content/docs/concepts/connection-workflows/exec-flag.mdx index 4593a1b1c0..1d79e1cd07 100644 --- a/website/content/docs/concepts/connection-workflows/exec-flag.mdx +++ b/website/content/docs/concepts/connection-workflows/exec-flag.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: -exec flag -description: |- - Learn how the `-exec` flag enables you to execute Boundary TCP sessions using your preferred client, even when there is no built-in support for it. +description: >- + Learn how to use the `-exec` flag to execute TCP sessions or pass flags using your preferred client. --- # Exec flag diff --git a/website/content/docs/concepts/connection-workflows/index.mdx b/website/content/docs/concepts/connection-workflows/index.mdx index cef6aa4e68..fae371eef5 100644 --- a/website/content/docs/concepts/connection-workflows/index.mdx +++ b/website/content/docs/concepts/connection-workflows/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Connection workflows -description: |- - Workflows that you can use to connect to targets. Learn how connect helpers, the `-exec` flag, and SSH ProxyCommand can help facilitate connections to targets. +description: >- + Learn how transparent sessions, connect helpers, the `-exec` flag, SSH ProxyCommand, and multi-hop sessions can help facilitate connections to targets. --- # Connection workflows @@ -17,6 +17,18 @@ Refer to the [`boundary connect`](/boundary/docs/commands/connect) documentation To practice using the `boundary connect` command in a development environment, refer to the **Connect to your first target** tutorial for either [HCP Boundary](/boundary/tutorials/hcp-getting-started/hcp-getting-started-connect) or the [self-managed versions](/boundary/tutorials/oss-getting-started/oss-getting-started-connect) of Boundary. +## Transparent sessions + +@include 'alerts/enterprise-only.mdx' + +@include 'alerts/beta.mdx' + +Transparent sessions shift Boundary from an active connection model to a passive connection model. +Instead of interacting with the Boundary CLI or Desktop client and having to remember specific IDs or ephemeral ports to connect to targets, Boundary operates in the background. +If a user is authenticated and authorized, Boundary intercepts DNS calls and routes traffic through a session automatically. + +Refer to the [transparent sessions](/boundary/docs/concepts/transparent-sessions) documentation for more information. + ## Connect helpers Boundary features connect helpers that assist with making connections to targets using certain protocols. @@ -52,7 +64,7 @@ Refer to the [SSH ProxyCommand](/boundary/docs/concepts/connection-workflows/wor ## Multi-hop sessions -This feature requires HCP Boundary or Boundary Enterprise +@include 'alerts/enterprise-only.mdx' Most organizations want to provide access to infrastructure without exposing private networks. Many organizations also have complex network topologies requiring inbound traffic to route through multiple network enclaves to reach the target system. diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index cfb3d6863b..84d6889e1e 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx +++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Multi-hop sessions -description: |- - Learn how multi-hop sessions enable you to chain together two or more Boundary workers across multiple networks. +description: >- + Learn how multi-hop sessions let you chain together two or more workers across multiple networks to reach a target without exposing private networks. --- # Multi-hop sessions @@ -14,6 +14,16 @@ inbound traffic to route through multiple network enclaves to reach the target s Multi-hop sessions allow you to chain together two or more workers across multiple networks to form reverse proxy connections between the user and the target, even in complex networks with strict outbound-only policies. +## Inbound network rules + +With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. After Boundary establishes the initial connection between the workers, it uses the established connection for any subsequent connections. +These persistent TCP connections result in the requirement for only outbound connectivity. + +If you have one or more firewalls sitting between the ingress and egress workers, you do not need to create additional inbound networking rules to facilitate a Boundary multi-hop deployment. This not only helps to +simplify your infrastructure configuration, but also ensures that your security posture is not weakened or compromised. + +## Multi-hop worker types + In multi-hop scenarios, there are typically three types of workers: 1. **Ingress worker** - An ingress worker is a worker that is accessible by the client. The client initiates the connection to the ingress worker. 1. **Intermediary worker** - An optional intermediary worker sits between ingress and egress workers as part of a multi-hop chain. There can be multiple intermediary workers as part of a multi-hop chain. @@ -59,6 +69,63 @@ traffic to a target. Ingress worker filters determine which workers you connect with to initiate a session, and egress worker filters determine which workers are used to access targets. +## Use HCP-managed workers as ingress workers + +Many organizations have strict network policies that prohibit all inbound traffic into their networks. In these scenarios, you can use HCP-managed workers as the ingress workers. To establish a connection into the network, a self-managed worker configured as an egress worker initiates an outbound connection to the HCP-managed worker, creating a persistent connection. As a result, when end users connect to a target, the end user's connection would hop from the Boundary client to the HCP-managed worker (ingress worker) to the self-managed worker (egress worker) to the target (or other intermediary workers if needed). + +### Configure HCP-managed workers for ingress + +To configure end user traffic to ingress through HCP-managed workers, you must configure the self-managed worker (enterprise version). On your self-managed worker that you use for egress to the HCP-managed worker, set the configuration file with the following parameters: +- `hcp_boundary_cluster_id` - The HCP Boundary cluster ID, which can be found in the HCP Boundary cluster's URL. +- Omit the `public_addr` parameter. A public address is not needed since the self-managed worker initiates the connection to HCP-managed workers. +- Omit the `initial_upstreams` parameter. This is not needed because the `hcp_boundary_cluster_id` parameter is sufficent to indicate the HCP-managed workers as the upstream. +- Include a [worker tag](/boundary/docs/concepts/filtering/worker-tags#target-worker-filtering) in the `worker` stanza which will be used to select multi-hop routes for each target. + +### Example self-managed worker configuration: +``` +hcp_boundary_cluster_id = "7acdefe2c-1234-4ff1-b710-123456789876" + +listener "tcp" { + address = "0.0.0.0:9202" + purpose = "proxy" +} + +worker { + auth_storage_path = "/home/ubuntu/boundary/worker1" + tags { + tag = ["multihop"] + } + recording_storage_path = "/tmp/worker1" +} +``` +### Allow-list outbound network traffic to HCP-managed workers + +Some organizations require explicit destination addresses set in their network firewall rules for any outbound traffic. In this scenario, you should use the fully qualified domain name (FQDN) of the HCP-managed workers: + +``` +.proxy.boundary.hashicorp.cloud +``` + +where the `cluster_uuid` is the HCP Boundary cluster ID. You can find your HCP Boundary cluster ID in the HCP Boundary cluster's URL. + + + + The Boundary cluster ID is derived from the Boundary address. For example, if + your cluster URL is: + + `https://abcd1234-e567-f890-1ab2-cde345f6g789.boundary.hashicorp.cloud` + + Then your cluster id is `abcd1234-e567-f890-1ab2-cde345f6g789`. + + + +### Route end user traffic to targets through HCP-managed workers + +To route traffic through the HCP-managed workers, you should set the egress filters of each target to match the tag set in the self-managed worker's configuration file. You do not need to set additional ingress filters on the targets. + +![Multi-hop egress worker filter](/img/ui/multi-hop-egress-filter_light.png#light-theme-only) +![Multi-hop egress worker filter](/img/ui/multi-hop-egress-filter_dark.png#dark-theme-only) + ## Multi-hop worker requirements When you configure multi-hop sessions, there is an "ingress" worker, an "egress" @@ -68,9 +135,9 @@ intermediary workers have the following requirements. ### Ingress worker requirements To proxy target connections, ingress workers require outbound access to the -Boundary control plane and inbound access from clients. +Boundary control plane and inbound access from clients. -HCP Boundary clusters automatically deploy HCP-managed workers which can be used as ingress workers. Using HCP-managed workers as ingress workers is helpful when organizations have strict networks security policies that prohibit any inbound access. In this scenario, intermediary or egress workers within the private network can establish a reverse proxy connection to the HCP-managed ingress worker. +HCP Boundary clusters automatically deploy HCP-managed workers which can be used as ingress workers. Using HCP-managed workers as ingress workers is helpful when organizations have strict networks security policies that prohibit any inbound access. In this scenario, intermediary or egress workers within the private network can establish a reverse proxy connection to the HCP-managed ingress worker. ### Intermediary worker requirements diff --git a/website/content/docs/concepts/connection-workflows/workflow-ssh-proxycommand.mdx b/website/content/docs/concepts/connection-workflows/workflow-ssh-proxycommand.mdx index 0823c47263..75378a02d6 100644 --- a/website/content/docs/concepts/connection-workflows/workflow-ssh-proxycommand.mdx +++ b/website/content/docs/concepts/connection-workflows/workflow-ssh-proxycommand.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: SSH ProxyCommand -description: Learn how SSH ProxyCommand enables you to proxy an SSH connection in Boundary using a configuration file. Configure connections using the target's ID or domain. +description: >- + Learn how to use SSH ProxyCommand to proxy an SSH connection using a configuration file. Configure hosts using the target's ID or domain. --- # SSH ProxyCommand diff --git a/website/content/docs/concepts/credential-management.mdx b/website/content/docs/concepts/credential-management.mdx index 9a7f934277..a35dfb6c43 100644 --- a/website/content/docs/concepts/credential-management.mdx +++ b/website/content/docs/concepts/credential-management.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Credential management -description: |- - An overview of credential management in Boundary +description: >- + Learn about using credential brokering or credential injection to authenticate users. Understand the benefits and security considerations of each method. --- # Credential management diff --git a/website/content/docs/concepts/domain-model/accounts.mdx b/website/content/docs/concepts/domain-model/accounts.mdx index d2b1ce4660..d527d5bde6 100644 --- a/website/content/docs/concepts/domain-model/accounts.mdx +++ b/website/content/docs/concepts/domain-model/accounts.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - accounts -description: |- - The anatomy of a Boundary account +page_title: Account resource +description: >- + Learn about using the accounts resource to establish the identities of users. Understand how to configure general, password, and LDAP account attributes. --- # Accounts diff --git a/website/content/docs/concepts/domain-model/aliases.mdx b/website/content/docs/concepts/domain-model/aliases.mdx index 5f9d4569aa..248fe91f6b 100644 --- a/website/content/docs/concepts/domain-model/aliases.mdx +++ b/website/content/docs/concepts/domain-model/aliases.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - aliases -description: |- - The anatomy of a Boundary alias +page_title: Alias resource +description: >- + Learn about using the alias resource to transparently connect to targets without having to provide the target ID or target name and scope ID. --- # Aliases diff --git a/website/content/docs/concepts/domain-model/auth-methods.mdx b/website/content/docs/concepts/domain-model/auth-methods.mdx index b030fefc3c..02f88eb1b1 100644 --- a/website/content/docs/concepts/domain-model/auth-methods.mdx +++ b/website/content/docs/concepts/domain-model/auth-methods.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - auth methods -description: |- - Use auth methods to authenticate users to Boundary. Learn which attributes you can configure for password, OIDC, and LDAP auth methods in Boundary. +page_title: Auth method resource +description: >- + Learn about using the auth method resource to authenticate users. Understand which attributes you can configure for password, OIDC, and LDAP auth methods. --- # Auth methods diff --git a/website/content/docs/concepts/domain-model/credential-libraries.mdx b/website/content/docs/concepts/domain-model/credential-libraries.mdx index b0599552ef..b521822588 100644 --- a/website/content/docs/concepts/domain-model/credential-libraries.mdx +++ b/website/content/docs/concepts/domain-model/credential-libraries.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - credential libraries -description: |- - The anatomy of a Boundary credential library +page_title: Credential library resource +description: >- + Learn about using the credential library resource to provide credentials from a credential store. Understand the credential library attributes you can configure. --- # Credential libraries diff --git a/website/content/docs/concepts/domain-model/credential-stores.mdx b/website/content/docs/concepts/domain-model/credential-stores.mdx index 02f78565ee..ac803c9000 100644 --- a/website/content/docs/concepts/domain-model/credential-stores.mdx +++ b/website/content/docs/concepts/domain-model/credential-stores.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - credential stores -description: |- - The anatomy of a Boundary credential store +page_title: Credential store resource +description: >- + Learn about using the credential store resource to store and retrieve credentials. Understand the Vault and static credential store attributes you can configure. --- # Credential stores diff --git a/website/content/docs/concepts/domain-model/credentials.mdx b/website/content/docs/concepts/domain-model/credentials.mdx index 55bad83262..99fefbbcb8 100644 --- a/website/content/docs/concepts/domain-model/credentials.mdx +++ b/website/content/docs/concepts/domain-model/credentials.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - credentials -description: |- - The anatomy of a Boundary credential +page_title: Credential resource +description: >- + Learn about using the credential resource to define secrets for a host. Understand username password, SSH private key, SSH certificate, and JSON credential types. --- # Credentials diff --git a/website/content/docs/concepts/domain-model/groups.mdx b/website/content/docs/concepts/domain-model/groups.mdx index 7c0045333e..5da4dfb2bb 100644 --- a/website/content/docs/concepts/domain-model/groups.mdx +++ b/website/content/docs/concepts/domain-model/groups.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - groups -description: |- - The anatomy of a Boundary group +page_title: Group resource +description: >- + Learn about using the group resource to create collections of users with the same access control. Any role assigned to a group is assigned to the group's users. --- # Groups diff --git a/website/content/docs/concepts/domain-model/host-catalogs.mdx b/website/content/docs/concepts/domain-model/host-catalogs.mdx index f10d505419..883af093cc 100644 --- a/website/content/docs/concepts/domain-model/host-catalogs.mdx +++ b/website/content/docs/concepts/domain-model/host-catalogs.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - host catalogs -description: |- - The anatomy of a Boundary host catalog +page_title: Host catalog resource +description: >- + Learn about using the host catalog resource to organize and manage hosts and host sets within a project based on their function, environment, or other criteria. --- # Host catalogs diff --git a/website/content/docs/concepts/domain-model/host-sets.mdx b/website/content/docs/concepts/domain-model/host-sets.mdx index 551d60ad48..e8d01513b7 100644 --- a/website/content/docs/concepts/domain-model/host-sets.mdx +++ b/website/content/docs/concepts/domain-model/host-sets.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - host sets -description: |- - The anatomy of a Boundary host set +page_title: Host set resource +description: >- + Learn about using the host set resource to organize and manage hosts that have the same level of access control and belong to the same host catalog. --- # Host sets diff --git a/website/content/docs/concepts/domain-model/hosts.mdx b/website/content/docs/concepts/domain-model/hosts.mdx index e4c493ba14..d2f53a9103 100644 --- a/website/content/docs/concepts/domain-model/hosts.mdx +++ b/website/content/docs/concepts/domain-model/hosts.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - hosts -description: |- - The anatomy of a Boundary host +page_title: Host resource +description: >- + Learn about using host resources to represent computing elements that are reachable from Boundary. You can organize hosts in host sets and host catalogs. --- # Hosts diff --git a/website/content/docs/concepts/domain-model/index.mdx b/website/content/docs/concepts/domain-model/index.mdx index 81baa342c1..40cd8d7eb7 100644 --- a/website/content/docs/concepts/domain-model/index.mdx +++ b/website/content/docs/concepts/domain-model/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model index -description: |- - Reference documentation for Boundary's domain model. +page_title: Domain model overview +description: >- + Learn about using the domain model to organize identity and access management and target resources for secure access. Understand how resources work together. --- # Overview diff --git a/website/content/docs/concepts/domain-model/managed-groups.mdx b/website/content/docs/concepts/domain-model/managed-groups.mdx index 9309f07785..e845a129b0 100644 --- a/website/content/docs/concepts/domain-model/managed-groups.mdx +++ b/website/content/docs/concepts/domain-model/managed-groups.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - managed groups -description: |- - The anatomy of a Boundary managed group +page_title: Managed group resource +description: >- + Learn about using the managed group resource to organize identity provider accounts and assign them grants. Understand how to configure OIDC and LDAP attributes. --- # Managed groups diff --git a/website/content/docs/concepts/domain-model/roles.mdx b/website/content/docs/concepts/domain-model/roles.mdx index 42164cffb6..5da68d81b2 100644 --- a/website/content/docs/concepts/domain-model/roles.mdx +++ b/website/content/docs/concepts/domain-model/roles.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - roles -description: |- - The anatomy of a Boundary role +page_title: Role resource +description: >- + Learn about using the role resource to group permissions which are then granted to any principal assigned to the role. Understand role attributes. --- # Roles diff --git a/website/content/docs/concepts/domain-model/scopes.mdx b/website/content/docs/concepts/domain-model/scopes.mdx index 134fd4eb6b..92fbd39916 100644 --- a/website/content/docs/concepts/domain-model/scopes.mdx +++ b/website/content/docs/concepts/domain-model/scopes.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - scopes -description: |- - Use scopes to group and manage resources in Boundary. Learn how to configure global scopes, org scopes, and projects to logically group resources. +page_title: Scope resource +description: >- + Learn about using the scope resource to organize and manage resources. Understand how to configure global, org, and project scopes to logically group resources. --- # Scopes diff --git a/website/content/docs/concepts/domain-model/session-connections.mdx b/website/content/docs/concepts/domain-model/session-connections.mdx index cbf3b20a0e..a5f9c555e3 100644 --- a/website/content/docs/concepts/domain-model/session-connections.mdx +++ b/website/content/docs/concepts/domain-model/session-connections.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - session connections -description: |- - The anatomy of a Boundary session connection +page_title: Session connection resource +description: >- + Learn how the session connection resource represents the proxy Boundary creates between user and host. Understand how connections are established and terminated. --- # Session connections diff --git a/website/content/docs/concepts/domain-model/session-recordings.mdx b/website/content/docs/concepts/domain-model/session-recordings.mdx index d0f00eb602..33f74a0500 100644 --- a/website/content/docs/concepts/domain-model/session-recordings.mdx +++ b/website/content/docs/concepts/domain-model/session-recordings.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - session recordings -description: |- - Use session recordings to audit user sessions in Boundary. Learn how to configure session recordings to monitor usage. +page_title: Session recording resource +description: >- + Learn about using the session recording resource to audit user sessions. Understand how storage policy retention periods help you meet your compliance needs. --- # Session recordings diff --git a/website/content/docs/concepts/domain-model/sessions.mdx b/website/content/docs/concepts/domain-model/sessions.mdx index a328fc0723..ba3d99e5dd 100644 --- a/website/content/docs/concepts/domain-model/sessions.mdx +++ b/website/content/docs/concepts/domain-model/sessions.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - sessions -description: |- - The anatomy of a Boundary session +page_title: Session resource +description: >- + Learn how the session resource is a set of connections between users and hosts that may include credentials. Understand how sessions are created and terminated. --- # Sessions diff --git a/website/content/docs/concepts/domain-model/storage-buckets.mdx b/website/content/docs/concepts/domain-model/storage-buckets.mdx index b759328321..7b3240cd6f 100644 --- a/website/content/docs/concepts/domain-model/storage-buckets.mdx +++ b/website/content/docs/concepts/domain-model/storage-buckets.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - storage bucket -description: |- - The anatomy of a Boundary storage bucket +page_title: Storage bucket resource +description: >- + Learn how to use the storage bucket resource to retain session recordings for compliance. Understand storage bucket attributes and how scopes affect storage. --- # Storage buckets diff --git a/website/content/docs/concepts/domain-model/storage-policy.mdx b/website/content/docs/concepts/domain-model/storage-policy.mdx index 5729d8848b..4f7c19eeb3 100644 --- a/website/content/docs/concepts/domain-model/storage-policy.mdx +++ b/website/content/docs/concepts/domain-model/storage-policy.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - storage policies -description: |- - Use storage policies to manage session recording retention in Boundary. Learn how to configure policies for global and org scopes, and specify retention periods. +page_title: Storae policy resource +description: >- + Learn about using the storage policy resource to manage session recording retention. Understand how to configure policies for scopes and specify retention. --- # Storage policies @@ -12,6 +12,7 @@ description: |- A resource known as a storage policy is used to codify how long [session recordings][] must be kept and when they should be deleted. A storage policy's name is optional, but it must be unique if you define one. Storage policies can only be assigned to the global [scope][] or an org scope. +You must [attach][] storage policies to a scope (global or a specific org) to take effect. A storage policy exists in either the global scope or an org scope. Storage policies that are created in the global scope can be associated with any org scope. @@ -55,5 +56,6 @@ The following services are relevant to this resource: - [Scope Service](/boundary/api-docs/scope-service) - [Policy Service](/boundary/api-docs/policy-service) +[attach]: /boundary/docs/configuration/session-recording/configure-storage-policy#attach-storage-policies-to-a-scope [session recordings]: /boundary/docs/concepts/domain-model/session-recordings -[scope]: /boundary/docs/concepts/domain-model/scopes \ No newline at end of file +[scope]: /boundary/docs/concepts/domain-model/scopes diff --git a/website/content/docs/concepts/domain-model/targets.mdx b/website/content/docs/concepts/domain-model/targets.mdx index e1796e7149..1c66b78b85 100644 --- a/website/content/docs/concepts/domain-model/targets.mdx +++ b/website/content/docs/concepts/domain-model/targets.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - targets -description: |- - The anatomy of a Boundary target +page_title: Target resource +description: >- + Learn about using the target resource to configure a networked service a user can connect to. Understand the TCP and SSH target type requirements and attributes. --- # Targets diff --git a/website/content/docs/concepts/domain-model/users.mdx b/website/content/docs/concepts/domain-model/users.mdx index 0750e105da..8a7753f9fc 100644 --- a/website/content/docs/concepts/domain-model/users.mdx +++ b/website/content/docs/concepts/domain-model/users.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Domain model - users -description: |- - The anatomy of a Boundary user +page_title: User resource +description: >- + Learn how the user resource identifies a person or entity for access control purposes. Understand how to assign groups and roles so users inherit permissions. --- # Users diff --git a/website/content/docs/concepts/filtering/events.mdx b/website/content/docs/concepts/filtering/events.mdx index bf7833fe35..7f7b1e8b94 100644 --- a/website/content/docs/concepts/filtering/events.mdx +++ b/website/content/docs/concepts/filtering/events.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Filtering - events -description: |- - How to filter events emitted by Boundary. +description: >- + Learn how to filter audit, observation, system, and telemetry events to find information written to any event sinks you configured. --- # Filter events diff --git a/website/content/docs/concepts/filtering/index.mdx b/website/content/docs/concepts/filtering/index.mdx index 3d63b32853..ad6d473d35 100644 --- a/website/content/docs/concepts/filtering/index.mdx +++ b/website/content/docs/concepts/filtering/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Filtering -description: |- - An introduction to the filtering syntax used in Boundary. +description: >- + Learn how to use filters to match and find data. Understand how to create filter expressions using matching operators composed with selectors and values. --- # Filter expressions diff --git a/website/content/docs/concepts/filtering/managed-groups.mdx b/website/content/docs/concepts/filtering/managed-groups.mdx index 98e1d0fa79..3298e1bf42 100644 --- a/website/content/docs/concepts/filtering/managed-groups.mdx +++ b/website/content/docs/concepts/filtering/managed-groups.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Filtering - managed groups -description: |- - How to configure filters for managed groups within the OIDC or LDAP auth methods. +description: >- + Learn how to configure filters for managed groups. View search filter attributes and examples of filters for OIDC and LDAP managed groups. --- [filter syntax]: /boundary/docs/concepts/filtering diff --git a/website/content/docs/concepts/filtering/resource-listing.mdx b/website/content/docs/concepts/filtering/resource-listing.mdx index 527fad7872..e53af6bd52 100644 --- a/website/content/docs/concepts/filtering/resource-listing.mdx +++ b/website/content/docs/concepts/filtering/resource-listing.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Filtering - resource listing -description: |- - How to use filter list responses coming back from Boundary. +description: >- + Learn how to use filters to reduce the set of resources returned when you perform a list operation. Filtering list results helps you find information. --- # Filter resource listings diff --git a/website/content/docs/concepts/filtering/worker-tags.mdx b/website/content/docs/concepts/filtering/worker-tags.mdx index d09ba13434..da3a94a96e 100644 --- a/website/content/docs/concepts/filtering/worker-tags.mdx +++ b/website/content/docs/concepts/filtering/worker-tags.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Filtering - worker tags -description: |- - How to use worker tags to control which workers can handle a given resource. +description: >- + Learn about using worker tags to designate worker roles. Examples include serving specific regions or functions, such as credential stores or storage buckets. --- # Worker tags diff --git a/website/content/docs/concepts/host-discovery/aws.mdx b/website/content/docs/concepts/host-discovery/aws.mdx index 36d88d65d0..0a25143c4a 100644 --- a/website/content/docs/concepts/host-discovery/aws.mdx +++ b/website/content/docs/concepts/host-discovery/aws.mdx @@ -1,15 +1,15 @@ --- layout: docs page_title: AWS dynamic host catalogs -description: |- - An overview of AWS host discovery in Boundary +description: >- + Use dynamic host catalogs to automatically discover AWS EC2 instances and add them as hosts. Create a host catalog and host set for AWS resources. --- # AWS dynamic host catalogs Boundary uses dynamic host catalogs to automatically discover AWS EC2 instances and add them as hosts. ## Create a host catalog to connect with AWS Boundary uses plugins to integrate with a variety of providers. To use -a dynamic host catalog to integrate with AWS, you create a host catalog of the `plugin` type +a dynamic host catalog to integrate with AWS, you create a host catalog of the `plugin` type and set the `plugin-name` value to `aws`. You must also provide the specific fields needed for Boundary to authenticate with AWS. @@ -57,6 +57,10 @@ The fields following the `attr` and `secret` flags are specific to AWS and are r - `disable_credential_rotation`: When set to `true`, Boundary will not rotate the credentials with AWS automatically. - `region`: The region to configure the host catalog for. All host sets in this catalog will be configured for this region. +- `role_arn`: The AWS role ARN used for `AssumeRole` authentication. If you provide a `role_arn` value, you must also set `disable_credential_rotation` to `true`. +- `role_external_id`: The external ID that you configured for the `AssumeRole` provider. +- `role_session_name`: The session name that you configured for the `AssumeRole` provider. +- `role_tags`: The key-value pair tags that you configured for the `AssumeRole` provider. - `access_key_id`: The access key ID for the IAM user to use with this host catalog. - `secret_access_key`: The secret access key for the IAM user to use with this diff --git a/website/content/docs/concepts/host-discovery/azure.mdx b/website/content/docs/concepts/host-discovery/azure.mdx index c401237528..397e212351 100644 --- a/website/content/docs/concepts/host-discovery/azure.mdx +++ b/website/content/docs/concepts/host-discovery/azure.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Azure dynamic host catalogs -description: |- - An overview of Azure host discovery in Boundary +description: >- + Use dynamic host catalogs to automatically discover Azure resources and add them as hosts. Create a host catalog and host set for Azure resources. --- # Azure dynamic host catalogs Boundary uses dynamic host catalogs to automatically discover Azure resources available through Azure Resource Manager (ARM) and add them as hosts. @@ -10,7 +10,7 @@ Boundary uses dynamic host catalogs to automatically discover Azure resources av ## Create a host catalog to connect with Azure Boundary uses plugins to integrate with a variety of providers. To use a dynamic host catalog to integrate with Azure, you create a host catalog of the -`plugin` type and set the `plugin-name` value to `azure`. You must also provide the +`plugin` type and set the `plugin-name` value to `azure`. You must also provide the specific fields needed for Boundary to authenticate with Azure. diff --git a/website/content/docs/concepts/host-discovery/index.mdx b/website/content/docs/concepts/host-discovery/index.mdx index 121c27872f..543aa6672c 100644 --- a/website/content/docs/concepts/host-discovery/index.mdx +++ b/website/content/docs/concepts/host-discovery/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Host discovery -description: |- - An overview of host discovery in Boundary +description: >- + Learn how host discovery workflows let Boundary discover and onboard new resources. Understand how dynamic host catalogs enable automated host discovery. --- # Host discovery diff --git a/website/content/docs/concepts/iam.mdx b/website/content/docs/concepts/iam.mdx index 565fab08d8..e117143394 100644 --- a/website/content/docs/concepts/iam.mdx +++ b/website/content/docs/concepts/iam.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Identity and access management (IAM) -description: |- - Identity and access management in Boundary +description: >- + Learn how scopes, auth methods, accounts, users, groups, and roles make up the identity and access management (IAM) system. View examples of grant strings. --- # Identity and access management (IAM) diff --git a/website/content/docs/concepts/index.mdx b/website/content/docs/concepts/index.mdx index 0bfc944f89..6b1890569e 100644 --- a/website/content/docs/concepts/index.mdx +++ b/website/content/docs/concepts/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Concepts -description: |- - An introduction to Boundary concepts and architecture. +description: >- + Discover resources to help you understand Boundary concepts and architecture. --- # Concepts diff --git a/website/content/docs/concepts/security/connections-tls.mdx b/website/content/docs/concepts/security/connections-tls.mdx index 9336b5afd8..3ec5dfa06a 100644 --- a/website/content/docs/concepts/security/connections-tls.mdx +++ b/website/content/docs/concepts/security/connections-tls.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Connections/TLS -description: |- - How Boundary secures its connections +description: >- + Learn how Boundary uses transport layer security (TLS) to secure connections and establish sessions. Understand how workers authenticate to resources. --- # TLS in Boundary diff --git a/website/content/docs/concepts/security/data-encryption.mdx b/website/content/docs/concepts/security/data-encryption.mdx index d21fc2f115..d066779635 100644 --- a/website/content/docs/concepts/security/data-encryption.mdx +++ b/website/content/docs/concepts/security/data-encryption.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Data encryption -description: |- - How Boundary secures data at rest +description: >- + Learn how key management services protect the encryption keys used for securing data. Understand key lifecycle management best practices. --- # Data security in Boundary @@ -15,7 +15,7 @@ Boundary supports and how they are used within the system. ## The `worker-auth-storage` KMS key -The `worker-auth-storage` KMS key can be used by [Workers registered using worker-led or controller-led +The `worker-auth-storage` KMS key can be used by [Workers registered using worker-led or controller-led methods](/boundary/docs/configuration/worker/worker-configuration) for storage of authentication keys. It is optional for workers; if not specified the authentication keys will not be encrypted on disk. This can not used by workers registered using an external KMS. diff --git a/website/content/docs/concepts/security/index.mdx b/website/content/docs/concepts/security/index.mdx index 7332c6745f..ded4fb5da9 100644 --- a/website/content/docs/concepts/security/index.mdx +++ b/website/content/docs/concepts/security/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Security -description: |- - Boundary security overview. +description: >- + Discover resources to help you understand Boundary's security. --- # Security diff --git a/website/content/docs/concepts/transparent-sessions.mdx b/website/content/docs/concepts/transparent-sessions.mdx new file mode 100644 index 0000000000..f774fd3b1d --- /dev/null +++ b/website/content/docs/concepts/transparent-sessions.mdx @@ -0,0 +1,48 @@ +--- +layout: docs +page_title: Transparent sessions +description: >- + Learn how transparent sessions enable you to connect to target resources without entering resource IDs or port numbers. +--- + +# Transparent sessions + +@include 'alerts/enterprise-only.mdx' + +@include 'alerts/beta.mdx' + +Transparent sessions shift Boundary from an active connection model to a passive connection model. Boundary operates in the background instead of requiring you to remember specific resource IDs or ephemeral ports to connect to targets. + +As long as Boundary authenticates a user and the user is authorized to access the target, Boundary intercepts the DNS call and routes traffic through a session automatically. + +Transparent sessions require [aliases](/boundary/docs/concepts/aliases) and the [Boundary Client Agent](/boundary/docs/api-clients/client-agent). + +The Boundary Desktop client facilitates quick target discovery and session establishment using your preferred client. If you configure aliases for your targets, install the Boundary Client Agent, and ensure you are authenticated to the cluster, connections are transparent to the user. Boundary provides OS notifications to make it clear when you connect to a target using a transparent session. + +Boundary supports Windows and MacOS for the transparent sessions public beta. + +Refer to the [Configure transparent sessions](/boundary/docs/configuration/target-aliases/transparent-sessions) page to get started. + +## Known issues + +Refer to the following table for known issues that may affect the public beta: + +| Issue | Description | +| ----- | ----------- | +| Connection is reset when trying to reconnect | If you use an SSH transparent session and then cancel the connection, you may have trouble reconnecting until Boundary cleans up the session. | +| SSH connection fails with man-in-the-middle warning | On Ubuntu systems, the initial transparent session may be successful, but any subsequent connections prompt a warning that you may be experiencing a man-in-the-middle attack. | +| Boundary Client Agent authentication does not persist across restarts | When you reboot, you are required to re-authenticate to the Client Agent before you can use transparent sessions. | +| Windows shortcuts are mandatory | The Windows installer always installs Desktop and Start menu shortcuts. This is a known issue. Shortcuts will be optional in a future version of the installer. | +| Windows installer prompts for restart | When you install Boundary, the Windows installer occasionally prompts you to restart your computer, however it is not necessary. | +| Boundary Client Agent resumes on reboot | If the Client Agent is paused and the machine is rebooted, the Client Agent will be resumed after the reboot. | +| Single-word aliases do not work on Windows | If you create an alias consisting of a single word without a dot (`.`), the alias will not work on Windows. | +| Windows installer does not support partial installations | The Windows installer fails to start the Client Agent if the Desktop client is not installed at the same time. | +| Alias connection failures inside containers/VMs | Using transparent sessions rely on network access to the local network of the computer the Client Agent is running on. Network enclaves such as those created by Docker containers and VMs cannot reach this network. | + +## More information + +Refer to the following topics for more information: + +- [Aliases](/boundary/docs/concepts/aliases) +- [Boundary Client Agent](/boundary/docs/api-clients/client-agent) +- [Configure transparent sessions](/boundary/docs/configuration/target-aliases/transparent-sessions) \ No newline at end of file diff --git a/website/content/docs/concepts/workers.mdx b/website/content/docs/concepts/workers.mdx index 06f49674fc..969c485785 100644 --- a/website/content/docs/concepts/workers.mdx +++ b/website/content/docs/concepts/workers.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Workers -description: |- - Introduction to Boundary workers +description: >- + Workers let you proxy traffic to private targets. Learn about worker capabilities, using tags to filter tasks, worker health, and best practices for deployment. --- # Workers diff --git a/website/content/docs/configuration/controller.mdx b/website/content/docs/configuration/controller.mdx index 0f29811505..7388608448 100644 --- a/website/content/docs/configuration/controller.mdx +++ b/website/content/docs/configuration/controller.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Controller - configuration -description: |- - The controller stanza configures controller-specifc parameters. +page_title: Controller configuration +description: >- + Learn about configuring controller-specific parameters. Understand how to configure the required KMS stanzas, and view a complete configuration example. --- # `controller` stanza @@ -81,7 +81,7 @@ description will be read. bind a publicly accessible IP to a NIC on the host directly, such as an Amazon EIP. This value can be a direct address string, can refer to a file on disk (file://) from which an address will be read; an env var (env://) from which the - address will be read; or a [go-sockaddr template](https://godoc.org/github.com/hashicorp/go-sockaddr/template). + address will be read; or a [go-sockaddr template](https://godoc.org/github.com/hashicorp/go-sockaddr/template). Note that the address should not include the protocol prefixes like `http://` or `https://`. - `auth_token_time_to_live` - Maximum time to live (TTL) for all auth tokens globally (pertains diff --git a/website/content/docs/configuration/credential-management/configure-credential-brokering.mdx b/website/content/docs/configuration/credential-management/configure-credential-brokering.mdx index 3829f99981..b5c9f9f76a 100644 --- a/website/content/docs/configuration/credential-management/configure-credential-brokering.mdx +++ b/website/content/docs/configuration/credential-management/configure-credential-brokering.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Configure targets with credential brokering -description: |- +description: >- Configure credential brokering workflows so that Boundary centrally manages credentials and returns them to users when they successfully connect to a target. --- diff --git a/website/content/docs/configuration/credential-management/configure-credential-injection.mdx b/website/content/docs/configuration/credential-management/configure-credential-injection.mdx index 6c76b3868a..70bbdeb22f 100644 --- a/website/content/docs/configuration/credential-management/configure-credential-injection.mdx +++ b/website/content/docs/configuration/credential-management/configure-credential-injection.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Configure targets with credential injection -description: |- +description: >- Configure credential injection so Boundary provides users with a passwordless experience when connecting to targets. Availabile exclusively for Enterprise users. --- diff --git a/website/content/docs/configuration/credential-management/index.mdx b/website/content/docs/configuration/credential-management/index.mdx index e0ab55b775..d77b714928 100644 --- a/website/content/docs/configuration/credential-management/index.mdx +++ b/website/content/docs/configuration/credential-management/index.mdx @@ -1,7 +1,7 @@ --- layout: docs -page_title: Configure credentials with Boundary -description: |- +page_title: Credential management with Boundary +description: >- Credential stores let you store and manage credentials in Boundary. Learn about configuring user workflows with credential management or credential injection. --- diff --git a/website/content/docs/configuration/credential-management/static-cred-boundary.mdx b/website/content/docs/configuration/credential-management/static-cred-boundary.mdx index 3f3c719235..26cf542ba3 100644 --- a/website/content/docs/configuration/credential-management/static-cred-boundary.mdx +++ b/website/content/docs/configuration/credential-management/static-cred-boundary.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Manage static credentials with Boundary -description: |- - Create a static credential store to manage static credentials in Boundary. Credential stores let you configure targets for credential brokering or injection. +description: >- + Create a static credential store to manage static credentials. Credential stores let you configure targets for credential brokering or injection. --- # Create a static credential store diff --git a/website/content/docs/configuration/credential-management/static-cred-vault.mdx b/website/content/docs/configuration/credential-management/static-cred-vault.mdx index ab4101f9a7..6cb82cff08 100644 --- a/website/content/docs/configuration/credential-management/static-cred-vault.mdx +++ b/website/content/docs/configuration/credential-management/static-cred-vault.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Manage static credentials with Vault -description: |- - Create a Vault credential store to manage credentials in Boundary. Credential stores let you configure targets for credential brokering or credential injection. +description: >- + Create a Vault credential store to manage credentials. Credential stores let you configure targets for credential brokering or credential injection. --- # Create a Vault credential store diff --git a/website/content/docs/configuration/identity-access-management/assignable-permissions.mdx b/website/content/docs/configuration/identity-access-management/assignable-permissions.mdx index a7100acc29..ad38c10135 100644 --- a/website/content/docs/configuration/identity-access-management/assignable-permissions.mdx +++ b/website/content/docs/configuration/identity-access-management/assignable-permissions.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Assignable permissions -description: |- - Assignable permissions +description: >- + Learn about using actions and output fields to grant users permissions to any resources that are identified by ID or Type. --- # Assignable permissions diff --git a/website/content/docs/configuration/identity-access-management/index.mdx b/website/content/docs/configuration/identity-access-management/index.mdx index db15d7abe3..8eedea3e57 100644 --- a/website/content/docs/configuration/identity-access-management/index.mdx +++ b/website/content/docs/configuration/identity-access-management/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Permissions index -description: |- - Boundary's permissions model +description: >- + Learn about Boundary's RBAC (Role-based access control), allow-only permissions model. Understand how permissions are configured using grant strings and roles. --- # Permissions in Boundary diff --git a/website/content/docs/configuration/identity-access-management/permission-grant-formats.mdx b/website/content/docs/configuration/identity-access-management/permission-grant-formats.mdx index d7ad3599f6..1a6d1ee56d 100644 --- a/website/content/docs/configuration/identity-access-management/permission-grant-formats.mdx +++ b/website/content/docs/configuration/identity-access-management/permission-grant-formats.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Permission grant formats -description: |- - Permission grant formats +description: >- + Learn how to construct grant strings that map resources and permissions. Understand ID, Type, Pinned, and Wildcard grant formats. View possible grant templates. --- # Permission grant formats diff --git a/website/content/docs/configuration/identity-access-management/resource-table.mdx b/website/content/docs/configuration/identity-access-management/resource-table.mdx index 87ce7b6309..39bee9e133 100644 --- a/website/content/docs/configuration/identity-access-management/resource-table.mdx +++ b/website/content/docs/configuration/identity-access-management/resource-table.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Resource table -description: |- - Resource table +description: >- + View a list of resources and their available permissions parameters and actions to help you configure and manage permissions. --- # Resource tables diff --git a/website/content/docs/configuration/index.mdx b/website/content/docs/configuration/index.mdx index 13c8939ce4..99b31e0d07 100644 --- a/website/content/docs/configuration/index.mdx +++ b/website/content/docs/configuration/index.mdx @@ -1,7 +1,8 @@ --- layout: docs -page_title: Overview/top-level parameters -description: Boundary configuration reference. +page_title: Top-level configuration parameters +description: >- + Learn about the parameters that make up the Boundary HCL configuration file. View parameters for HCP and self-managed installations. --- # Configuration diff --git a/website/content/docs/configuration/kms/aead.mdx b/website/content/docs/configuration/kms/aead.mdx index d17e51d8d3..d6e29dd4bf 100644 --- a/website/content/docs/configuration/kms/aead.mdx +++ b/website/content/docs/configuration/kms/aead.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: AEAD - configuration -description: |- - The AEAD KMS configures AEAD-specific parameters. +page_title: AEAD KMS configuration +description: >- + Learn about using the Authenticated Encryption with Associated Data (AEAD) KMS for key management. AEAD is typically used for development workflows or testing. --- # `aead` KMS diff --git a/website/content/docs/configuration/kms/alicloudkms.mdx b/website/content/docs/configuration/kms/alicloudkms.mdx index 08d52f3731..5c941ef8fa 100644 --- a/website/content/docs/configuration/kms/alicloudkms.mdx +++ b/website/content/docs/configuration/kms/alicloudkms.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: AliCloud KMS - KMSs - configuration +page_title: AliCloud KMS configuration description: >- - The AliCloud KMS configures Boundary to use AliCloud KMS for key management. + Learn about using the AliCloud KMS for key management and configuring parameters and authentication. View an example alicloudkms configuration. --- # `alicloudkms` KMS diff --git a/website/content/docs/configuration/kms/awskms.mdx b/website/content/docs/configuration/kms/awskms.mdx index 96d75320da..4b97367930 100644 --- a/website/content/docs/configuration/kms/awskms.mdx +++ b/website/content/docs/configuration/kms/awskms.mdx @@ -1,9 +1,8 @@ --- layout: docs -page_title: AWS KMS - KMSs - Configuration -description: |- - The AWS KMS configures Boundary to use AWS KMS for key management. - mechanism. +page_title: AWS KMS Configuration +description: >- + Learn about using the AWS KMS for key management, configuring parameters and authentication, and best practices for key rotation. View an example configuration. --- # `awskms` diff --git a/website/content/docs/configuration/kms/azurekeyvault.mdx b/website/content/docs/configuration/kms/azurekeyvault.mdx index 889b69996f..66b9275f16 100644 --- a/website/content/docs/configuration/kms/azurekeyvault.mdx +++ b/website/content/docs/configuration/kms/azurekeyvault.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Azure Key Vault - seals - configuration +page_title: Azure Key Vault configuration description: >- - The Azure Key Vault seal configures Boundary to use Azure Key Vault for key management. + Learn about using the Azure Key Vault KMS for key management and configuring parameters and authentication. View an example azurekeyvault configuration. --- # `azurekeyvault` KMS diff --git a/website/content/docs/configuration/kms/gcpckms.mdx b/website/content/docs/configuration/kms/gcpckms.mdx index 23056c896e..5ff0f21ab5 100644 --- a/website/content/docs/configuration/kms/gcpckms.mdx +++ b/website/content/docs/configuration/kms/gcpckms.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: GCP Cloud KMS - KMSs - configuration +page_title: GCP Cloud KMS configuration description: >- - The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management. + Learn about using the GCP Cloud KMS for key management and configuring parameters and authentication. View an example gcpkms configuration. --- # `gcpckms` KMS diff --git a/website/content/docs/configuration/kms/index.mdx b/website/content/docs/configuration/kms/index.mdx index 13238667f5..685146deb6 100644 --- a/website/content/docs/configuration/kms/index.mdx +++ b/website/content/docs/configuration/kms/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: KMS - configuration -description: |- - The KMS stanza configures KMS-specific parameters. +page_title: KMS configuration +description: >- + Learn about using the kms stanza to configure key management system parameters. Discover resources for learning about specific KMS technologies. --- # `kms` stanza diff --git a/website/content/docs/configuration/kms/ocikms.mdx b/website/content/docs/configuration/kms/ocikms.mdx index 95da4158cc..9b2656a7a7 100644 --- a/website/content/docs/configuration/kms/ocikms.mdx +++ b/website/content/docs/configuration/kms/ocikms.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: OCI KMS - KMSs - configuration -description: |- - The OCI KMS configures Boundary to use OCI KMS for key management. +page_title: OCI KMS configuration +description: >- + Learn about using the OCI KMS for key management and configuring parameters and authentication. View an example configuration. Understand OCI KMS key rotation. --- # `ocikms` KMS diff --git a/website/content/docs/configuration/kms/transit.mdx b/website/content/docs/configuration/kms/transit.mdx index b6e59940df..891ea9b16a 100644 --- a/website/content/docs/configuration/kms/transit.mdx +++ b/website/content/docs/configuration/kms/transit.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Vault Transit - seals - configuration -description: |- - The Transit configures Boundary to use Vault's Transit Secret Engine for key management. +page_title: Vault Transit configuration +description: >- + Learn about using the Vault transit secrets engine for key management and configuring parameters and authentication. View an example Transit KMS configuration. --- # `transit` seal diff --git a/website/content/docs/configuration/listener/index.mdx b/website/content/docs/configuration/listener/index.mdx index c7042eb260..2f5b93347a 100644 --- a/website/content/docs/configuration/listener/index.mdx +++ b/website/content/docs/configuration/listener/index.mdx @@ -1,9 +1,8 @@ --- layout: docs -page_title: Listeners - configuration -description: |- - The listener stanza configures the addresses and ports on which Boundary will - respond to requests. +page_title: Listener configuration +description: >- + Learn about TCP and Unix listener configuration settings. Understand where to change the default addresses and ports on which Boundary responds to requests. --- # `listener` stanza diff --git a/website/content/docs/configuration/listener/tcp.mdx b/website/content/docs/configuration/listener/tcp.mdx index 566a9de0fc..849ca97f2f 100644 --- a/website/content/docs/configuration/listener/tcp.mdx +++ b/website/content/docs/configuration/listener/tcp.mdx @@ -1,9 +1,8 @@ --- layout: docs -page_title: TCP - listeners - configuration -description: |- - The TCP listener configures Boundary to listen on the specified TCP address and - port. +page_title: TCP listener configuration +description: >- + Learn about using the TCP listener on a TCP address and port, and view configurable parameters. Understand custom response headers. View example configurations. --- # `tcp` listener diff --git a/website/content/docs/configuration/listener/unix.mdx b/website/content/docs/configuration/listener/unix.mdx index c080d304db..4f60862598 100644 --- a/website/content/docs/configuration/listener/unix.mdx +++ b/website/content/docs/configuration/listener/unix.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Unix domain socket - listeners - configuration -description: |- - The Unix listener configures Boundary to listen on the specified Unix domain socket. +page_title: Unix domain socket listener configuration +description: >- + Learn about using the Unix listener on a specified Unix domain socket, and view configurable parameters. View example Unix listener configurations. --- # `unix` listener diff --git a/website/content/docs/configuration/plugins.mdx b/website/content/docs/configuration/plugins.mdx index 1c4e5d1485..67d5a00db4 100644 --- a/website/content/docs/configuration/plugins.mdx +++ b/website/content/docs/configuration/plugins.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Plugins - configuration -description: |- - The plugins stanza configures plugin-specific parameters. +page_title: Plugin configuration +description: >- + Learn about the plugin-specific parameter that configures a directory for Boundary to use for writing and executing its built-in plugins. --- # `plugin` stanza diff --git a/website/content/docs/configuration/session-recording/configure-storage-policy.mdx b/website/content/docs/configuration/session-recording/configure-storage-policy.mdx index 6b924097d0..6e9ddfd72e 100644 --- a/website/content/docs/configuration/session-recording/configure-storage-policy.mdx +++ b/website/content/docs/configuration/session-recording/configure-storage-policy.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Configure storage bucket policies -description: |- - How to configure storage bucket lifecycle policies for session recording in Boundary +description: >- + Configure storage bucket policies to manage the lifecycles of session recordings. Specify retention and deletion policies to codify compliance periods. --- # Configure storage bucket policies @@ -50,7 +50,7 @@ Complete the following steps to create a storage policy in Boundary for session 1. Complete the following fields to create the Boundary storage policy: - **Name**: (Optional) The name field is optional, but if you enter a name it must be unique. - **Description**: (Optional) An optional description of the Boundary storage policy for identification purposes. - - **Retention Policy**: (Required) Specifies how long a recording must be stored, in days. + - **Retention Policy**: (Required) Specifies how long a recording must be stored, in days. Policy values include: - `Forever`: If enabled, the **Deletion Policy** field is disabled. - `Custom`: Specify a custom retention policy in days. @@ -186,7 +186,7 @@ In this example, recordings stored within the global scope must be retained for - Boundary does not support an undo action. Storage policies are meant to enforce compliance to a specific law or regulation. Updating the storage policy of a session recording can have immediate and possibly unexpected results such as the immediate deletion of session recordings. + Boundary does not support an undo action. Storage policies are meant to enforce compliance to a specific law or regulation. Updating the storage policy of a session recording can have immediate and possibly unexpected results such as the immediate deletion of session recordings. @@ -216,7 +216,7 @@ The following example applies the policy created above to an org named `prod-dat ```shell-session $ boundary policies list - Policy information: + Policy information: ID: pst_WZ3SQSSYJY Version: 1 Type: storage @@ -382,12 +382,12 @@ Check that the storage policy was successfully attached to the `prod-databases` Storage Policy ID: pst_WZ3SQSSYJY Updated Time: Thu, 25 Jan 2024 22:00:27 MST Version: 7 - + Scope (parent): ID: global Name: global Type: global - + Authorized Actions: detach-storage-policy no-op @@ -503,7 +503,7 @@ New session recordings under the `prod-databases` scope should now show a `retai 1. Create a new session recording on a target within the `prod-databases` org. 1. Log in to Boundary. -1. Click **Session Recordings** in the navigation panel. +1. Click **Session Recordings** in the navigation panel. 1. Click **View** for a new recording that was made after the storage policy was attached to the `prod-databases` scope. 1. Under **Session details**, verify that the *Retain until* and *Delete after* dates match the durations defined in the `soc2-policy`. @@ -564,7 +564,7 @@ New session recordings under the `prod-databases` scope should now show a `retai Storage Bucket ID: sb_DC8SPb9uc2 Type: ssh Updated Time: Mon, 29 Jan 2024 23:25:53 MST - + ... ... More Output ... ... @@ -581,18 +581,18 @@ New session recordings under the `prod-databases` scope should now show a `retai 1. The following API call is an example of reading the details of a session recording with the `soc2-policy` storage policy applied to the `prod-databases` scope. List the available session recordings. This example recursively lists all recordings within the global scope. - + ```shell-session $ curl --header "Content-Type: application/json" \ --header "Authorization: Bearer $(boundary config get-token)" \ --request GET \ $BOUNDARY_ADDR/v1/session-recordings?recursive=true&scope_id=global | jq ``` - + **Example output:** - + - + ```plaintext { "items": [ diff --git a/website/content/docs/configuration/session-recording/configure-worker-storage.mdx b/website/content/docs/configuration/session-recording/configure-worker-storage.mdx index 09a5c18848..6c00f1301b 100644 --- a/website/content/docs/configuration/session-recording/configure-worker-storage.mdx +++ b/website/content/docs/configuration/session-recording/configure-worker-storage.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Configure workers for local storage -description: |- - How to configure Boundary workers for session recording. +description: >- + Configure workers for session recording storage. View requirements and an example configuration. Understand possible storage states for local and remote storage. --- # Configure workers for session recording @@ -68,7 +68,7 @@ Boundary uses the permission states to determine the remote storage state of a w Boundary periodically checks the states of any workers that use the external storage, and then reports them back to the controller. -You can check the remote storage state of a worker using the `boundary worker read -id $WORKER_ID` command. +You can check the remote storage state of a worker using the `boundary workers read -id $WORKER_ID` command. ``` Worker information: diff --git a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx index 0be073b73c..7fa84683c8 100644 --- a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx +++ b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Create a storage bucket -description: |- - How to create a storage bucket for session recording in Boundary +description: >- + Create a storage bucket in an external storage provider to store recorded sessions. You can review recorded sessions later for compliance and threat management. --- # Create a storage bucket @@ -61,7 +61,7 @@ Complete the following steps to create a storage bucket in Boundary. - **Access key ID**: (Required) The access key ID that AWS generates for the IAM user to use with the storage bucket. - **Secret access key**: (Required) The secret access key that AWS generates for the IAM user to use with this storage bucket. - - **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - **Worker filter**: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - **Disable credential rotation**: (Optional) Prevents the AWS plugin from automatically rotating credentials. Although credentials are stored encrypted in Boundary, by default the [AWS plugin](https://github.com/hashicorp/boundary-plugin-aws) attempts to rotate the credentials you provide. The given credentials are used to create a new credential, and then the original credential is revoked. @@ -79,7 +79,7 @@ Complete the following steps to create a storage bucket in Boundary. For more information, refer to the AWS documentation for [Logging IAM and AWS STS API calls with AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html). - **Role tags**: An object with key-value pair attributes that is passed when you assume an IAM role. For more information, refer to the AWS documentation for [Passing session tags in AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html). - - **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - **Worker filter**: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - **Disable credential rotation**: (Required) Prevents the AWS plugin from automatically rotating credentials. This option is required if you use dynamic credentials. @@ -110,7 +110,7 @@ The required fields for creating a storage bucket depend on whether you configur -bucket-name mybucket1 \ -plugin-name aws \ -scope-id o_1234567890 \ - -worker-filter ‘“dev” in “/tags/type”’ \ + -worker-filter ‘“aws-worker” in “/tags/type”’ \ -secret ‘{“access_key_id”: “123456789” , “secret_access_key” : “123/456789/12345678”}’ \ -attributes ‘{“region”:”us-east-1”,”disable_credential_rotation”:true}’ ``` @@ -121,7 +121,7 @@ The required fields for creating a storage bucket depend on whether you configur - `bucket-name`: (Required) The name of the AWS bucket you want to associate with the Boundary storage bucket. - `plugin-name`: (Required) The name of the Boundary storage plugin. - `scope_id`: (Required) A storage bucket can belong to the Global scope or an Org scope. - - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - `worker-filter`: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - `secret`: (Required) The AWS credentials to use. - `access_key_id`: (Required) The AWS access key to use. - `secret_access_key_id`: (Required) The AWS secret access key to use. @@ -155,7 +155,7 @@ The required fields for creating a storage bucket depend on whether you configur - `bucket-name`: (Required) The name of the AWS bucket you want to associate with the Boundary storage bucket. - `plugin-name`: (Required) The name of the Boundary storage plugin. - `scope_id`: (Required) A storage bucket can belong to the Global scope or an Org scope. - - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - `worker-filter`: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - `attributes` or `-attr`: Attributes of the Amazon S3 storage bucket. - `role_arn`: (Required) The ARN (Amazon Resource Name) role that is attached to the EC2 instance that the self-managed worker runs on. - `role_external_id`: (Optional) A required value if you delegate third party access to your AWS resources. @@ -173,7 +173,11 @@ The required fields for creating a storage bucket depend on whether you configur -The HCL code for creating a storage bucket is different depending on whether you configured the AWS S3 bucket with static or dynamic credentials. +The HCL code for creating a storage bucket is different depending on whether you configured the AWS S3 bucket with static or dynamic credentials. This page provides example configurations for a generic Terraform deployment. + +Refer to the [Boundary Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs) to learn about the requirements for the following example attributes. + +Support for Amazon S3 storage providers leverages the [Boundary AWS plugin](https://github.com/hashicorp/boundary-plugin-aws). @@ -201,7 +205,7 @@ resource "boundary_storage_bucket" "aws_static_credentials_example" { "access_key_id" = "aws_access_key_id_value", "secret_access_key" = "aws_secret_access_key_value" }) - worker_filter = "\"dev\" in \"/tags/type\"" + worker_filter = "\"aws-worker\" in \"/tags/type\"" } output "storage_bucket_id" { @@ -229,7 +233,7 @@ resource "boundary_storage_bucket" "aws_dynamic_credentials_example" { "role_arn" = "arn:aws:iam::123456789012:role/S3Access" "disable_credential_rotation" = true }) - worker_filter = "\"dev\" in \"/tags/type\"" + worker_filter = "\"s3-worker\" in \"/tags/type\"" } output "storage_bucket_id" { @@ -271,7 +275,7 @@ Complete the following steps to create a storage bucket in Boundary. - **Region**: (Optional) The region to configure the storage bucket for. - **Access key ID** (Required): The MinIO service account's access key to use with this storage bucket. - **Secret access key** (Required): The MinIO service account's secret key to use with this storage bucket. - - **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - **Worker filter**: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - **Disable credential rotation**: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new MinIO service account. If this attribute is set to false, or not provided, the plugin will rotate the incoming credentials, using them to create a new MinIO service account, then delete the incoming credentials. 1. Click **Save**. @@ -288,7 +292,7 @@ Complete the following steps to create a storage bucket in Boundary. -plugin-name minio \ -scope-id o_1234567890 \ -bucket-prefix="foo/bar/zoo" \ - -worker-filter '"minio" in "/tags/type"' \ + -worker-filter '"minio-worker" in "/tags/type"' \ -attr endpoint_url="https://my-minio-instance.dev:9000" \ -attr region="REGION" \ -attr disable_credential_rotation=true \ @@ -301,7 +305,7 @@ Complete the following steps to create a storage bucket in Boundary. - `bucket-name`: (Required) Name of the MinIO bucket you want to associate with the Boundary storage bucket. - `plugin-name`: (Required) The name of the Boundary storage plugin. - `scope_id`: (Required) A storage bucket can belong to the Global scope or an Org scope. - - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - `worker-filter`: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - `secret`: (Required) The MinIO credentials to use. - `access_key_id` (Required): The MinIO service account's access key to use with this storage bucket. - `secret_access_key` (Required): The MinIO service account's secret key to use with this storage bucket. @@ -313,10 +317,45 @@ Complete the following steps to create a storage bucket in Boundary. This option must be set to `true` if you use dynamic credentials. - + + +This page provides example configurations for a generic Terraform deployment. + +Refer to the [Boundary Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs) to learn about the requirements for the following example attributes. + +Support for MinIO storage providers leverages the [Boundary MinIO plugin](https://github.com/hashicorp/boundary-plugin-minio). + +Apply the following Terraform policy: + +```hcl +resource "boundary_storage_bucket" "minio_credentials_example" { + name = "My MinIO storage bucket" + description = "My first storage bucket" + scope_id = "o_1234567890" + plugin_name = "minio" + bucket_name = "mybucket1" + + attributes_json = jsonencode({ + "endpoint_url" = "minio_access_key_id_value", + "disable_credential_rotation" = true + }) + + secrets_json = jsonencode({ + "access_key_id" = "minio_access_key_id_value", + "secret_access_key" = "minio_secret_access_key_value" + }) + worker_filter = "\"minio-worker\" in \"/tags/type\"" +} + +output "storage_bucket_id" { + value = boundary_storage_bucket.minio_credentials_example.id +} +``` + + Complete the following steps to create a storage bucket in Boundary using an S3-compliant storage provider. Hitachi Content Platform is used as an example below. @@ -345,7 +384,7 @@ Complete the following steps to create a storage bucket in Boundary using an S3- - **Region**: (Optional) The region to configure the storage bucket for. - **Access key ID** (Required): The storage provider's service account's access key to use with this storage bucket. - **Secret access key** (Required): The storage provider's service account's secret key to use with this storage bucket. - - **Worker filter**: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - **Worker filter**: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - **Disable credential rotation**: (Optional) Controls whether the plugin will rotate the incoming credentials and manage a new storage service account. If this attribute is set to false, or not provided, the plugin will rotate the incoming credentials, using them to create a new storage service account, then delete the incoming credentials. Note that credential rotation is not supported for Hitachi Content Platform, and it may not function for other S3-compatible providers. @@ -364,7 +403,7 @@ Complete the following steps to create a storage bucket in Boundary using an S3- -plugin-name minio \ -scope-id o_1234567890 \ -bucket-prefix="foo/bar/zoo" \ - -worker-filter '"dev" in "/tags/type"' \ + -worker-filter '"storage-worker" in "/tags/type"' \ -attr endpoint_url="https://my-hitachi-instance.dev:9000" \ -attr region="REGION" \ -attr disable_credential_rotation=true \ @@ -378,7 +417,7 @@ Complete the following steps to create a storage bucket in Boundary using an S3- - `plugin-name`: (Required) The name of the Boundary storage plugin. Use the `minio` plugin for S3-compatible storage. - `scope_id`: (Required) A storage bucket can belong to the Global scope or an Org scope. - - `worker-filter`: (Required) A filter that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. + - `worker-filter`: (Required) A filter expression that indicates which Boundary workers have access to the storage. The filter must match an existing worker in order to create a Boundary storage bucket. Refer to [filter examples](/boundary/docs/concepts/filtering/worker-tags#example-worker-filter-for-storage-buckets) to learn about worker tags and filters. - `secret`: (Required) The storage provider's credentials to use. - `access_key_id` (Required): The storage provider's service account's access key to use with this storage bucket. - `secret_access_key` (Required): The storage provider's service account's secret key to use with this storage bucket. @@ -389,6 +428,42 @@ Complete the following steps to create a storage bucket in Boundary using an S3- Note that credential rotation is not supported for Hitachi Content Platform, and it may not function for other S3-compatible providers. + + + +This page provides example configurations for a generic Terraform deployment. + +Refer to the [Boundary Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs) to learn about the requirements for the following example attributes. + +Support for S3-compliant storage providers leverages the [Boundary MinIO plugin](https://github.com/hashicorp/boundary-plugin-minio). + +Apply the following Terraform policy: + +```hcl +resource "boundary_storage_bucket" "storage_credentials_example" { + name = "My storage bucket" + description = "My first storage bucket" + scope_id = "o_1234567890" + plugin_name = "minio" + bucket_name = "mybucket1" + + attributes_json = jsonencode({ + "endpoint_url" = "minio_access_key_id_value", + "disable_credential_rotation" = true + }) + + secrets_json = jsonencode({ + "access_key_id" = "storage_access_key_id_value", + "secret_access_key" = "storage_secret_access_key_value" + }) + worker_filter = "\"storage-worker\" in \"/tags/type\"" +} + +output "storage_bucket_id" { + value = boundary_storage_bucket.storage_credentials_example.id +} +``` + diff --git a/website/content/docs/configuration/session-recording/enable-session-recording.mdx b/website/content/docs/configuration/session-recording/enable-session-recording.mdx index 5934d9054f..56e310a71b 100644 --- a/website/content/docs/configuration/session-recording/enable-session-recording.mdx +++ b/website/content/docs/configuration/session-recording/enable-session-recording.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Enable session recording on a target -description: |- - How to enable session recording on a target in Boundary +description: >- + Enable session recording for targets so that user sessions are recorded for compliance and threat management. --- # Enable session recording on a target @@ -23,6 +23,7 @@ Refer to [Create the controller configuration](/boundary/docs/install-boundary/c - The targets must be configured with an ingress or egress worker filter that includes a worker with access to the storage bucket you created. Refer to [SSH target attributes](/boundary/docs/concepts/domain-model/targets#ssh-target-attributes) for more information. - You must enable injected application credentials on any target that you want to use for session recording. +Refer to [Configure targets with credential injection](/boundary/docs/configuration/credential-management/configure-credential-injection) for more information about injecting application credentials. Complete the following steps to enable session recording on a target. diff --git a/website/content/docs/configuration/session-recording/index.mdx b/website/content/docs/configuration/session-recording/index.mdx index d1aaaf67cf..f0202502e8 100644 --- a/website/content/docs/configuration/session-recording/index.mdx +++ b/website/content/docs/configuration/session-recording/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Overview -description: |- - An overview of session recording in Boundary +page_title: Session recording overview +description: >- + Learn about using session recording to audit user sessions for compliance and threat management. Understand considerations for local and remote storage. --- # Overview diff --git a/website/content/docs/configuration/session-recording/storage-providers/configure-minio.mdx b/website/content/docs/configuration/session-recording/storage-providers/configure-minio.mdx index 781139d3c5..35add2959e 100644 --- a/website/content/docs/configuration/session-recording/storage-providers/configure-minio.mdx +++ b/website/content/docs/configuration/session-recording/storage-providers/configure-minio.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Configure MinIO -description: |- - How to configure MinIO as a storage provider for Boundary session recording. +page_title: Configure MinIO storage +description: >- + Configure MinIO as a storage provider for recorded sessions. Understand session recording and MinIO requirements. View an example configuration. --- # Configure MinIO as a storage provider @@ -30,6 +30,9 @@ When you determine storage requirements for the external bucket, you should cons You must associate the Boundary storage bucket with a MinIO storage bucket. A Boundary MinIO storage bucket contains the bucket name, endpoint URL, optional region, optional prefix, and the service account credentials needed to access the bucket. To enable credential rotation, you cannot add a Boundary storage bucket without a MinIO service account. You can disable credential rotation when you create the Boundary storage bucket. + At the time of the 0.18.0 release, the latest tested and supported MinIO version is `RELEASE.2024-10-02T17-50-4Z`. + Newer versions may work as well, but they have not been tested. + At this time, the NetBSD operating system is not supported for the MinIO storage bucket. diff --git a/website/content/docs/configuration/session-recording/storage-providers/configure-s3-compliant.mdx b/website/content/docs/configuration/session-recording/storage-providers/configure-s3-compliant.mdx index a7f4b39958..1b5fc358db 100644 --- a/website/content/docs/configuration/session-recording/storage-providers/configure-s3-compliant.mdx +++ b/website/content/docs/configuration/session-recording/storage-providers/configure-s3-compliant.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Configure S3-compliant storage -description: |- - How to configure an S3-compliant storage provider for Boundary session recording. +description: >- + Configure an S3-compliant storage provider for recorded sessions. Understand session recording and storage provider requirements. View an example configuration. --- # Configure an S3-compliant storage provider @@ -11,13 +11,22 @@ description: |- The [MinIO plugin](https://github.com/hashicorp/boundary-plugin-minio/) lets you configure S3-compliant storage providers for session recording. + HashiCorp has tested and confirmed that you can configure the following S3-compliant storage products for session recording using the MinIO plugin: -- [Hitachi Content Platform](#hitachi-content-platform-configuration) +- [Hitachi Content Platform](https://trycontent.hitachivantara.com) + + At the time of the 0.18.0 release, the latest tested and supported Hitachi Content Platform version is `2.6.0.0`. + Newer versions may work as well, but they have not been tested. + +- [Backblaze B2](https://www.backblaze.com/cloud-storage) You can also configure other providers' S3-compliant storage products for session recording storage. We will update the list of providers as we test them. +The process for [configuring the Hitachi Content Platform](#hitachi-content-platform-configuration) is included below as an example. +Configuring other S3-compliant storage products for use with session recording should be a similar process. + ## Requirements Before you can create a storage bucket in Boundary, you must ensure that your environment meets certain requirements. @@ -40,11 +49,10 @@ When you determine storage requirements for the external bucket, you should cons - A service account and access keys for the storage provider You must provide service account access keys when you configure a Boundary storage bucket later on. - Refer to your storage provider's documentation to learn how to set up a service account. - The storage bucket must be configured with R/W access. If you use a - restricted IAM user policy, the following policy actions must be allowed at a minimum. + restricted IAM user policy, you must allow the following policy actions at a minimum. ```json { @@ -73,7 +81,7 @@ When you determine storage requirements for the external bucket, you should cons HashiCorp has tested and confirmed that you can configure the Hitachi Content Platform for external session recording storage using the MinIO plugin. It is included as an example in this topic. -You should be able to configure other S3-compliant storage providers to work for session recording storage as well, but we have not tested other providers. +You should be able to configure other S3-compliant storage providers to work for session recording storage as well, but we have only tested a [limited number of providers](#providers). You must have an account with Hitachi Content Platform to create storage buckets. You can sign up for an account at the following URL: diff --git a/website/content/docs/configuration/session-recording/storage-providers/configure-s3.mdx b/website/content/docs/configuration/session-recording/storage-providers/configure-s3.mdx index 9df0154281..afdd30db4b 100644 --- a/website/content/docs/configuration/session-recording/storage-providers/configure-s3.mdx +++ b/website/content/docs/configuration/session-recording/storage-providers/configure-s3.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Configure Amazon S3 -description: |- - How to configure Amazon S3 as a storage provider for Boundary session recording. +page_title: Configure Amazon S3 storage +description: >- + Configure Amazon S3 as a storage provider for recorded sessions. Understand session recording and AWS requirements. View an example configuration. --- # Configure Amazon S3 as a storage provider diff --git a/website/content/docs/configuration/session-recording/update-storage-policy.mdx b/website/content/docs/configuration/session-recording/update-storage-policy.mdx index febda9084e..8096accc7e 100644 --- a/website/content/docs/configuration/session-recording/update-storage-policy.mdx +++ b/website/content/docs/configuration/session-recording/update-storage-policy.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Update storage bucket policies -description: |- - How to update a storage bucket policy for session recordings in Boundary +description: >- + Update storage bucket policies to manage the lifecycles of session recordings. Understand how changing a policy affects existing and new recorded sessions. --- # Update storage bucket policies diff --git a/website/content/docs/configuration/target-aliases/connect-target-alias.mdx b/website/content/docs/configuration/target-aliases/connect-target-alias.mdx new file mode 100644 index 0000000000..de3227e636 --- /dev/null +++ b/website/content/docs/configuration/target-aliases/connect-target-alias.mdx @@ -0,0 +1,30 @@ +--- +layout: docs +page_title: Overview +description: >- + Learn how to connect to a target configured with an alias. +--- + +After you [Create a target alias](/boundary/docs/configuration/target-aliases/create-target-alias), you can refer to the alias when you establish sessions. + +With aliases, you don't have to specify the target ID, target name, or scope when you connect with Boundary. Target aliases are also required to use [transparent sessions](/boundary/docs/configuration/target-aliases/transparent-sessions). + +# Connect to a target using an alias + +You can substitute an alias whenever you could use the `-id` flag or `-target` flag in the CLI. + +For example, you can use the following command to connect to an SSH target with the ID `ttcp_1234567890`: + +```shell-session +$ boundary connect ssh -target -id ttcp_1234567890 +``` + +If you configured an alias named `example.alias.boundary` for the target, you can now use the alias to connect to the target: + +```shell-session +$ boundary connect ssh example.alias.boundary +``` + +Aliases are globally unique, so you don't need to specify the scope to connect to the target. + +After you verify that you can connect to the target using an alias, you can try to connect to the target using [transparent sessions](/boundary/docs/configuration/target-aliases/transparent-sessions). HCP/ENT \ No newline at end of file diff --git a/website/content/docs/configuration/target-aliases/create-target-alias.mdx b/website/content/docs/configuration/target-aliases/create-target-alias.mdx new file mode 100644 index 0000000000..a2c2304812 --- /dev/null +++ b/website/content/docs/configuration/target-aliases/create-target-alias.mdx @@ -0,0 +1,545 @@ +--- +layout: docs +page_title: Create target aliases +description: >- + Learn how to create a target alias for an existing target, or assign one during target creation. +--- + +# Create target aliases + +You can create aliases and associate them with targets using the following methods: + +- [Create an alias for an existing target](#create-an-alias-for-an-existing-target) +- [Create an alias during target creation](#create-an-alias-during-target-creation) +- [Associate an existing alias with a target](#associate-an-existing-alias-with-a-target) +- [Create multiple target aliases: An example](#create-multiple-aliases-for-a-single-target) + +## Create an alias for an existing target + +You can create a new alias and associate it with an existing target at the same time. + +When you create the target alias, you can choose from the following methods: + +- Create the alias without adding a target +- Create the alias for one or more targets +- Create the alias with an optional host ID + +Complete the following steps to create a new alias and associate it with a target: + + + + +1. Log in to Boundary. +1. Select **Aliases** in the navigation pane. +1. Click **New Alias**. +1. Complete the following fields: + - **Name**: (Optional) Enter an optional name for the alias to use for identification purposes. + - **Description**: (Optional) Enter an optional description for the alias to use for identification purposes. + - **Type**: Select **Target**. + At this time, targets are the only Boundary resources that supports aliasing. + - **Alias Value**: Enter the string that you want to use as the alias to represent the target. + An alias's value can be a hostname or a DNS-like string. + - **Target ID**: (Optional) Specify any targets you want to associate with the alias. + - **Host ID**: (Optional) Enter an optional host ID, if you would like to specify that the alias always uses the same host when you use it to connect to a target. +1. Click **Save**. + + + + +1. Log in to Boundary. +1. Use the following command to create an alias: + + ```shell-session + $ boundary aliases create target \ + -description 'This is an example alias for target tcp_1234567890' \ + -destination-id tcp_1234567890 \ + -name Example Boundary alias \ + -scope-id global \ + -value example.alias.boundary \ + -authorize-session-host-id hst_1234567890 + ``` + + You can use any of the following [attributes](/boundary/docs/concepts/domain-model/aliases) when you create an alias: + + - `-description=` - Specifies the optional description you want to use for identification purposes. + - `-destination-id=` - Specifies the ID of the target that the alias references. + - `-name=` - Specifies the optional name you want to use to describe the alias for identification purposes. + - `-scope-id=` - Scope in which to create the alias. The default is `global`. + You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable. + At this time, aliases are only supported for the global scope. + - `-value=` - Specifies the string that you want to use as the alias to represent the target. + The alias `value` can be a hostname or a DNS-like string. + - `-authorize-session-host-id=` - Optionally indicates the host ID to use when you use the alias to authorize a session. + + + + +## Create an alias during target creation + +You can create a new target and new alias at the same time and associate the two. + +Complete the following steps to create a new target and new alias at the same time: + + + + +1. Log in to Boundary. +1. Select **Targets** in the navigation pane. +1. Click **New Target**. +1. Complete the following fields: + - **Name**: Enter the target name for identification purposes. + - **Description**: (Optional) Enter an optional description for identification purposes. + - **Type**: Select the target type. + You can create SSH or TCP targets. + - **Target Address**: (Optional) Enter a valid IP address or DNS name. + Alternatively, you can configure host catalogs and host sets. + - **Default Port**: (Optional) Enter an optional default port for the target to use for connections. + - **Default Client Port**: (Optional) Enter an optional local proxy port on which to listen when a session is started on a client. + - **Maximum Duration**: (Optional) Enter an optional maximum duration for sessions on this target, in seconds. + - **Maximum Connection**: (Optional) Enter the maximum number of connections allowed per session on this target. + For unlimited connections, enter `-1`. + - **Workers**: (Optional) Select whether you want the worker to function as an ingress and/or egress worker. + - **Aliases**: (Optional) Enter the value fpr any aliases you want to associate with this target, and then click **Add**. + An alias's value can be a hostname or a DNS-like string. + You can associate multiple aliases with a target. +1. Click **Save**. + + + + +1. Log in to Boundary. +1. Use the following command to create a target: + + ```shell-session + $ boundary targets create ssh \ + -description 'This is an example ssh target' \ + -name Example Boundary SSH target \ + -scope-id global \ + -with-alias-authorize-session-host-id hst_1234567890 \ + -with-alias-scope-id global \ + -with-alias-value example.alias.boundary + ``` + + You can use any of the following [attributes](/boundary/docs/concepts/domain-model/targets) when you create a target: + + - `description` - (optional) + An optional description that you can use for identification purposes. + - `name` - (required) + The `name` must be unique within the target's project. + - `scope-id` - (required) + The scope in which to create the target. + The default is `global`. + You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable. + - `-address=` - An optional valid network address for the target to connect to. + You cannot use an address alongside host sources. + - `-default-client-port=` - The default client port on the target. + - `-default-port=` - The default port on the target. + If you do not specify a default port, Boundary uses port 22. + - `-egress-worker-filter=` - A Boolean expression that filters which egress workers can process sessions for the target. + - `-enable-session-recording=` - A Boolean expression you can use to enable session recording for the target. + - `-ingress-worker-filter=` - A Boolean expression that filters which ingress workers can process sessions for the target. + - `-session-connection-limit=` - The maximum number of connections allowed for a session. +A value of `-1` means the connections are unlimited. + - `-session-max-seconds=` - The maximum lifetime of the session, including all connections. + You can specify an integer number of seconds or a duration string. + - `-storage-bucket-id=` - The public ID of the storage bucket to associate with the target. + - `-with-alias-authorize-session-host-id=` - The host ID that an alias uses to authorize sessions for the target. + - `-with-aliasscope-id=` - The scope ID that you want to create the target and alias in. + The default is `global`. + At this time, aliases are only supported for the global scope. + - `-with-alias-value=` - The value of the alias that you want to use to represent the target. + Use this parameter to create the alias and target, and associate them with each other, at the same time. + + Note that you can create SSH or TCP [target types](/boundary/docs/concepts/domain-model/targets#target-types). + The example command in this section creates an SSH target. + + + + +## Associate an existing alias with a target + +If you [created an alias](#create-an-alias-for-an-existing-target) without associating it with a target, you can update it with an existing target at a later time. Complete the following steps to add an alias to a target: + + + + +1. Log in to Boundary. +1. Select **Targets** in the navigation pane. +1. Select the target you want to add an alias to. +1. Under the **Aliases** heading in the right sidebar, click **Add an alias**. +1. Complete the following fields: + - **Name**: (Optional) Enter an optional name for the alias to use for identification purposes. + - **Description**: (Optional) Enter an optional description for the alias to use for identification purposes. + - **Type**: Select **Target**. + At this time, targets are the only Boundary resources that supports aliasing. + - **Alias Value**: Enter the alias value you want to use in commands to represent the target. + An alias's value can be a hostname or a DNS-like string. + - **Target ID**: This field contains the ID of the target you selected to add an alias to. + It is read only. + - **Host ID**: (Optional) Enter an optional host ID, if you would like to specify that the alias always uses the same host when you use it to connect to a target. +1. Click **Save**. + + + + +1. Log in to Boundary. +1. Use the following command to create an alias: + + ```shell-session + $ boundary aliases update target \ + -destination-id tcp_1234567890 \ + -id alt_1234567890 \ + -authorize-session-host-id hst_1234567890 + ``` + + You can use any of the following [attributes](/boundary/docs/concepts/domain-model/aliases) when you update an alias: + + - `-description=` - Specifies the optional description you want to use for identification purposes. + - `-destination-id=` - Specifies the ID of the target that the alias references. + - `id=` - Specifies the ID of the alias you want to update. + - `-name=` - Specifies the optional name you want to use to describe the alias for identification purposes. + - `-scope-id=` - Scope in which to create the alias. The default is `global`. + You can also specify the scope using the BOUNDARY_SCOPE_ID environment variable. + At this time, aliases are only supported for the global scope. + - `-value=` - Specifies the string that you want to use as the alias to represent the target. + The alias `value` must comply with DNS naming rules. + - `-authorize-session-host-id=` - Optionally indicates the host ID to use when you use the alias to authorize a session. + + + + +## Create multiple aliases for a single target + +Target aliases point directly to the target they are associated with. You can assign targets a host set or a direct target address. + +[Host sets](/boundary/docs/concepts/domain-model/host-sets) are sets of functionally equivalent hosts, and are commonly used for deployments at scale. When Boundary authorizes a session, a target assigned a host set will select a host from the host set at random to use for all connections for the session. + +You assign [direct target addresses](/boundary/docs/concepts/domain-model/targets#address) directly to the target. They refer to a specific network resource, like an IP address. Boundary only connects to the direct target address when it establishes a connection to the associated target. + +When you create a target alias, you can also assign it to a specific host. Assigning an alias to a specific host is useful if you want to avoid creating multiple targets for specific hosts using direct target addresses. + +For example, you could create two aliases for the same target that has been assigned a host set. One alias could refer to the target itself, and would allow Boundary to randomly select a host to connect to for a session. Another alias could point to the same target, but you could assign a host ID that Boundary should use for a session. + +### Example + +You may want to create aliases that point to the same target, but that specify which host Boundary should use when it establishes a session. + +In this example, you set up three aliases for the same target: + +1. A target alias without a host specified +1. A target alias with a host ID specified +1. A target alias with a different host ID specified + + + + This example uses SSH target types, which are only available in HCP Boundary and Boundary Enterprise. This process also works for any other target type, including the TCP target type available in Boundary Community Edition. + + + +For this example, assume that the following scopes exist: + +- Org: `engineering`, ID `o_2drCWvp3Oc` +- Project: `app-servers`, ID `p_3ECODJDbXV` + +And the following host set and hosts exist: + +- Host set: `linux-dev-servers`, ID `hsst_56oiL0WaKu` +- Host: `dev-040`, ID `hst_7wGXkF8e0Q` +- Host: `dev-041`, ID `hst_zlRwMMPKwp` + +Because the `linux-dev-servers` hosts are functionally equivalent, you can create a single target for the host set, and create an alias for the target. + +We recommend creating DNS-like aliases to ensure consistent naming conventions. In this example, an alias pattern might be: + +`hostname.host-set.project.org` + +For the `linux-dev-servers` target, create the alias `linux-dev.app-servers.eng`. + + + + +Create the `linux-dev-servers` target. + +1. Log in to Boundary. +1. Select the 'engineering' org and the `app-servers` project. +1. Select **Targets** in the navigation pane. +1. Click **New Target**. +1. Complete the following fields: + - **Name**: `linux-dev-servers` + - **Description**: `linux-dev.app-servers.eng target` + - **Type**: SSH + - **Default Port**: `22` + - **Aliases**: `linux-dev.app-servers.eng` +1. Click **Save**. + +Then add the `linux-dev-servers` host set to the new `linux-dev-servers` target. + +1. Click on the **Host Sources** tab. +1. Click **Add Host Sources**. +1. Select the `linux-dev-servers` host set. +1. Click **Add Host Sources**. + + + + +Create the `linux-dev-servers` target. + +1. Log in to Boundary. +1. Use the following command to create the `linux-dev-servers` target with alias `linux-dev.app-servers.eng`: + + ```shell-session + $ boundary targets create ssh \ + -description 'linux-dev.app-servers.eng target' \ + -name linux-dev-servers \ + -scope-id p_3ECODJDbXV \ + -default-port 22 \ + -with-alias-scope-id global \ + -with-alias-value linux-dev.app-servers.eng + ``` + + Example output: + + + + ```shell-session + $ boundary targets create ssh \ + -description 'linux-dev.app-servers.eng target' \ + -name linux-dev-servers \ + -scope-id p_pj6UUPVJT3 \ + -default-port 22 \ + -with-alias-scope-id global \ + -with-alias-value linux-dev.app-servers.eng + + Target information: + Created Time: Thu, 14 Nov 2024 13:39:36 MST + Description: linux-dev.app-servers.eng target + ID: tssh_lhH5pa425G + Name: linux-dev-servers + Session Connection Limit: -1 + Session Max Seconds: 28800 + Type: ssh + Updated Time: Thu, 14 Nov 2024 13:39:36 MST + Version: 1 + + Scope: + ID: p_3ECODJDbXV + Name: app-servers + Parent Scope ID: o_2drCWvp3Oc + Type: project + + Authorized Actions: + remove-host-sources + remove-credential-sources + authorize-session + delete + set-credential-sources + no-op + read + update + add-host-sources + set-host-sources + add-credential-sources + + Aliases: + ID: alt_CkC6wGKLWW + Value: linux-dev.app-servers.eng + + Attributes: + Default Port: 22 + Enable Session Recording: false + ``` + + + +Then add the `linux-dev-servers` host set (ID `hsst_56oiL0WaKu`) to the new `linux-dev-servers` target (ID `tssh_lhH5pa425G`). + +```shell-session +$ boundary targets add-host-sources -id tssh_lhH5pa425G -host-sourchsst_56oiL0WaKu +``` + + + + +Next, create two more aliases for the target. + +Create the `dev-040.linux-dev.app-servers.eng` alias for the host `dev-040`: + + + + +1. Log in to Boundary. Navigate to the `global` scope. +1. Select **Aliases** in the navigation pane. +1. Click **New Alias**. +1. Complete the following fields: + - **Name**: `dev-040` + - **Description**: `Target alias for dev-040.linux-dev.app-servers.eng` + - **Type**: `Target` + - **Alias Value**: `dev-040.linux-dev.app-servers.eng` + - **Target ID**: `tssh_lhH5pa425G` + - **Host ID**: `hst_7wGXkF8e0Q` +1. Click **Save**. + + + + +1. Log in to Boundary. +1. Use the following command to create an alias for host `dev-040: + + ```shell-session + $ boundary aliases create target \ + -description 'Target alias for dev-040.linux-dev.app-servers.eng' \ + -destination-id tssh_lhH5pa425G \ + -name dev-040 \ + -scope-id global \ + -value dev-040.linux-dev.app-servers.eng \ + -authorize-session-host-id hst_7wGXkF8e0Q + ``` + + Example output: + + + + ```shell-session + $ boundary aliases create target \ + -description 'Target alias for dev-040.linux-dev.app-servers.eng' \ + -destination-id tssh_lhH5pa425G \ + -name dev-040 \ + -scope-id global \ + -value dev-040.linux-dev.app-servers.eng \ + -authorize-session-host-id hst_7wGXkF8e0Q + + Alias information: + Created Time: Thu, 14 Nov 2024 13:55:41 MST + Description: Target alias for dev-040.linux-dev.app-servers.eng + Destination ID: tssh_lhH5pa425G + ID: alt_QeCGTcvlq2 + Name: dev-040 + Type: target + Updated Time: Thu, 14 Nov 2024 13:55:41 MST + Value: dev-040.linux-dev.app-servers.eng + Version: 1 + + Scope: + ID: global + Name: global + Type: global + + Authorized Actions: + no-op + read + update + delete + + Attributes: + authorize_session_arguments: + { + "host_id": "hst_7wGXkF8e0Q" + } + ``` + + + + + + +Then create the `dev-041.linux-dev.app-servers.eng` alias for the host `dev-041`. + + + + +1. Log in to Boundary. Navigate to the `global` scope. +1. Select **Aliases** in the navigation pane. +1. Click **New Alias**. +1. Complete the following fields: + - **Name**: `dev-041` + - **Description**: `Target alias for dev-041.linux-dev.app-servers.eng` + - **Type**: `Target` + - **Alias Value**: `dev-041.linux-dev.app-servers.eng` + - **Target ID**: `tssh_lhH5pa425G` + - **Host ID**: `hst_7wGXkF8e0Q` +1. Click **Save**. + + + + +1. Log in to Boundary. +1. Use the following command to create an alias for host `dev-041`: + + ```shell-session + $ boundary aliases create target \ + -description 'Target alias for dev-041.linux-dev.app-servers.eng' \ + -destination-id tssh_lhH5pa425G \ + -name dev-041 \ + -scope-id global \ + -value dev-041.linux-dev.app-servers.eng \ + -authorize-session-host-id hst_zlRwMMPKwp + ``` + + Example output: + + + + ```shell-session + $ boundary aliases create target \ + -description 'Target alias for dev-041.linux-dev.app-servers.eng' \ + -destination-id tssh_lhH5pa425G \ + -name dev-041 \ + -scope-id global \ + -value dev-041.linux-dev.app-servers.eng \ + -authorize-session-host-id hst_zlRwMMPKwp + + Alias information: + Created Time: Thu, 14 Nov 2024 14:00:13 MST + Description: Target alias for dev-040.linux-dev.app-servers.eng + Destination ID: tssh_lhH5pa425G + ID: alt_X5MRXRSi7t + Name: dev-041 + Type: target + Updated Time: Thu, 14 Nov 2024 14:00:13 MST + Value: dev-041.linux-dev.app-servers.eng + Version: 1 + + Scope: + ID: global + Name: global + Type: global + + Authorized Actions: + no-op + read + update + delete + + Attributes: + authorize_session_arguments: + { + "host_id": "hst_zlRwMMPKwp" + } + ``` + + + + + + +You can now use the aliases to connect to the targets in different contexts. + +The Boundary Desktop Client lists the `linux-dev-servers` target and its aliases under the **Aliases** column. + +When you click **Connect**, a list of the hosts available for the connection appears in the **Quick Connect** box. + +To establish a connection to any `linux-dev` host using the CLI, use the `linux-dev.app-servers.eng` alias: + +```shell-session +$ boundary connect ssh linux-dev.app-servers.eng +``` + +This command randomly selects a host from the `linux-dev-servers` host set attached to the `linux-dev-servers` target. + +To establish a connection to a specific host, connect to its target alias instead: + +```shell-session +$ boundary connect ssh dev-041.linux-dev.app-servers.eng +``` + +This alias still points to the `linux-dev-servers` target, but will only create a session with the `dev-041` host. \ No newline at end of file diff --git a/website/content/docs/configuration/target-aliases/index.mdx b/website/content/docs/configuration/target-aliases/index.mdx new file mode 100644 index 0000000000..634156276a --- /dev/null +++ b/website/content/docs/configuration/target-aliases/index.mdx @@ -0,0 +1,35 @@ +--- +layout: docs +page_title: Overview +description: >- + Learn how to configure aliases and transparent sessions to enhance end-user workflows and simplify target access. +--- + +# Overview + +Target aliases simplify the connection workflow for end users by allowing them to reference targets using a globally unique DNS-like string. + +Without aliases, connecting to an end target requires you to reference the target ID, or a combination of target name and scope: + +```shell-session +$ boundary connect ssh -target-id ttcp_1234567890 +``` + +```shell-session +$ boundary connect ssh -target-name sql-database -target-scope-name -staging +``` + +With target aliases, a single globally referenced value is assigned to a target, simplifying connection workflows and enabling transparent sessions for Enterprise and HCP end users. + +```shell-session +$ boundary connect ssh sql-database-staging +``` + +## Configure target aliases + +To set up a target alias: + +1. [Create a target alias](/boundary/docs/configuration/target-aliases/create-target-alias) +1. [Connect to a target using an alias](/boundary/docs/configuration/target-aliases/connect-target-alias) + +After you set up a target alias, you can optionally [Configure transparent sessions for end users](/boundary/docs/configuration/target-aliases/transparent-sessions). HCP/ENT \ No newline at end of file diff --git a/website/content/docs/configuration/target-aliases/transparent-sessions.mdx b/website/content/docs/configuration/target-aliases/transparent-sessions.mdx new file mode 100644 index 0000000000..c5bca90060 --- /dev/null +++ b/website/content/docs/configuration/target-aliases/transparent-sessions.mdx @@ -0,0 +1,98 @@ +--- +layout: docs +page_title: Configure transparent sessions +description: >- + Learn how to configure transparent sessions to enhance end-user workflows and simplify target access. +--- + +# Configure transparent sessions + +@include 'alerts/enterprise-only.mdx' + +@include 'alerts/beta.mdx' + +## Requirements + +Before you configure transparent sessions, you must: + +- Ensure that the Boundary CLI and Boundary Desktop are not installed in the environment in which you want to run the transparent sessions beta. +- Download the appropriate Boundary installer for your Windows or MacOS environment from the [Install Boundary](/boundary/install#installer) page or the [releases](https://releases.hashicorp.com/boundary-installer) page. + +## Install the Boundary clients + +Complete the following steps to install the Boundary Client Agent, CLI, and Desktop client: + +1. Install Boundary using the installer. +Make sure to select the options **Boundary Client Agent**, **CLI**, and **Desktop**. +1. Open the CLI and type the following command to confirm that the version is 0.18.0: + ```shell-session + $ boundary version + ``` +1. In the CLI, run the status command to confirm that the Boundary Client Agent has started: + + ```shell-session + $ boundary client-agent status + ``` + +## Configure targets + +The following section details how to configure targets and test the transparent sessions public beta feature. + + + + If you use a cluster that was created earlier than release 0.16.0, you must add the grant `list-resolvable-aliases` so that the client agent can populate the local alias cache. + + As an example, you could add the grant: + + `type=user;actions=list-resolvable-aliases;ids=*`. + + + +Complete the following steps to configure targets and test transparent sessions: + +1. Authenticate to Boundary using the CLI or Desktop client. +1. [Create a new target with an alias](/boundary/docs/concepts/aliases#create-an-alias-during-target-creation) or [create an alias for an existing target](/boundary/docs/concepts/aliases#create-an-alias-for-an-existing-target). +Ensure that you have authorization to establish a session to the target. +1. Open the client of your choice and [connect to your target using the alias](/boundary/docs/concepts/aliases#connect-to-a-target-using-an-alias). + + Boundary routes your session using the Boundary Client Agent. + You can validate that Boundary routed the session by looking at the **Sessions** page in the Desktop client, by typing `boundary sessions list -recursive` in the CLI, or by looking at sessions managed by the Client Agent using `boundary client-agent sessions`. + + + + The Client Agent periodically requests an updated list of aliases from the controller, so the alias may not work immediately after you create it. + The alias should be updated in the Client Agent within 2 minutes. If you still see connection issues after 2 minutes, follow the troubleshooting steps in [the Client Agent troubleshooting guide](/boundary/docs/api-clients/client-agent#troubleshooting). + + + +When you have validated that transparent sessions work, you can create and establish transparent sessions to other services. + +To establish transparent sessions to other services: + +1. Make a list of the services you use. +1. Create workers as needed for network partitions. +1. Add the services to Boundary as targets. +1. [Create aliases for the targets](/boundary/docs/configuration/target-aliases/create-target-alias). +1. Connect to the target using your client of choice. + +## Connect using transparent sessions + +Without transparent sessions, you must use the [Boundary connect helpers](/boundary/docs/concepts/connection-workflows) to establish a session: + +```shell-session +$ boundary connect ssh -target-name sql-database -target-scope-name -staging +``` + +Alternatively, you can use the Boundary Desktop Client to start a session, and connect on a local port supplied by Boundary: + +```shell-session +$ ssh 127.0.0.1 -p 55374 +``` + +With transparent sessions, you use the target alias as the address to establish a session. If the [client agent is running](#install-the-boundary-clients) and you have authenticated using the CLI or Boundary Desktop Client, you can use the alias to start a session: + +```shell-session +$ ssh my.alias.name +``` + +Boundary starts the session as usual, and brokers or injects any credentials you have configured. \ No newline at end of file diff --git a/website/content/docs/configuration/worker/index.mdx b/website/content/docs/configuration/worker/index.mdx index 24aff48b9b..e8fcb12563 100644 --- a/website/content/docs/configuration/worker/index.mdx +++ b/website/content/docs/configuration/worker/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Worker - configuration -description: |- - The worker stanza configures worker-specific parameters. +page_title: Worker configuration overview +description: >- + Learn about worker configuration for proxies, storage, and tags. Understand how multi-hop configurations let you chain workers together in private networks. --- # Worker stanza @@ -11,19 +11,19 @@ The `worker` stanza configures Boundary worker-specific parameters. All workers within Boundary use certificates and encryption keys to identify themselves and protect data in transit. However, there are three different -ways to register them so that registration of workers can fit into any workflow; controller-led, worker-led, and via external KMS. +ways to register them so that registration of workers can fit into any workflow: controller-led, worker-led, and via external KMS. The differences in how they are configured are in the sub-pages linked at the bottom of this page. -Workers registered via the worker-led or controller-led methods must be registered in -the system via an API call, and require storage on disk to store the current set -of credentials. Workers registering via an external KMS auto-register after successful authentication, making them an easy mechanism to +Workers registered using the worker-led or controller-led methods must be registered in +the system using an API call, and require storage on disk to store the current set +of credentials. Workers registering using an external KMS auto-register after successful authentication, making them an easy mechanism to use for automatic scaling. This also means they are not required to store credentials locally; each time they connect the KMS is used to reauthenticate them. -~> Prior to version 0.15 of Boundary, there were two different types of workers, PKI & KMS workers. +~> Prior to version 0.15 of Boundary, there were two different types of workers, PKI & KMS workers. If you are using pre-0.15 workers, with pre-0.15 upstreams please be sure to switch the documentation version to `0.13.x` - `0.14.x` for correct information. @@ -87,7 +87,7 @@ worker { Session recordings are stored in the local storage while they are in progress. When the session is complete, Boundary moves the local session recording to remote storage and deletes the local copy. -- `recording_storage_minimum_available_capacity` - A value measured in bytes that defines the worker's local storage state. +- `recording_storage_minimum_available_capacity` - A value measured in bytes that defines the worker's local storage state. Boundary compares this value with the available local disk space found in the `recording_storage_path` to determine if a worker can be used for session recording operations. The supported suffixes are kb, kib, mb, mib, gb, gib, tb, tib, which are not case sensitive. Example: 2GB, 2gb, 2GiB, 2gib. The possible storage states based on the `recording_storage_minimum_available_capacity` are: diff --git a/website/content/docs/configuration/worker/worker-configuration.mdx b/website/content/docs/configuration/worker/worker-configuration.mdx index 0adf359952..a741aabeb9 100644 --- a/website/content/docs/configuration/worker/worker-configuration.mdx +++ b/website/content/docs/configuration/worker/worker-configuration.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Worker configuration -description: |- - Worker-specific parameters. +description: >- + Learn about authorizing workers to the controller and configuring workers for session recording storage. View a complete worker configuration example. --- # Worker configuration diff --git a/website/content/docs/developing/building.mdx b/website/content/docs/developing/building.mdx index 9c323fce8f..5b81627f51 100644 --- a/website/content/docs/developing/building.mdx +++ b/website/content/docs/developing/building.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Build Boundary -description: Build Boundary from source +description: >- + Learn how to build Boundary from the source. Discover resources to compile a cross-platform build and troubleshoot UI assets. --- # Build Boundary diff --git a/website/content/docs/developing/index.mdx b/website/content/docs/developing/index.mdx index e9c285505e..465106acc0 100644 --- a/website/content/docs/developing/index.mdx +++ b/website/content/docs/developing/index.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Develop Boundary -description: Develop Boundary +description: >- + Discover resources to help you build and develop Boundary. --- # Develop Boundary diff --git a/website/content/docs/developing/ui.mdx b/website/content/docs/developing/ui.mdx index 2a92cbeabc..55de5173d7 100644 --- a/website/content/docs/developing/ui.mdx +++ b/website/content/docs/developing/ui.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Develop the UI -description: Develop the Boundary user interface +description: >- + Learn how to develop the Boundary user interface locally for testing. Use dev mode to run a local fork of the UI without building it into the binary. --- # Develop the Boundary user interface diff --git a/website/content/docs/enterprise/automated-license-reporting.mdx b/website/content/docs/enterprise/automated-license-reporting.mdx index 25ac7db968..8ea41e81f8 100644 --- a/website/content/docs/enterprise/automated-license-reporting.mdx +++ b/website/content/docs/enterprise/automated-license-reporting.mdx @@ -2,7 +2,7 @@ layout: docs page_title: Automated license utilization reporting description: >- - Learn what data HashiCorp collects to meter Enterprise license utilization. Enable or disable reporting. Review sample payloads and logs. + Learn what data HashiCorp collects to meter Enterprise license utilization. Enable reporting or opt out. Review sample payloads and logs. --- # Automated license utilization reporting diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 3116a77779..0be3561872 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Boundary Enterprise -description: |- - An overview of Boundary Enterprise +page_title: Boundary Enterprise overview +description: >- + Learn about Boundary Enterprise. Discover resources to upgrade from Community Edition or request assistance. --- # Boundary Enterprise diff --git a/website/content/docs/enterprise/licensing.mdx b/website/content/docs/enterprise/licensing.mdx index 4cec6da668..191187e753 100644 --- a/website/content/docs/enterprise/licensing.mdx +++ b/website/content/docs/enterprise/licensing.mdx @@ -2,7 +2,7 @@ layout: docs page_title: License Boundary Enterprise description: >- - How to license Boundary Enterprise. + Learn how to enable Boundary Enterprise with a valid license. Request access from an account team to enable enterprise features. --- # License Boundary Enterprise diff --git a/website/content/docs/enterprise/supported-versions.mdx b/website/content/docs/enterprise/supported-versions.mdx index 9b75612642..d4d4360d06 100644 --- a/website/content/docs/enterprise/supported-versions.mdx +++ b/website/content/docs/enterprise/supported-versions.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Boundary Enterprise supported versions +page_title: Boundary Enterprise supported version policies description: >- - The supported versions policy for Boundary Enterprise. Includes information about support periods, control plane and worker compatibility, and Postgres database version support. + Learn about Enterprise support policies. Includes information about support periods, control plane and worker compatibility, and PostgreSQL database versions. --- # Boundary Enterprise supported versions policy @@ -31,13 +31,29 @@ Customers are recommended to run the latest versions of Boundary in order to lev ## Control plane and client/cli compatibility -The supported version compatibility between Boundary's control plane and Boundary clients/cli is the same as control plane and worker compatibility. Within a Boundary Enterprise deployment API backwards compatibility is only supported between the control plane and clients from the prior “major release”. Using clients on newer versions than the control plane they are registered with is not supported. +The supported version compatibility between Boundary's control plane and Boundary clients/CLI is the same as control plane and worker compatibility. Within a Boundary Enterprise deployment API backwards compatibility is only supported between the control plane and clients from the prior “major release”. Using clients on newer versions than the control plane they are registered with is not supported. For example, Boundary clients version 0.14.0 are compatible with Boundary control plane running Boundary 0.15.0. However, they will not have compatibility once the control plane is updated to version 0.16.0 or above. Boundary clients version 0.16.0 are not compatible with Boundary control plane running Boundary 0.15.0 or lower. Customers are recommended to run the latest versions of Boundary in order to leverage the newest features and bug fixes. +The Desktop client uses a different numbering scheme than the CLI and control plane. +Refer to the table for the Desktop version that corresponds to the control plane version. + +| Desktop version | Control plane version | +| --------------- | ----------- | +| 2.1.0 | 0.17.0 | +| 2.0.3 | 0.16.0 | +| 2.0.2 | 0.15.3 | +| 2.0.1 | 0.15.1 | +| 2.0.0 | 0.15.0 | + +For example, the Desktop version 2.0.3 is compatible with version 0.17.0 of the control plane. +But when the control plane is upgraded to 0.18.0, version 2.0.3 will no longer be officially supported. + +To view the Desktop version along with the corresponding CLI and control plane version, click **Boundary**, and then click **About Boundary** in the Desktop client. + ## PostgreSQL support policy Boundary Enterprise will only support PostgreSQL version 13 and above at launch. diff --git a/website/content/docs/getting-started/dev-mode/connect-to-dev-target.mdx b/website/content/docs/getting-started/dev-mode/connect-to-dev-target.mdx index 6c0ec219e5..ff14b80048 100644 --- a/website/content/docs/getting-started/dev-mode/connect-to-dev-target.mdx +++ b/website/content/docs/getting-started/dev-mode/connect-to-dev-target.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Connect to your first target -description: |- - Connecting to your first target +description: >- + Learn how to connect to targets using Boundary, and optionally use connect helpers, exec flag, SSH ProxyCommand, and Desktop Client features. --- # Connect to your first target diff --git a/website/content/docs/getting-started/dev-mode/dev-mode.mdx b/website/content/docs/getting-started/dev-mode/dev-mode.mdx index ba20075db6..a42c98132e 100644 --- a/website/content/docs/getting-started/dev-mode/dev-mode.mdx +++ b/website/content/docs/getting-started/dev-mode/dev-mode.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: What is dev mode? -description: Getting started with Boundary Community Edition in dev mode +description: >- + Learn about Boundary's dev mode and how it enables you to quickly deploy a temporary, pre-configured Boundary environment for testing and learning purposes. --- # What is dev mode? diff --git a/website/content/docs/getting-started/dev-mode/run-and-login.mdx b/website/content/docs/getting-started/dev-mode/run-and-login.mdx index 80f57c6a58..93c212ea30 100644 --- a/website/content/docs/getting-started/dev-mode/run-and-login.mdx +++ b/website/content/docs/getting-started/dev-mode/run-and-login.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Run and log in to Boundary -description: |- - How to run Boundary services in dev mode and log in for the first time. +description: >- + Run and authenticate to Boundary in dev mode using pre-configured credentials. Dev mode lets you try Boundary in an environment with ephemeral sample resources. --- # Run and log in to Boundary diff --git a/website/content/docs/getting-started/index.mdx b/website/content/docs/getting-started/index.mdx index 1497cb28e8..074caf2ddb 100644 --- a/website/content/docs/getting-started/index.mdx +++ b/website/content/docs/getting-started/index.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Get started -description: Get started with Boundary +description: >- + Understand the difference between HCP Boundary, Boundary Enterprise, and Boundary Community Edition to determine which is best for your needs. --- # Get started diff --git a/website/content/docs/hcp/get-started/connect-to-target.mdx b/website/content/docs/hcp/get-started/connect-to-target.mdx index 4674ae7802..fa905474e8 100644 --- a/website/content/docs/hcp/get-started/connect-to-target.mdx +++ b/website/content/docs/hcp/get-started/connect-to-target.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Connect to target -description: |- - Connecting to your first target +page_title: Connect to a target +description: >- + Understand how to connect to targets using HCP Boundary. Learn how to select targets and use your choice of client and connect helpers to facilitate connections. --- # Connect to your first target diff --git a/website/content/docs/hcp/get-started/deploy-and-login.mdx b/website/content/docs/hcp/get-started/deploy-and-login.mdx index 9d731b266c..c22dbebf3f 100644 --- a/website/content/docs/hcp/get-started/deploy-and-login.mdx +++ b/website/content/docs/hcp/get-started/deploy-and-login.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Deploy and log in -description: |- - How to deploy HCP Boundary services and log in for the first time. +description: >- + Learn about the requirements for using HCP Boundary. Deploy a cluster, and log in for the first time. Discover resources to learn more. --- # Deploy HCP Boundary and log in diff --git a/website/content/docs/hcp/index.mdx b/website/content/docs/hcp/index.mdx index b92aef3d66..d1018de1e0 100644 --- a/website/content/docs/hcp/index.mdx +++ b/website/content/docs/hcp/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: HCP Boundary -description: |- - An overview of HCP Boundary +page_title: HCP Boundary overview +description: >- + Discover resources to learn about and try HCP Boundary. --- # HCP Boundary diff --git a/website/content/docs/install-boundary/architecture/fault-tolerance.mdx b/website/content/docs/install-boundary/architecture/fault-tolerance.mdx index b7aef8a779..e5f1d7127b 100644 --- a/website/content/docs/install-boundary/architecture/fault-tolerance.mdx +++ b/website/content/docs/install-boundary/architecture/fault-tolerance.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Fault tolerance recommendations -description: |- - Boundary fault tolerance characteristics +description: >- + Understand Boundary fault tolerance recommendations to increase availability, reduce risk. Minimize the impact of node, availability zone, and regional failures. --- # Fault tolerance recommendations diff --git a/website/content/docs/install-boundary/architecture/high-availability.mdx b/website/content/docs/install-boundary/architecture/high-availability.mdx index 8d50d94feb..0f54c1d7be 100644 --- a/website/content/docs/install-boundary/architecture/high-availability.mdx +++ b/website/content/docs/install-boundary/architecture/high-availability.mdx @@ -1,8 +1,9 @@ --- layout: docs page_title: High availability installation -description: |- - How to install Boundary as a high availability service +description: >- + Learn about network requirements and architecture to set up Boundary for high availability, including database, load balancer, and configuration best practices. + --- # High availability installation diff --git a/website/content/docs/install-boundary/architecture/recommended-architecture.mdx b/website/content/docs/install-boundary/architecture/recommended-architecture.mdx index 96e1e2af58..30784d7a5c 100644 --- a/website/content/docs/install-boundary/architecture/recommended-architecture.mdx +++ b/website/content/docs/install-boundary/architecture/recommended-architecture.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Recommended architecture -description: |- - Boundary architecture recommendations +description: >- + Learn about the recommended architectures for two main Boundary user workflows: an administrator configuring Boundary and an end user connecting to a target. --- # Recommended architecture diff --git a/website/content/docs/install-boundary/architecture/system-requirements.mdx b/website/content/docs/install-boundary/architecture/system-requirements.mdx index e479bba4d2..e404a52f64 100644 --- a/website/content/docs/install-boundary/architecture/system-requirements.mdx +++ b/website/content/docs/install-boundary/architecture/system-requirements.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: System requirements -description: |- - Boundary system requirements +description: >- + Learn about Boundary system requirements including recommendations for hardware sizing, network connectivity, traffic encryption, databases, and load balancers. --- # System requirements diff --git a/website/content/docs/install-boundary/configure-controllers.mdx b/website/content/docs/install-boundary/configure-controllers.mdx index a6aef8785e..afc4af1711 100644 --- a/website/content/docs/install-boundary/configure-controllers.mdx +++ b/website/content/docs/install-boundary/configure-controllers.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Configure controllers -description: |- - Configure Boundary controllers +description: >- + Configure Boundary controllers for a self-managed deployment, including TLS, KMS, and database parameters. Start the service, authenticate, and manage resources. --- # Configure controllers @@ -339,3 +339,9 @@ This allows you to configure targets within those scopes and manage them. HashiCorp recommends that you use the [KMS recovery workflow](/boundary/docs/install-boundary/initialize#log-in-with-recovery-kms) to log in to Boundary for the first time. Refer to [Creating your first login account](/boundary/docs/install-boundary/initialize#create-your-first-login-account) to learn about setting up your first auth method, user, account, and role to log in to Boundary going forward without the recovery KMS workflow. + +After configuring the controller, you should: + +- [Configure Boundary workers](/boundary/docs/install-boundary/configure-workers) +- [Initialize Boundary](/boundary/docs/install-boundary/initialize) +- [Install the Boundary Clients](/boundary/docs/install-boundary/install-clients) \ No newline at end of file diff --git a/website/content/docs/install-boundary/configure-workers.mdx b/website/content/docs/install-boundary/configure-workers.mdx index 2e856857bb..d4f8f188b2 100644 --- a/website/content/docs/install-boundary/configure-workers.mdx +++ b/website/content/docs/install-boundary/configure-workers.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Configure workers -description: |- - Configure Boundary workers +description: >- + Configure Boundary workers for a self-managed deployment, including environment files and KMS keys. Set up ingress, intermediary, and egress roles for multi-hop. --- # Configure workers @@ -535,3 +535,8 @@ name, and admin password when prompted. + +After configuring workers, you should: + +- [Initialize Boundary](/boundary/docs/install-boundary/initialize) +- [Install the Boundary Clients](/boundary/docs/install-boundary/install-clients) \ No newline at end of file diff --git a/website/content/docs/install-boundary/install.mdx b/website/content/docs/install-boundary/deploy.mdx similarity index 82% rename from website/content/docs/install-boundary/install.mdx rename to website/content/docs/install-boundary/deploy.mdx index 2d1aa86423..25dedec7a0 100644 --- a/website/content/docs/install-boundary/install.mdx +++ b/website/content/docs/install-boundary/deploy.mdx @@ -1,11 +1,16 @@ --- layout: docs -page_title: Install Boundary -description: |- - Install a self-managed version of Boundary +page_title: Deploy Boundary +description: >- + Deploy a self-managed version of Boundary Enterprise or Community Edition on Ubuntu/Debian, CentOS/RHEL, or Amazon Linux by installing the binary file. --- -# Install Boundary +# Deploy Boundary + +To deploy a self-managed Boundary environment you should: + +1. Deploy and configure Boundary controllers and workers +2. Install end-user clients This guide outlines the required steps to manually install and configure a single HashiCorp Boundary cluster as defined in the [Recommended @@ -13,6 +18,8 @@ architecture](/boundary/docs/install-boundary/recommended-architecture) topic. It assumes you install Boundary on virtual machines (VMs) or bare-metal servers running a Debian or Red Hat-based Linux distribution. +To learn about installing end-user clients, refer to the [Install Boundary clients](/boundary/docs/install-boundary/install-clients) page. + This document includes general guidance as well as specific recommendations for popular cloud infrastructure platforms. These recommendations have also been encoded into official Terraform reference architectures for @@ -27,11 +34,15 @@ In addition to installing the Boundary binary, the official package also provides a systemd service unit, and a local `boundary` user account under which the service runs. + + You must complete the following steps for each Boundary controller and worker node that you want to deploy. The binary operates as either a worker or -controller, depending on the subsequent configuration that you generate for the +controller, depending on the configuration that you generate for the Boundary binary. + + The steps vary by Linux distribution. Select your distribution of Boundary, and complete the steps to install the @@ -39,6 +50,7 @@ binary: + @@ -189,4 +201,13 @@ binary: - \ No newline at end of file + + +You should install the binary on the controller and worker instances you configure to run in your Boundary environments. + +Next, you should: + +- [Configure Boundary controllers](/boundary/docs/install-boundary/configure-controllers) +- [Configure Boundary workers](/boundary/docs/install-boundary/configure-workers) +- [Initialize Boundary](/boundary/docs/install-boundary/initialize) +- [Install the Boundary Clients](/boundary/docs/install-boundary/install-clients) \ No newline at end of file diff --git a/website/content/docs/install-boundary/index.mdx b/website/content/docs/install-boundary/index.mdx index 6cd5b05259..e6ce233474 100644 --- a/website/content/docs/install-boundary/index.mdx +++ b/website/content/docs/install-boundary/index.mdx @@ -1,14 +1,28 @@ --- layout: docs page_title: Overview -description: |- - Deploying a self-managed version of Boundary +description: >- + Discover resources for deploying a self-managed version of Boundary Enterprise or Boundary Community Edition. --- # Overview -This section details installing Boundary in a self-managed environment. +This section details deploying Boundary in a self-managed environment. You can use the topics in this section to install the Community Edition or the Enterprise version of Boundary. The section also includes reference architecture, system requirement recommendations, and best practices. -To deploy HCP Boundary instead, refer to the [HCP Boundary Get Started section](/boundary/docs/hcp/get-started/deploy-and-login). \ No newline at end of file +To deploy HCP Boundary instead, refer to the [HCP Boundary Get Started section](/boundary/docs/hcp/get-started/deploy-and-login). + +This section outlines the following topics for deploying your self-managed environment: + +- Architectural considerations + - [System requirements](/boundary/docs/install-boundary/architecture/system-requirements) + - [Recommended architecture](/boundary/docs/install-boundary/architecture/recommended-architecture) + - [Fault tolerance](/boundary/docs/install-boundary/architecture/fault-tolerance) + - [High availability](/boundary/docs/install-boundary/architecture/high-availability) +- [Deploy Boundary](/boundary/docs/install-boundary/deploy) +- [Configure controllers](/boundary/docs/install-boundary/configure-controllers) +- [Configure workers](/boundary/docs/install-boundary/configure-workers) +- [Initialize Boundary](/boundary/docs/install-boundary/initialize) +- [Install Boundary clients](/boundary/docs/install-boundary/install-clients) +- [Terraform patterns](/boundary/docs/install-boundary/terraform-patterns) \ No newline at end of file diff --git a/website/content/docs/install-boundary/initialize.mdx b/website/content/docs/install-boundary/initialize.mdx index db0adce394..d128316871 100644 --- a/website/content/docs/install-boundary/initialize.mdx +++ b/website/content/docs/install-boundary/initialize.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Initialize Boundary -description: |- - Creating your first login account +description: >- + Initialize new Boundary self-managed installations. Log in with the recovery KMS to create initial scope, auth method, login account, user, and role resources. --- # Initialize Boundary @@ -10,6 +10,8 @@ description: |- This document describes how to access Boundary for the first time and create the necessary resources to log in as a user. +You can also initialize and manage Boundary using Terraform. Refer to the [Terraform patterns](/boundary/docs/install-boundary/terraform-patterns) page to learn more. + ## Requirements Before you initialize Boundary, you should have [initialized a database](/boundary/docs/install-boundary/configure-controllers#initialize-the-database). @@ -460,3 +462,9 @@ resource "boundary_role" "project_admin" { boundary authenticate password \ -auth-method-id ``` + +After initializing Boundary, you should: + +Next, you should: + +- [Install the Boundary Clients](/boundary/docs/install-boundary/install-clients) \ No newline at end of file diff --git a/website/content/docs/install-boundary/install-clients.mdx b/website/content/docs/install-boundary/install-clients.mdx new file mode 100644 index 0000000000..c84076a36f --- /dev/null +++ b/website/content/docs/install-boundary/install-clients.mdx @@ -0,0 +1,65 @@ +--- +layout: docs +page_title: Install Boundary clients +description: >- + Install the Boundary CLI, Boundary Desktop Client app, or Boundary installer for Boundary Enterprise or Community Edition on Windows, MacOS, or Linux. +--- + +# Install Boundary clients + +Boundary end users access infrastructure targets using the Boundary Desktop Client app or the Boundary CLI. Enterprise or HCP Boundary users can use transparent sessions to proxy traffic through the Boundary Client Agent HCP/ENT. + +This guide outlines the required steps to manually install and configure a Boundary client depending on which distribution of Boundary end users access. + +To learn about installing the Boundary binary when you deploy Boundary controllers or workers, refer to the [Deploy Boundary](/boundary/docs/install-boundary/deploy) page. + +Select your Boundary distribution, and complete the steps to install the +correct clients: + + + + +@include 'alerts/enterprise-only.mdx' + + + + The Boundary installer includes the Boundary Client Agent, which is a beta feature. For production environments, consider downloading the Boundary binary and Boundary Desktop Client directly from the [Install Boundary](/boundary/install) page. + + + +The Boundary installer bundles together the following components: + +- Boundary binary (CLI) +- Boundary Desktop Client app +- Boundary Client Agent HCP/ENT BETA + +Download the appropriate Boundary installer for your Windows, MacOS, or Linux environment from the [Install Boundary](/boundary/install#installer) page or the [releases](https://releases.hashicorp.com/boundary-installer) page. You can also download the components individually, but compatibility is not guaranteed. Refer to the [Supported versions policy](/boundary/docs/enterprise/supported-versions#control-plane-and-client-cli-compatibility) to learn more. + + + + Before you launch the Boundary installer, ensure that you have uninstalled all previous versions of the Boundary binary and Boundary Desktop Client app. + + + +To learn more about installing the Boundary CLI and Boundary Desktop Client app, refer to the [Get started with HCP Boundary](/boundary/tutorials/get-started-hcp) tutorials. + + + + +We recommend the following components for end users: + +- Boundary binary (CLI) +- Boundary Desktop Client app + +Download these components for your Windows, MacOS, or Linux environment from the [Install Boundary](/boundary/install) page or the [HashiCorp releases](https://releases.hashicorp.com/) page. + + + +Client compatibility is not guaranteed. You should always ensure that your client is compatible with the version of the Boundary control plane you are connecting to. Refer to the [Supported versions policy](/boundary/docs/enterprise/supported-versions#control-plane-and-client-cli-compatibility) to learn more. + + + +To learn more about installing the Boundary CLI and Boundary Desktop Client app, refer to the [Get started with self-managed Boundary](/boundary/tutorials/get-started-community) tutorials. + + + \ No newline at end of file diff --git a/website/content/docs/install-boundary/terraform-patterns/index.mdx b/website/content/docs/install-boundary/terraform-patterns/index.mdx index 32fa38e999..700331926f 100644 --- a/website/content/docs/install-boundary/terraform-patterns/index.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Terraform patterns for Boundary -description: |- - Learn how to configure the Terraform Boundary provider so that you can use Terraform patterns to install and manage Boundary. +description: >- + Configure the Terraform Boundary provider so that you can use Terraform patterns to install and manage Boundary resources. --- # Terraform patterns for Boundary diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-credentials-and-credential-stores.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-credentials-and-credential-stores.mdx index fbf3a1d28c..40e8030e26 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-credentials-and-credential-stores.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-credentials-and-credential-stores.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Terraform patterns for Boundary credentials and credential stores -description: |- +description: >- Use Terraform patterns to create and manage Boundary credentials and credential stores. Learn how to create static or Vault credential stores, add credentials. --- diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-groups-and-rbac.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-groups-and-rbac.mdx index 92ac2c3227..7c9a7ada0c 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-groups-and-rbac.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-groups-and-rbac.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Terraform patterns for Boundary groups and RBAC -description: |- +description: >- Use Terraform patterns to create and manage Boundary groups and role-based access control (RBAC). Learn how to add users to managed groups and assign roles. --- diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-hosts-and-host-management.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-hosts-and-host-management.mdx index 5975526d92..bf41a985ec 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-hosts-and-host-management.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-hosts-and-host-management.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Terraform patterns for Boundary hosts and host management -description: |- +description: >- Use Terraform patterns to create and manage Boundary hosts and host catalogs. Learn how to add static or plugin-based hosts to static or dynamic host catalogs. --- diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-scopes.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-scopes.mdx index a5b905d631..e13f831781 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-scopes.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-scopes.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Terraform patterns for Boundary scopes -description: |- +description: >- Use Terraform patterns to create and manage Boundary scopes. Learn how to configure global, org-level, and project-level scopes using the Boundary provider. --- diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-session-recording.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-session-recording.mdx index 2ea39b48e3..a4cb08891e 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-session-recording.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-session-recording.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Terraform patterns for Boundary session recording -description: |- - Use Terraform patterns to enable session recording for auditing user sessions in Boundary. Learn how to configure prerequisite storage policies and buckets. +description: >- + Use Terraform patterns to enable session recording for auditing user sessions in Boundary. Learn how to configure storage policies and storage buckets. --- # Terraform patterns for Boundary session recording diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-targets.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-targets.mdx index 46ce1c9a8d..a3472896c6 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-targets.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-targets.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Terraform patterns for Boundary targets -description: |- +description: >- Use Terraform patterns to create and manage Boundary targets. Learn how to configure SSH and TCP targets, inject passwords, and enable session recording. --- diff --git a/website/content/docs/install-boundary/terraform-patterns/terraform-users-and-auth-methods.mdx b/website/content/docs/install-boundary/terraform-patterns/terraform-users-and-auth-methods.mdx index 0fdae66384..c72cae70ee 100644 --- a/website/content/docs/install-boundary/terraform-patterns/terraform-users-and-auth-methods.mdx +++ b/website/content/docs/install-boundary/terraform-patterns/terraform-users-and-auth-methods.mdx @@ -1,7 +1,7 @@ --- layout: docs page_title: Terraform patterns for Boundary users and auth methods -description: |- +description: >- Use Terraform patterns to create and manage Boundary users and auth methods. Learn how to configure password and LDAP auth methods, add accounts, create users. --- diff --git a/website/content/docs/integrations/index.mdx b/website/content/docs/integrations/index.mdx index efb5d34a5c..55a23b5213 100644 --- a/website/content/docs/integrations/index.mdx +++ b/website/content/docs/integrations/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Integrations -description: |- - Integrations that extend Boundary +description: >- + Discover integrations that extend Boundary's features and capabilities. --- # Overview diff --git a/website/content/docs/integrations/vault/index.mdx b/website/content/docs/integrations/vault/index.mdx index 7b4c0fd289..4a296e0004 100644 --- a/website/content/docs/integrations/vault/index.mdx +++ b/website/content/docs/integrations/vault/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Vault integration -description: |- - Describes the benefits of integrating HashiCorp Boundary and Vault. +description: >- + Understand the security benefits of integrating Boundary and Vault to manage secrets and broker or inject credentials. Set up Vault as an OIDC bridge provider. --- # Vault integration diff --git a/website/content/docs/operations/health.mdx b/website/content/docs/operations/health.mdx index 3144f5c19d..39dd46b5e5 100644 --- a/website/content/docs/operations/health.mdx +++ b/website/content/docs/operations/health.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Boundary health endpoints -description: |- - Verify the Boundary controller and worker server status using health endpoints. +description: >- + Learn about using health endpoints to verify controller and worker server status. Check their health using wget. View an example response and configuration. --- # Boundary health endpoints diff --git a/website/content/docs/operations/index.mdx b/website/content/docs/operations/index.mdx index f933601ccf..18e44f7119 100644 --- a/website/content/docs/operations/index.mdx +++ b/website/content/docs/operations/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Operating Boundary -description: |- - Operational tasks in Boundary. +page_title: Maintaining and operating Boundary +description: >- + Discover resources to help you learn more about maintaining and operating Boundary, including information about metrics and health. --- # Maintaining and operating Boundary diff --git a/website/content/docs/operations/metrics.mdx b/website/content/docs/operations/metrics.mdx index c36f9329be..9a253337a8 100644 --- a/website/content/docs/operations/metrics.mdx +++ b/website/content/docs/operations/metrics.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Boundary Metrics -description: |- - Obtain visibility of various components of a running Boundary +page_title: Boundary metrics +description: >- + Learn about using a metrics listener to monitor your Boundary components. View the available controller and worker metrics, and an example configuration. --- # Boundary metrics diff --git a/website/content/docs/operations/session-recordings/index.mdx b/website/content/docs/operations/session-recordings/index.mdx index de85c2247f..15b8bd1c1b 100644 --- a/website/content/docs/operations/session-recordings/index.mdx +++ b/website/content/docs/operations/session-recordings/index.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Recorded sessions operations -description: |- - How to work with Boundary's recorded sessions +page_title: Recorded sessions format and security +description: >- + Learn about asciicast, the recording format used for recorded sessions. Understand security concerns and discover resources for working with recorded sessions. --- # Recorded sessions operations diff --git a/website/content/docs/operations/session-recordings/manage-recorded-sessions.mdx b/website/content/docs/operations/session-recordings/manage-recorded-sessions.mdx index 1bb0f7552d..53db89f618 100644 --- a/website/content/docs/operations/session-recordings/manage-recorded-sessions.mdx +++ b/website/content/docs/operations/session-recordings/manage-recorded-sessions.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Manage recorded sessions -description: |- - How to find, download, and view Boundary's recorded sessions +page_title: Find and view recorded sessions +description: >- + Find and view recorded sessions. View a list of all recorded sessions, or search for a specific recording. Download recorded sessions to meet compliance needs. --- # Find and view recorded sessions diff --git a/website/content/docs/operations/session-recordings/validate-data-store.mdx b/website/content/docs/operations/session-recordings/validate-data-store.mdx index 142a257d63..be7f20c7b7 100644 --- a/website/content/docs/operations/session-recordings/validate-data-store.mdx +++ b/website/content/docs/operations/session-recordings/validate-data-store.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Validate the data integrity in the external object store -description: |- - How Boundary validates the data integrity of recorded sessions in the external object store +page_title: Validate data integrity in the external object store +description: >- + Learn about how Boundary validates the data integrity of the BSR file in the external data store to ensure that the file has not been tampered with. --- # How Boundary validates data integrity in the external object store diff --git a/website/content/docs/operations/session-recordings/validate-session-recordings.mdx b/website/content/docs/operations/session-recordings/validate-session-recordings.mdx index b017fddd42..35bd05b5ba 100644 --- a/website/content/docs/operations/session-recordings/validate-session-recordings.mdx +++ b/website/content/docs/operations/session-recordings/validate-session-recordings.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Validate the integrity recorded sessions -description: |- - How to validate the integrity of Boundary's recorded sessions +page_title: Validate recorded session integrity +description: >- + View the components of the Boundary Session Recording (BSR) file. Verify the integrity of the contents of a BSR cryptographically to ensure security compliance. --- # Validate the integrity of session recordings diff --git a/website/content/docs/overview/use-cases.mdx b/website/content/docs/overview/use-cases.mdx index 252f545712..377779724c 100644 --- a/website/content/docs/overview/use-cases.mdx +++ b/website/content/docs/overview/use-cases.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Use cases -description: A list of Boundary use cases +description: >- + Learn how HashiCorp Boundary can help you with zero trust access, multi-cloud access, single-sign on with integrated secrets management, and session monitoring. --- # Use cases diff --git a/website/content/docs/overview/vs/bastion-hosts.mdx b/website/content/docs/overview/vs/bastion-hosts.mdx index bd314f684d..4fbdd193ab 100644 --- a/website/content/docs/overview/vs/bastion-hosts.mdx +++ b/website/content/docs/overview/vs/bastion-hosts.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary vs. bastion hosts -description: Compares Boundary to bastion hosts +description: >- + Learn how Boundary compares to bastion hosts by providing tightly controlled, just-in-time access to infrastructure using role-based access controls (RBAC). --- # Boundary vs. bastion hosts diff --git a/website/content/docs/overview/vs/other-software.mdx b/website/content/docs/overview/vs/other-software.mdx index f47b69c6c3..9bf6130c04 100644 --- a/website/content/docs/overview/vs/other-software.mdx +++ b/website/content/docs/overview/vs/other-software.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary vs. other software -description: Compares Boundary to other security technologies +description: >- + Learn how HashiCorp Boundary compares to other security technologies. --- # Boundary vs. other software diff --git a/website/content/docs/overview/vs/pam.mdx b/website/content/docs/overview/vs/pam.mdx index 4d34797475..fbb05ed3e8 100644 --- a/website/content/docs/overview/vs/pam.mdx +++ b/website/content/docs/overview/vs/pam.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary vs. privileged access management -description: Compares Boundary to using a privileged access management (PAM) solution +description: >- + Learn how Boundary compares to privileged access management (PAM) solutions by providing automation for user and credential management and service discovery. --- # Boundary vs. privileged access management diff --git a/website/content/docs/overview/vs/sdp.mdx b/website/content/docs/overview/vs/sdp.mdx index dc1689a730..6b8d27a2a7 100644 --- a/website/content/docs/overview/vs/sdp.mdx +++ b/website/content/docs/overview/vs/sdp.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary vs. software-defined perimeter -description: Compares Boundary to using a software-defined perimeter solution +description: >- + Learn how Boundary compares to software-defined perimeter (SDP) tools using dynamic credentials, context-based access, automated host discovery, and auditing. --- # Boundary vs. software-defined perimeter diff --git a/website/content/docs/overview/vs/secrets-management.mdx b/website/content/docs/overview/vs/secrets-management.mdx index dbf8f27132..e9d0010ece 100644 --- a/website/content/docs/overview/vs/secrets-management.mdx +++ b/website/content/docs/overview/vs/secrets-management.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary vs. secrets management tools (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.) -description: Compares Boundary to using secrets management tools (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.) +description: >- + Learn how Boundary compares to secrets management tools and how it can compliment them to provide identity-based access, automated host discovery, and auditing. --- # Boundary vs. secrets management tools (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.) diff --git a/website/content/docs/overview/vs/vpn.mdx b/website/content/docs/overview/vs/vpn.mdx index 40ea8f06c3..4d5fd60a2e 100644 --- a/website/content/docs/overview/vs/vpn.mdx +++ b/website/content/docs/overview/vs/vpn.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary vs. VPNs -description: Compares Boundary to using a virtual private network (VPN) +description: >- + Learn how Boundary compares to VPNs by using an Identity Provider (IdP) to grant users remote access to specific permitted services, but not the entire network. --- # Boundary vs. VPNs diff --git a/website/content/docs/overview/vs/zero-trust.mdx b/website/content/docs/overview/vs/zero-trust.mdx index 7c8f2aa449..51168f9b66 100644 --- a/website/content/docs/overview/vs/zero-trust.mdx +++ b/website/content/docs/overview/vs/zero-trust.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: Boundary and zero trust -description: Describes how Boundary applies to a zero trust security approach +description: >- + Learn how Boundary enables a zero trust approach to security in which all access transactions are authenticated and authorized based on trusted identity. --- # Boundary and zero trust diff --git a/website/content/docs/overview/what-is-boundary.mdx b/website/content/docs/overview/what-is-boundary.mdx index d3d6a27d44..d2f7a454e8 100644 --- a/website/content/docs/overview/what-is-boundary.mdx +++ b/website/content/docs/overview/what-is-boundary.mdx @@ -1,7 +1,8 @@ --- layout: docs page_title: What is Boundary? -description: An introduction to Boundary +description: >- + HashiCorp Boundary is a secure remote access solution that you can use to configure least-privileged, just-in-time access to systems, services, and applications. --- # What is Boundary? diff --git a/website/content/docs/release-notes/index.mdx b/website/content/docs/release-notes/index.mdx index 6e05bfbfef..4121274893 100644 --- a/website/content/docs/release-notes/index.mdx +++ b/website/content/docs/release-notes/index.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Release notes -description: |- - Boundary release notes +description: >- + Discover more information about the important updates in each version of Boundary in the release notes. --- # Release notes diff --git a/website/content/docs/release-notes/v0_10_0.mdx b/website/content/docs/release-notes/v0_10_0.mdx index f89a43978a..631d532f31 100644 --- a/website/content/docs/release-notes/v0_10_0.mdx +++ b/website/content/docs/release-notes/v0_10_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.10.0 -description: |- - Boundary release notes for v0.10.0 +page_title: v0.10.0 release notes +description: >- + Learn more about the features included in the Boundary 0.10.0 release and discover what has changed. --- # Boundary v0.10.0 diff --git a/website/content/docs/release-notes/v0_11_0.mdx b/website/content/docs/release-notes/v0_11_0.mdx index dab7e1e4f6..c0a285a335 100644 --- a/website/content/docs/release-notes/v0_11_0.mdx +++ b/website/content/docs/release-notes/v0_11_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.11.0 -description: |- - Boundary release notes for v0.11.0 +page_title: v0.11.0 release notes +description: >- + Learn more about the features included in the Boundary 0.11.0 release and discover what has changed. --- # Boundary v0.11.0 diff --git a/website/content/docs/release-notes/v0_12_0.mdx b/website/content/docs/release-notes/v0_12_0.mdx index 423f6faf9e..de65b24d8d 100644 --- a/website/content/docs/release-notes/v0_12_0.mdx +++ b/website/content/docs/release-notes/v0_12_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.12.0 -description: |- - Boundary release notes for v0.12.0 +page_title: v0.12.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.12.0 release and understand deprecations and changes. --- # Boundary v0.12.0 diff --git a/website/content/docs/release-notes/v0_13_0.mdx b/website/content/docs/release-notes/v0_13_0.mdx index 629f461f66..d873e5cafa 100644 --- a/website/content/docs/release-notes/v0_13_0.mdx +++ b/website/content/docs/release-notes/v0_13_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.13.0 -description: |- - Boundary release notes for v0.13.0 +page_title: v0.13.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.13.0 release. Understand any deprecations, changes, and known issues. --- # Boundary v0.13.0 diff --git a/website/content/docs/release-notes/v0_14_0.mdx b/website/content/docs/release-notes/v0_14_0.mdx index b95db7ce6d..06befb00e7 100644 --- a/website/content/docs/release-notes/v0_14_0.mdx +++ b/website/content/docs/release-notes/v0_14_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.14.0 -description: |- - Boundary release notes for v0.14.0 +page_title: v0.14.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.14.0 release. Understand any deprecations, changes, and known issues. --- # Boundary 0.14.0 release notes diff --git a/website/content/docs/release-notes/v0_15_0.mdx b/website/content/docs/release-notes/v0_15_0.mdx index 0695b47a59..55798a97f6 100644 --- a/website/content/docs/release-notes/v0_15_0.mdx +++ b/website/content/docs/release-notes/v0_15_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.15.0 -description: |- - Boundary release notes for v0.15.0 +page_title: v0.15.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.15.0 release. Understand any deprecations, changes, and known issues. --- # Boundary 0.15.0 release notes diff --git a/website/content/docs/release-notes/v0_16_0.mdx b/website/content/docs/release-notes/v0_16_0.mdx index c78c61ae6c..e1faa92704 100644 --- a/website/content/docs/release-notes/v0_16_0.mdx +++ b/website/content/docs/release-notes/v0_16_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.16.0 -description: |- - Boundary release notes for v0.16.0 +page_title: v0.16.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.16.0 release. Understand any deprecations, changes, and known issues. --- # Boundary 0.16.0 release notes diff --git a/website/content/docs/release-notes/v0_17_0.mdx b/website/content/docs/release-notes/v0_17_0.mdx index 0ffe2889a2..5a6add742d 100644 --- a/website/content/docs/release-notes/v0_17_0.mdx +++ b/website/content/docs/release-notes/v0_17_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.17.0 -description: |- - Boundary release notes for v0.17.0 +page_title: v0.17.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.17.0 release. Understand any deprecations, changes, and known issues. --- # Boundary 0.17.0 release notes diff --git a/website/content/docs/release-notes/v0_18_0.mdx b/website/content/docs/release-notes/v0_18_0.mdx new file mode 100644 index 0000000000..8f7754237e --- /dev/null +++ b/website/content/docs/release-notes/v0_18_0.mdx @@ -0,0 +1,190 @@ +--- +layout: docs +page_title: v0.18.0 release notes +description: >- + Learn more about the new features included in the Boundary 0.18.0 release. Understand any deprecations, changes, and known issues. +--- + +# Boundary 0.18.0 release notes + +**GA date:** October 15, 2024 + +@include 'release-notes/intro.mdx' + +## Important changes + + + + + + + + + + + + + + + + + + + + +
ChangeDescription
+ Role creation + + In a future version Boundary will no longer automatically create roles when new scopes are created. This was implemented prior to multi-scope grants to ensure administrators and users had default permissions in new scopes. Since Boundary 0.15, initial roles created for new clusters provide these permissions by default to all scopes using multi-scope grants. +
+ Docker image no longer contains curl + + As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. The image now includes wget, which you can alternatively use to check the health endpoint for a worker. If your workflow depends on having curl in the image, you can dynamically install it using apk. +

+ Learn more:  Known issues and breaking changes +
+ +## New features + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureUpdateDescription
+ Transparent sessions + + BETA + + Transparent sessions allows users to eliminate steps in their current workflows using Boundary’s Client Agent, a component that operates in the background to intercept network traffic and automatically route this traffic through a session if the user is authenticated and authorized. +

+ Platform teams and access management teams that administer Boundary can now build much faster, simpler secure remote access workflows that feel more intuitive and invisible to their developer customers. +

+ Learn more: Transparent sessions and Client Agent. +
+ Backblaze B2 support for storage buckets + + GA + + Backblaze B2 is now supported as a storage provider for session recording storage buckets. +

+ Learn more: Configure an S3-compliant storage provider. +
+ AssumeRole support for AWS dynamic host catalogs + + GA + + AWS host plugins now support AssumeRole. AssumeRole returns a set of temporary security credentials that you can use to access AWS resources. +

+ Learn more: AWS dynamic host catalogs. +
+ +## Known issues and breaking changes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
VersionIssueDescription
+ 0.13.0+ + + Rotation of AWS access and secret keys during a session results in stale recordings + + In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. +

+ As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. + Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. +
+ 0.13.0+ + + Unsupported recovery workflow during worker failure + + If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. +

+ Learn more:  + Unsupported recovery workflow +
+ 0.17.1+ + + Docker image no longer contains curl + + As of version 0.17.1 and later, the curl binary is no longer included in the published Docker container image for Boundary. +

+ The image now includes wget. You can use wget to check the health endpoint for workers. +

+ Learn more:  Check the health endpoint using wget +

+ If your workflow depends on having curl in the image, you can dynamically install it using apk. Refer to the following commands for examples of using apk to install curl: +

+ <CONTAINER-ID> apk add curl +

+ or +

+ kubectl exec -ti <NAME> -- apk add curl +
+ 0.18.0 (Fixed in 0.18.1) + + Users are incorrectly removed from managed groups + + If your organization has over 10,000 managed groups, Boundary may incorrectly remove users from the managed group memberships. +

+ In version 0.18.0 and earlier, there was a maximum number of managed groups supported for an auth method. If you had over 10,000 managed groups, Boundary may have incorrectly removed a user from a group during authentication. This issue is fixed in version 0.18.1. There is no longer a maximum number of managed groups. +

+ Learn more:  Managed groups +

+ Upgrade to the latest version of Boundary +
\ No newline at end of file diff --git a/website/content/docs/release-notes/v0_1_0.mdx b/website/content/docs/release-notes/v0_1_0.mdx index 1f9e7ca359..c8cfd2ed9c 100644 --- a/website/content/docs/release-notes/v0_1_0.mdx +++ b/website/content/docs/release-notes/v0_1_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.1.0 -description: |- - Boundary release notes for v0.1.0 +page_title: v0.1.0 release notes +description: >- + Learn more about the features included in the Boundary 0.1.0 release. --- # Boundary v0.1.0 diff --git a/website/content/docs/release-notes/v0_2_0.mdx b/website/content/docs/release-notes/v0_2_0.mdx index 4823ff80a7..20585afeb1 100644 --- a/website/content/docs/release-notes/v0_2_0.mdx +++ b/website/content/docs/release-notes/v0_2_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.2.0 -description: |- - Boundary release notes for v0.2.0 +page_title: v0.2.0 release notes +description: >- + Learn more about the features included in the Boundary 0.2.0 release and discover what has changed. --- # Boundary v0.2.0 diff --git a/website/content/docs/release-notes/v0_3_0.mdx b/website/content/docs/release-notes/v0_3_0.mdx index 5d1c1cbd8b..dcb65886a3 100644 --- a/website/content/docs/release-notes/v0_3_0.mdx +++ b/website/content/docs/release-notes/v0_3_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.3.0 -description: |- - Boundary release notes for v0.3.0 +page_title: v0.3.0 release notes +description: >- + Learn more about the features included in the Boundary 0.3.0 release and discover what has changed. --- # Boundary v0.3.0 diff --git a/website/content/docs/release-notes/v0_4_0.mdx b/website/content/docs/release-notes/v0_4_0.mdx index e63a1e7a9b..870bd8b5d6 100644 --- a/website/content/docs/release-notes/v0_4_0.mdx +++ b/website/content/docs/release-notes/v0_4_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.4.0 -description: |- - Boundary release notes for v0.4.0 +page_title: v0.4.0 release notes +description: >- + Learn more about the features included in the Boundary 0.4.0 release and discover what has changed. --- # Boundary v0.4.0 diff --git a/website/content/docs/release-notes/v0_5_0.mdx b/website/content/docs/release-notes/v0_5_0.mdx index 349a9c12a0..95cb99f2dc 100644 --- a/website/content/docs/release-notes/v0_5_0.mdx +++ b/website/content/docs/release-notes/v0_5_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.5.0 -description: |- - Boundary release notes for v0.5.0 +page_title: v0.5.0 release notes +description: >- + Learn more about the features included in the Boundary 0.5.0 release and discover what has changed. --- # Boundary v0.5.0 diff --git a/website/content/docs/release-notes/v0_6_0.mdx b/website/content/docs/release-notes/v0_6_0.mdx index 1a90b38d76..6deceafdb8 100644 --- a/website/content/docs/release-notes/v0_6_0.mdx +++ b/website/content/docs/release-notes/v0_6_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.6.0 -description: |- - Boundary release notes for v0.6.0 +page_title: v0.6.0 release notes +description: >- + Learn more about the features included in the Boundary 0.6.0 release and discover what has changed. --- # Boundary v0.6.0 diff --git a/website/content/docs/release-notes/v0_7_0.mdx b/website/content/docs/release-notes/v0_7_0.mdx index 8df79dd7b9..ca0f111adc 100644 --- a/website/content/docs/release-notes/v0_7_0.mdx +++ b/website/content/docs/release-notes/v0_7_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.7.0 -description: |- - Boundary release notes for v0.7.0 +page_title: v0.7.0 release notes +description: >- + Learn more about the features included in the Boundary 0.7.0 release and discover what has changed. --- # Boundary v0.7.0 diff --git a/website/content/docs/release-notes/v0_8_0.mdx b/website/content/docs/release-notes/v0_8_0.mdx index 82b45e715a..bec2546d37 100644 --- a/website/content/docs/release-notes/v0_8_0.mdx +++ b/website/content/docs/release-notes/v0_8_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.8.0 -description: |- - Boundary release notes for v0.8.0 +page_title: v0.8.0 release notes +description: >- + Learn more about the features included in the Boundary 0.8.0 release and discover what has changed. --- # Boundary v0.8.0 diff --git a/website/content/docs/release-notes/v0_9_0.mdx b/website/content/docs/release-notes/v0_9_0.mdx index 4c72af145d..95fe9ef887 100644 --- a/website/content/docs/release-notes/v0_9_0.mdx +++ b/website/content/docs/release-notes/v0_9_0.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: v0.9.0 -description: |- - Boundary release notes for v0.9.0 +page_title: v0.9.0 release notes +description: >- + Learn more about the features included in the Boundary 0.9.0 release and discover what has changed. --- # Boundary v0.9.0 diff --git a/website/content/docs/troubleshoot/common-errors.mdx b/website/content/docs/troubleshoot/common-errors.mdx index 5540995642..eca3738a18 100644 --- a/website/content/docs/troubleshoot/common-errors.mdx +++ b/website/content/docs/troubleshoot/common-errors.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: Common error messages -description: |- - Common error messages for Boundary +description: >- + View common Boundary error messages and learn how to troubleshoot them. --- # Common error messages diff --git a/website/content/docs/troubleshoot/faq.mdx b/website/content/docs/troubleshoot/faq.mdx index 9d1c300a80..760350ec52 100644 --- a/website/content/docs/troubleshoot/faq.mdx +++ b/website/content/docs/troubleshoot/faq.mdx @@ -1,8 +1,8 @@ --- layout: docs page_title: FAQ -description: |- - FAQ for Boundary +description: >- + View frequently asked questions about Boundary --- # Frequently asked questions diff --git a/website/content/docs/troubleshoot/troubleshoot-recorded-sessions.mdx b/website/content/docs/troubleshoot/troubleshoot-recorded-sessions.mdx index 4e7b06755d..c111182d52 100644 --- a/website/content/docs/troubleshoot/troubleshoot-recorded-sessions.mdx +++ b/website/content/docs/troubleshoot/troubleshoot-recorded-sessions.mdx @@ -1,8 +1,8 @@ --- layout: docs -page_title: Manage recorded sessions -description: |- - How to troubleshoot issues with Boundary's recorded sessions +page_title: Troubleshoot session recordings +description: >- + View known issues and troubleshoot problems with Boundary's recorded sessions. --- # Troubleshoot session recordings diff --git a/website/content/partials/alerts/beta.mdx b/website/content/partials/alerts/beta.mdx new file mode 100644 index 0000000000..5cbafd7ac5 --- /dev/null +++ b/website/content/partials/alerts/beta.mdx @@ -0,0 +1,6 @@ + + +Beta functionality is stable, but possibly incomplete and subject to change. +**We strongly discourage using beta features in production deployments of Boundary.** + + \ No newline at end of file diff --git a/website/content/partials/alerts/enterprise-only.mdx b/website/content/partials/alerts/enterprise-only.mdx new file mode 100644 index 0000000000..50d3cd2a39 --- /dev/null +++ b/website/content/partials/alerts/enterprise-only.mdx @@ -0,0 +1 @@ +This feature requires HCP Boundary or Boundary Enterprise \ No newline at end of file diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index ef843117c2..cbb5d01a6a 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -108,8 +108,8 @@ ] }, { - "title": "Install Boundary", - "path": "install-boundary/install" + "title": "Deploy Boundary", + "path": "install-boundary/deploy" }, { "title": "Configure controllers", @@ -123,6 +123,10 @@ "title": "Initialize Boundary", "path": "install-boundary/initialize" }, + { + "title": "Install Boundary clients", + "path": "install-boundary/install-clients" + }, { "title": "Systemd install", "hidden": true, @@ -195,6 +199,15 @@ "title": "Aliases", "path": "concepts/aliases" }, + { + "title": "Transparent sessions", + "badge": { + "text": "HCP/ENT BETA", + "type": "outlined", + "color": "neutral" + }, + "path": "concepts/transparent-sessions" + }, { "title": "Auditing", "path": "concepts/auditing" @@ -574,6 +587,32 @@ } ] }, + { + "title": "Aliases and transparent sessions", + "routes": [ + { + "title": "Overview", + "path": "configuration/target-aliases" + }, + { + "title": "Create a target alias", + "path": "configuration/target-aliases/create-target-alias" + }, + { + "title": "Connect using a target alias", + "path": "configuration/target-aliases/connect-target-alias" + }, + { + "title": "Connect using transparent sessions", + "badge": { + "text": "HCP/ENT BETA", + "type": "outlined", + "color": "neutral" + }, + "path": "configuration/target-aliases/transparent-sessions" + } + ] + }, { "title": "Events", "routes": [ @@ -1643,6 +1682,15 @@ } ] }, + { + "title": "Client Agent", + "badge": { + "text": "HCP/ENT BETA", + "type": "outlined", + "color": "neutral" + }, + "path": "api-clients/client-agent" + }, { "title": "Go SDK", "path": "api-clients/go-sdk" @@ -1765,6 +1813,10 @@ "title": "Overview", "path": "release-notes" }, + { + "title": "v0.18.0", + "path": "release-notes/v0_18_0" + }, { "title": "v0.17.0", "path": "release-notes/v0_17_0" diff --git a/website/public/img/ui/multi-hop-egress-filter_dark.png b/website/public/img/ui/multi-hop-egress-filter_dark.png new file mode 100644 index 0000000000..7887e78226 Binary files /dev/null and b/website/public/img/ui/multi-hop-egress-filter_dark.png differ diff --git a/website/public/img/ui/multi-hop-egress-filter_light.png b/website/public/img/ui/multi-hop-egress-filter_light.png new file mode 100644 index 0000000000..0c60a55efd Binary files /dev/null and b/website/public/img/ui/multi-hop-egress-filter_light.png differ diff --git a/website/redirects.js b/website/redirects.js index b78a6fc26e..a2f00cb064 100644 --- a/website/redirects.js +++ b/website/redirects.js @@ -93,6 +93,11 @@ module.exports = [ destination: '/boundary/docs/operations/metrics', permanent: true, }, + { + source: '/boundary/docs/install-boundary/install', + destination: '/boundary/docs/install-boundary/deploy', + permanent: true, + }, { source: '/boundary/docs/install-boundary/fault-tolerance', destination: '/boundary/docs/install-boundary/architecture/fault-tolerance',