Boundary and Vault Integration Quickstart

This directory contains an example deployment of Boundary using docker-compose and Terraform. The lab environment is meant to accompany the Hashicorp Learn Boundary Vault integration quickstart tutorial.

In this example, a demo postgres database target is deployed. A dev Vault server is then configured using the database secrets engine and policies allowing Boundary to request credentials for two roles, a DBA and an "analyst". Boundary is then run in dev mode, and the DBA and analyst targets are configured using a credential store that contains credential libraries for both targets. This enables credential brokering via Vault, which is demonstrated using the boundary connect postgres command.

1. Setup PostgreSQL Northwind demo database
2. Setup Vault
3. Setup Boundary
4. Use Boundary to connect to the Northwind demo database

Setup PostgreSQL Northwind demo database

export PG_DB="northwind";export PG_URL="postgres://postgres:secret@localhost:16001/${PG_DB}?sslmode=disable"
docker run -d -e POSTGRES_PASSWORD=secret -e POSTGRES_DB="${PG_DB}" --name ${PG_DB} -p 16001:5432 postgres
psql -d $PG_URL -f northwind-database.sql
psql -d $PG_URL -f northwind-roles.sql

Setup Vault

Run Vault in dev mode

export VAULT_ADDR="http://127.0.0.1:8200"; export VAULT_TOKEN="groot"
vault server -dev -dev-root-token-id=${VAULT_TOKEN}

Create boundary-controller policy

vault policy write boundary-controller boundary-controller-policy.hcl

Configure database secrets engine

1. Enable the database secrets engine:

   vault secrets enable database

2. Configure Vault with the proper plugin and connection information:

   vault write database/config/northwind \
        plugin_name=postgresql-database-plugin \
        connection_url="postgresql://{{username}}:{{password}}@localhost:16001/postgres?sslmode=disable" \
        allowed_roles=dba,analyst \
        username="vault" \
        password="vault-password"

3. Create the DBA role that creates credentials with dba.sql.hcl:

   vault write database/roles/dba \
         db_name=northwind \
         creation_statements=@dba.sql.hcl \
         default_ttl=3m \
         max_ttl=60m

   Request DBA credentials from Vault to confirm:

   vault read database/creds/dba

4. Create the analyst role that creates credentials with analyst.sql.hcl:

   vault write database/roles/analyst \
         db_name=northwind \
         creation_statements=@analyst.sql.hcl \
         default_ttl=3m \
         max_ttl=60m

   Request analyst credentials from Vault to confirm:

   vault read database/creds/analyst

Create northwind-database policy

vault policy write northwind-database northwind-database-policy.hcl

Create vault token for Boundary credential store

vault token create \
  -no-default-policy=true \
  -policy="boundary-controller" \
  -policy="northwind-database" \
  -orphan=true \
  -period=20m \
  -renewable=true

Setup Boundary

Run Boundary in dev mode

boundary dev

Authenticate to Boundary

boundary authenticate password \
  -auth-method-id=ampw_1234567890 \
  -login-name=admin \
  -password=password

Configure Database Target

Option 1: Edit existing target

boundary targets update tcp -id=ttcp_1234567890 -default-port=16001

Option 2: Create new target

1. Create target for analyst

   boundary targets create tcp \
     -scope-id "p_1234567890" \
     -default-port=16001 \
     -session-connection-limit=-1 \
     -name "Northwind Analyst Database"

   ID: ttcp_MugI59YN6b

2. Create target for DBA

   boundary targets create tcp \
     -scope-id "p_1234567890" \
     -default-port=16001 \
     -session-connection-limit=-1 \
     -name "Northwind DBA Database"

   ID: ttcp_4J24foaobT

3. Add host set to both

   boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_MugI59YN6b
   boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_4J24foaobT

Connect to Database

boundary connect postgres -target-id ttcp_1234567890 -username postgres

Password is secret.

Create Vault Credential Store

boundary credential-stores create vault -scope-id "p_1234567890" \
  -vault-address "http://127.0.0.1:8200" \
  -vault-token "s.kGa7MXH1YXvrFWNunGgppnnk"

Create Credential Libraries

1. Create library for analyst credentials

   boundary credential-libraries create vault \
     -credential-store-id ${CS_ID} \
     -vault-path "database/creds/analyst" \
     -name "northwind analyst"

   Analyst Library ID: clvlt_3zCNiY66lG

2. Create library for DBA credentials

   boundary credential-libraries create vault \
     -credential-store-id ${CS_ID} \
     -vault-path "database/creds/dba" \
     -name "northwind dba"

   DBA Library ID: clvlt_vaaDNUTZmi

Add Credential Libraries to Targets

1. Analyst target

   boundary targets add-credential-libraries \
     -id=ttcp_MugI59YN6b \
     -application-credential-library=clvlt_3zCNiY66lG

2. DBA target

   boundary targets add-credential-libraries \
     -id=ttcp_4J24foaobT \
     -application-credential-library=clvlt_vaaDNUTZmi

Use Boundary to connect to the Northwind demo database

1. Analyst target

   boundary connect postgres -target-id ttcp_MugI59YN6b -dbname northwind