HashiConf Last chance to register for our cloud conference October 10-12. Register today
Boundary
Boundary Home

You are viewing documentation for version v0.15.x. View latest version.

Targets

A target is a resource that represents a networked service with an associated set of permissions a user can connect to and interact with through Boundary by way of a session.

A target can only be defined within a project. A target can contain references to host sets from host catalogs which belong to the same project as the target. A target can contain references to credential libraries from credential stores which belong to the same project as the target.

A target can contain an address which is used by a session to connect to a networked resource. A target cannot have an address and also reference host sources.

A user must be assigned a role with the authorize-session permission for the target to establish a session with a networked resource by way of an address, or host in any host set referenced by the target.

Attributes

A target has the following configurable attributes:

  • name - (required) The name must be unique within the target's project.

  • description - (optional)

  • address - (optional) This value represents a network resource address and is used when establishing a session. It does not accept a port, only an IP address or DNS name.

  • default_client_port - (optional) Represents a local port that you want Boundary to listen to by default when someone initiates a session on the client.

  • egress_worker_filter - (optional) A boolean expression to filter which egress workers can handle sessions for this target. Egress worker filters determine which workers are used to access targets. You can configure an egress filter to enable multi-hop connections. If you do not configure an egress filter, then Boundary uses a single worker to connect to the controller.

  • ingress_worker_filter - (optional) HCP/ENT A boolean expression to filter which ingress workers can handle sessions for this target. Ingress worker filters determine which workers you connect with to initiate a session. If you do not configure an ingress filter, Boundary selects a front line worker for the session. A front line worker is any worker directly connected to the control plane; for HCP Boundary this will be an HCP worker.

  • session_connection_limit - (required) The cumulative number of connections allowed during a session. A -1 value means no limit. The default is -1. The value must be greater than 0 or exactly -1.

  • session_max_seconds - (required) The maximum duration of an individual session between the user and the target. All connections for a session are closed and the session is terminated when a session reaches the maximum duration. The default is 8 hours (28800 seconds). This value must be greater than 0.

Target types

Boundary supports TCP and SSH target types. An SSH target must have at least one injected application credential. A TCP target cannot have any injected application credentials. Note the following target type requirements:

  • To use brokered credentials to connect to a target that runs SSH: you must use a tcp target type.
  • To use injected application credentials to connect to a target that runs SSH: you must use an ssh target type.
  • To enable session recording for a target that runs SSH: you must use injected application credentials and an ssh target type.

TCP target attributes

TCP targets have the following additional attribute:

  • default_port - (required) The default port to set on this target.

SSH target attributes

Enterprise

This feature requires HCP Boundary or Boundary Enterprise

SSH targets use injected application credentials to authenticate an SSH session between the client and end host. Injected credentials allow users to securely connect to remost hosts using SSH, while never being in the possession of a valid credential for that target host. The injected credentials can be a username/password or username/private key credential from Vault credential libraries or they can be static credentials or an SSH certificate from Vault SSH credential libraries.

SSH targets have the following additional attributes:

  • default_port - (optional) The default port to set on this target. If this is not specified the default port will be 22.

  • enable_session_recording - (optional) Set to true to enable session recordings for a target. If you enable session recording, the storage_bucket_id is required.

  • storage_bucket_id - (optional) Designates the storage bucket to be used for session recording. This attribute is required if you set enable_session_recording to true.

Referenced by

Service API docs

The following services are relevant to this resource: