Lab environment to accompany the Boundary Vault Integration Quickstart tutorial on HashiCorp Learn.
MPL-2.0 License
This directory contains an example deployment of Boundary using docker-compose and Terraform. The lab environment is meant to accompany the HashiCorp Learn Boundary Vault integration quickstart tutorial.
In this example, a demo PostgreSQL database target is deployed. A dev Vault server is then configured with the database secrets engine and with policies that allow Boundary to request credentials for two roles, a DBA and an analyst. Boundary is then run in dev mode, and a DBA target and an analyst target are configured with a Vault credential store that holds one credential library per target. Boundary can then broker short-lived database credentials from Vault at session start, which is demonstrated with the boundary connect postgres command: the database password is supplied by Vault rather than typed by the user.
Start the Northwind PostgreSQL container (published on host port 16001), then load the schema and the roles:
export PG_DB="northwind";export PG_URL="postgres://postgres:secret@localhost:16001/${PG_DB}?sslmode=disable"
docker run -d -e POSTGRES_PASSWORD=secret -e POSTGRES_DB="${PG_DB}" --name ${PG_DB} -p 16001:5432 postgres
psql -d $PG_URL -f northwind-database.sql
psql -d $PG_URL -f northwind-roles.sql
Start a Vault dev server with a fixed root token (the server runs in the foreground, so use a second terminal for the remaining Vault commands) and write the policy that lets Boundary manage its own token and the leases it obtains:
export VAULT_ADDR="http://127.0.0.1:8200"; export VAULT_TOKEN="groot"
vault server -dev -dev-root-token-id=${VAULT_TOKEN}
vault policy write boundary-controller boundary-controller-policy.hcl
Enable the database secrets engine:
vault secrets enable database
Configure Vault with the proper plugin and connection information:
vault write database/config/northwind \
plugin_name=postgresql-database-plugin \
connection_url="postgresql://{{username}}:{{password}}@localhost:16001/postgres?sslmode=disable" \
allowed_roles=dba,analyst \
username="vault" \
password="vault-password"
Create the DBA role; its creation statements are read from dba.sql.hcl (the @file form tells the CLI to read the value from that file):
vault write database/roles/dba \
db_name=northwind \
creation_statements=@dba.sql.hcl \
default_ttl=3m \
max_ttl=60m
Request DBA credentials from Vault to confirm:
vault read database/creds/dba
Create the analyst role; its creation statements are read from analyst.sql.hcl:
vault write database/roles/analyst \
db_name=northwind \
creation_statements=@analyst.sql.hcl \
default_ttl=3m \
max_ttl=60m
Request analyst credentials from Vault to confirm:
vault read database/creds/analyst
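The page does not show the contents of dba.sql.hcl and analyst.sql.hcl. The following is an added example, not the repository's own files: two assumed creation-statement templates that give the analyst a SELECT-only login and the DBA a privileged one, plus a small renderer that performs the same {{name}}/{{password}}/{{expiration}} substitution Vault's postgresql-database-plugin does, so the exact SQL a role will execute can be reviewed (or dry-run with psql against $PG_URL) before the role is written to Vault. The role names, passwords and expiration value used in the preview are constructed placeholders.

```shell
#!/bin/sh
# Added example; not the repository's dba.sql.hcl or analyst.sql.hcl.
# Vault substitutes {{name}}, {{password}} and {{expiration}} into each
# creation_statements entry before running it against the database. The two
# templates below are an assumed least-privilege split: the analyst role can
# only read, the DBA role can create objects and roles.

# Assumed analyst creation statements: login role, read-only on public schema.
ANALYST_SQL=$(cat <<'EOF'
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
EOF
)

# Assumed DBA creation statements: login role that may create databases and
# roles and has full privileges on the existing tables.
DBA_SQL=$(cat <<'EOF'
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' CREATEDB CREATEROLE;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{{name}}";
EOF
)

# render_creation_statements TEMPLATE NAME PASSWORD EXPIRATION
# Performs the substitution Vault performs, so the SQL can be reviewed before
# the role exists. '|' is the sed delimiter because Vault's generated names
# contain '-' and the expiration string contains ':' and ' '.
render_creation_statements() {
  printf '%s\n' "$1" | sed \
    -e "s|{{name}}|$2|g" \
    -e "s|{{password}}|$3|g" \
    -e "s|{{expiration}}|$4|g"
}

# grants_only_select TEMPLATE: succeeds when every GRANT line is a GRANT SELECT.
# A cheap guard to run on the analyst template before handing it to Vault.
grants_only_select() {
  ! printf '%s\n' "$1" | grep -i '^GRANT' | grep -iqv '^GRANT SELECT'
}

# Preview both roles with constructed placeholder values.
render_creation_statements "$ANALYST_SQL" v-token-analyst-Example Secret123 "2021-06-01 12:00:00+0000"
render_creation_statements "$DBA_SQL" v-token-dba-Example Secret456 "2021-06-01 12:00:00+0000"
if grants_only_select "$ANALYST_SQL"; then
  echo "analyst template grants SELECT only"
fi
```

Keeping the analyst's grant list to SELECT is what makes the two Boundary targets meaningfully different: both reach the same host and port, and only the Vault role behind each credential library decides what the session can do.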
Write the policy that allows reading the two credential paths, then create the token Boundary will use. It carries only the two policies (no default policy), is an orphan so it is not revoked along with the token that created it, and is periodic and renewable so Boundary can keep renewing it every 20 minutes for as long as it runs. Note the client_token in the output; it is needed when the Boundary credential store is created:
vault policy write northwind-database northwind-database-policy.hcl
vault token create \
-no-default-policy=true \
-policy="boundary-controller" \
-policy="northwind-database" \
-orphan=true \
-period=20m \
-renewable=true
Start Boundary in dev mode (it runs in the foreground, so use another terminal for the commands that follow) and authenticate with the dev-mode admin account:
boundary dev
boundary authenticate password \
-auth-method-id=ampw_1234567890 \
-login-name=admin \
-password=password
Dev mode creates a default target (ttcp_1234567890) and a host set (hsst_1234567890) that points at localhost. Point the default target at the database port:
boundary targets update tcp -id=ttcp_1234567890 -default-port=16001
Create a target for the analyst:
boundary targets create tcp \
-scope-id "p_1234567890" \
-default-port=16001 \
-session-connection-limit=-1 \
-name "Northwind Analyst Database"
Note the target ID in the output (ttcp_MugI59YN6b in this run; yours will differ and must be substituted in the commands below).
Create a target for the DBA:
boundary targets create tcp \
-scope-id "p_1234567890" \
-default-port=16001 \
-session-connection-limit=-1 \
-name "Northwind DBA Database"
Note the target ID in the output (ttcp_4J24foaobT in this run).
Add the dev host set (localhost) to both targets:
boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_MugI59YN6b
boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_4J24foaobT
Confirm connectivity through the default target using the static postgres account. This is the path credential brokering replaces: the user has to know and type the database password.
boundary connect postgres -target-id ttcp_1234567890 -username postgres
Enter secret when psql prompts for the password.
Create a Vault credential store in the project scope, passing the token created with vault token create above (the value shown is an example; use your own). Boundary stores the token and renews it on the period set above. The command prints the new store's ID; the steps below assume it has been exported as CS_ID:
boundary credential-stores create vault -scope-id "p_1234567890" \
-vault-address "http://127.0.0.1:8200" \
-vault-token "s.kGa7MXH1YXvrFWNunGgppnnk"
Create a library for the analyst credentials:
boundary credential-libraries create vault \
-credential-store-id ${CS_ID} \
-vault-path "database/creds/analyst" \
-name "northwind analyst"
Note the library ID in the output (clvlt_3zCNiY66lG in this run).
Create a library for the DBA credentials:
boundary credential-libraries create vault \
-credential-store-id ${CS_ID} \
-vault-path "database/creds/dba" \
-name "northwind dba"
Note the library ID in the output (clvlt_vaaDNUTZmi in this run).
Attach the analyst library to the analyst target:
boundary targets add-credential-libraries \
-id=ttcp_MugI59YN6b \
-application-credential-library=clvlt_3zCNiY66lG
Attach the DBA library to the DBA target:
boundary targets add-credential-libraries \
-id=ttcp_4J24foaobT \
-application-credential-library=clvlt_vaaDNUTZmi
Connect to the analyst target. At session start Boundary requests a credential from Vault through the attached library and hands it to psql, so no -username or password is given; the credential's lease is tied to the session and Boundary revokes it in Vault when the session ends:
boundary connect postgres -target-id ttcp_MugI59YN6b -dbname northwind
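The Vault token, credential store ID and library IDs above were copied from one command's output into the next by hand. As an added example (not part of the lab repository), the script below chains the same steps, from vault token create through boundary targets add-credential-libraries, capturing each value from -format=json output so the token is never pasted on an interactive command line. It assumes the earlier steps have been run (Vault dev server, boundary dev, both targets created), that both CLIs honour -format=json, that the vault response carries the token at auth.client_token and the boundary create responses carry the new ID at item.id (field names this example expects; check them against your CLI versions), and that TARGET_ANALYST and TARGET_DBA hold the two target IDs. The JSON strings in the stand-alone check are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the lab repository. Chains the Vault token and
# Boundary credential-store steps by capturing IDs from -format=json output.
# Assumed (not from the page): -format=json on both CLIs, auth.client_token in
# the vault response, item.id in boundary create responses, and TARGET_ANALYST
# / TARGET_DBA exported with the IDs printed by `boundary targets create`.

# json_field KEY: print the string value of the first "KEY": "value" pair read
# from stdin. Splitting on commas first makes it work for both pretty-printed
# and compact JSON; it is intentionally small (no jq) and only suitable for
# the flat string fields used here. First match wins, so item.id is returned
# before any nested scope.id.
json_field() {
  tr ',' '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# wire_boundary_to_vault: token -> credential store -> two libraries -> targets.
wire_boundary_to_vault() {
  vault_token=$(vault token create -format=json \
      -no-default-policy=true \
      -policy="boundary-controller" \
      -policy="northwind-database" \
      -orphan=true -period=20m -renewable=true | json_field client_token)
  [ -n "$vault_token" ] || { echo "no client_token in vault output" >&2; return 1; }

  cs_id=$(boundary credential-stores create vault -format=json \
      -scope-id "p_1234567890" \
      -vault-address "$VAULT_ADDR" \
      -vault-token "$vault_token" | json_field id)
  [ -n "$cs_id" ] || { echo "credential store creation failed" >&2; return 1; }

  analyst_lib=$(boundary credential-libraries create vault -format=json \
      -credential-store-id "$cs_id" \
      -vault-path "database/creds/analyst" \
      -name "northwind analyst" | json_field id)
  dba_lib=$(boundary credential-libraries create vault -format=json \
      -credential-store-id "$cs_id" \
      -vault-path "database/creds/dba" \
      -name "northwind dba" | json_field id)
  [ -n "$analyst_lib" ] && [ -n "$dba_lib" ] || { echo "library creation failed" >&2; return 1; }

  boundary targets add-credential-libraries \
      -id="$TARGET_ANALYST" -application-credential-library="$analyst_lib"
  boundary targets add-credential-libraries \
      -id="$TARGET_DBA" -application-credential-library="$dba_lib"
  echo "store=$cs_id analyst_lib=$analyst_lib dba_lib=$dba_lib"
}

# Stand-alone check of the extractor on constructed sample responses.
sample_token=$(printf '{"auth":{"client_token":"s.example","accessor":"acc"}}' | json_field client_token)
echo "parsed token: $sample_token"

# Only talk to live services when explicitly asked, so this file can be
# sourced and the extractor exercised without Vault or Boundary running.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  : "${VAULT_ADDR:?set VAULT_ADDR}" "${TARGET_ANALYST:?set TARGET_ANALYST}" "${TARGET_DBA:?set TARGET_DBA}"
  wire_boundary_to_vault
fi
```

Run it as RUN_LIVE=1 TARGET_ANALYST=ttcp_... TARGET_DBA=ttcp_... sh wire.sh after the targets exist. The Vault token still appears in the boundary process's arguments while that one command runs; the lab's tutorial flow accepts that, but in a non-lab deployment the token would be supplied by a more controlled path than a CLI argument.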