
HashiCorp Boundary Adds Multi-Hop Sessions and Credential Templating

HashiCorp has released version 0.12 of Boundary, its open-source, identity-based access management service for infrastructure. This release introduces support for multi-hop sessions, removing the need to expose Boundary workers running on private networks to inbound connections. Additional improvements include SSH credential injection using certificates signed by Vault, the ability to assign network addresses directly on targets, and credential templating.

Multi-hop sessions establish a session through a chain of workers connected by reverse-proxy connections. In previous releases of Boundary, a worker needed both an outbound connection to the HCP Boundary control plane and an inbound connection from clients. Where inbound connections into a private network are not permitted, remote users had to be on the same network or rely on a VPN.

With multi-hop sessions, users need access only to the client-facing worker; workers on the private network connect outbound to it rather than accepting inbound connections. Two approaches to this outbound-only setup are currently supported. The first uses one of HCP Boundary's public workers as the client-facing ingress point. The second uses a publicly accessible worker on the corporate network, acting as a form of bastion host.

The two primary means of setting up outbound-only sessions (credit: HashiCorp)


This release also introduces credential injection using SSH certificates signed by HashiCorp Vault. Vault acts as the certificate authority, and Boundary uses either the issue or the sign endpoint of Vault's SSH secrets engine to obtain a certificate for the session, so no long-lived key material needs to live on the target host. Previous releases required either static credentials or the distribution of user-specific keys to each host.

Credential templating simplifies the mapping of credentials to specific users: a single target with a single credential library can now generate per-user credentials. Previously, each user on a host needed its own target and credential library, for example a library pointing at /kv/data/joe. With templates this collapses to one target and one credential library whose path is /kv/data/{{ .Account.LoginName }}. Templates can also reference the user's ID or name and the account's ID, name, or email.
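As an added illustration, not Boundary's own code, the Go program below renders a path template of the form shown above, /kv/data/{{ .Account.LoginName }}, against a per-user context with Go's text/template, which uses the same double-brace syntax. The Account, User and CredentialContext types, the RenderVaultPath function and the allow-list pattern are assumptions made for this example, and the validation it performs is the defensive check a practitioner would want rather than a description of what Boundary does internally: an identity value coming from an IdP is treated as untrusted input, so a login name such as ../admin is rejected before it can steer the library outside the KV prefix the administrator intended.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Account and User carry the identity values the article lists as usable in
// templates: {{ .Account.LoginName }}, .Account.Id/Name/Email, .User.Id/Name.
// The type names are this example's own, not Boundary's.
type Account struct{ Id, Name, LoginName, Email string }
type User struct{ Id, Name string }

// CredentialContext is the data a credential library template renders against.
type CredentialContext struct {
	Account Account
	User    User
}

// safeSegment is an assumed allow-list for a single Vault path segment:
// alphanumerics, dot, underscore, hyphen and @ (for e-mail addresses).
// A "/" or a bare ".." in an identity value is rejected so a login name can
// never point the library outside the KV prefix the administrator intended.
var safeSegment = regexp.MustCompile(`^[A-Za-z0-9._@-]+$`)

func checkSegment(v string) error {
	if v == "" {
		return nil // fields the template does not reference may be empty
	}
	if v == "." || v == ".." || !safeSegment.MatchString(v) {
		return fmt.Errorf("identity value %q is not a safe Vault path segment", v)
	}
	return nil
}

// RenderVaultPath renders a template such as "/kv/data/{{ .Account.LoginName }}"
// for one user. Every identity value is validated first; the rendered result
// must then still sit under prefix and contain no empty segment. Referencing
// a field that does not exist fails at render time rather than silently.
func RenderVaultPath(pathTemplate, prefix string, ctx CredentialContext) (string, error) {
	a, u := ctx.Account, ctx.User
	for _, v := range []string{a.Id, a.Name, a.LoginName, a.Email, u.Id, u.Name} {
		if err := checkSegment(v); err != nil {
			return "", err
		}
	}
	t, err := template.New("vault-path").Parse(pathTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, ctx); err != nil {
		return "", err
	}
	rendered := sb.String()
	if !strings.HasPrefix(rendered, prefix) {
		return "", fmt.Errorf("rendered path %q escapes prefix %q", rendered, prefix)
	}
	rest := strings.TrimPrefix(rendered, prefix)
	if rest == "" || strings.Contains(rest, "//") || strings.HasSuffix(rest, "/") {
		return "", fmt.Errorf("rendered path %q has an empty segment", rendered)
	}
	return rendered, nil
}

func main() {
	ctx := CredentialContext{Account: Account{LoginName: "joe", Email: "joe@example.com"}}
	p, err := RenderVaultPath("/kv/data/{{ .Account.LoginName }}", "/kv/data/", ctx)
	fmt.Println(p, err)
}
```

The prefix check is deliberately kept even though the segment allow-list already blocks "/": a template the administrator writes could itself place the value somewhere unexpected, and checking the final string against the intended mount is cheap insurance.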

The open-source version of Boundary gains a key lifecycle management feature: key rotation and key version destruction for both key encryption keys (KEKs) and data encryption keys (DEKs). Rotating a key creates a new version that is used only for encrypting new data; data already encrypted stays under its older key version, which therefore has to remain available for as long as that data does. It is also possible to re-encrypt existing key versions under the newly rotated KEK, which is what allows an older KEK version to be destroyed without losing access to the data it protected.
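To make those rotation semantics concrete, here is an added Go example of the envelope-encryption model the paragraph describes. It is not Boundary's implementation, and the KEK, WrappedDEK, Rotate, Rewrap and DestroyVersion names are invented for it: DEKs are wrapped under versioned KEKs, a rotation creates a new KEK version while existing wrapped DEKs stay readable under their old version, a re-wrap moves a DEK to the new version without re-encrypting the bulk data, and destroying a version makes anything still wrapped only under it unrecoverable. The sample secret is constructed inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK is a key-encryption key with a version history: the current version wraps
// new DEKs, older versions stay only so their DEKs can be unwrapped or re-wrapped.
type KEK struct {
	current  int
	versions map[int][]byte // version number -> raw AES-256 key; deleted on destroy
}

// WrappedDEK is a data-encryption key sealed under one KEK version.
type WrappedDEK struct {
	KEKVersion int
	Nonce, CT  []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are always 32 generated bytes, so this is a bug, not input
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}

// seal encrypts with a fresh random nonce; open fails on a wrong key or tampering.
func seal(key, pt []byte) (nonce, ct []byte) {
	aead := gcm(key)
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, pt, nil)
}
func open(key, nonce, ct []byte) ([]byte, error) { return gcm(key).Open(nil, nonce, ct, nil) }

func NewKEK() *KEK                 { return &KEK{current: 1, versions: map[int][]byte{1: randomBytes(32)}} }
func (k *KEK) CurrentVersion() int { return k.current }

// Rotate adds a new version; nothing already wrapped is touched.
func (k *KEK) Rotate() int {
	k.current++
	k.versions[k.current] = randomBytes(32)
	return k.current
}

// Wrap seals a DEK under the current KEK version.
func (k *KEK) Wrap(dek []byte) WrappedDEK {
	nonce, ct := seal(k.versions[k.current], dek)
	return WrappedDEK{KEKVersion: k.current, Nonce: nonce, CT: ct}
}

// Unwrap recovers a DEK with whichever KEK version sealed it.
func (k *KEK) Unwrap(w WrappedDEK) ([]byte, error) {
	key, ok := k.versions[w.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is destroyed or unknown", w.KEKVersion)
	}
	return open(key, w.Nonce, w.CT)
}

// Rewrap moves a DEK to the current KEK version: only the 32-byte key is
// re-encrypted, the bulk data it protects is never touched.
func (k *KEK) Rewrap(w WrappedDEK) (WrappedDEK, error) {
	dek, err := k.Unwrap(w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return k.Wrap(dek), nil
}

// DestroyVersion deletes a KEK version. Anything still wrapped only under it
// becomes unrecoverable, so Rewrap first. The current version is protected.
func (k *KEK) DestroyVersion(version int) error {
	if version == k.current {
		return errors.New("refusing to destroy the current KEK version")
	}
	delete(k.versions, version)
	return nil
}

// RotationWalkthrough runs the lifecycle on a constructed sample secret and
// returns the plaintext recovered after KEK version 1 has been destroyed.
func RotationWalkthrough() (string, error) {
	kek, dek := NewKEK(), randomBytes(32)
	nonce, ct := seal(dek, []byte("constructed sample secret")) // bulk data under the DEK
	wrappedV1 := kek.Wrap(dek)                                   // DEK under KEK v1
	kek.Rotate()                                                 // v2 current; v1 still unwraps wrappedV1
	wrappedV2, err := kek.Rewrap(wrappedV1)                      // DEK now under v2; ct untouched
	if err != nil {
		return "", err
	}
	if err = kek.DestroyVersion(1); err != nil {
		return "", err
	}
	if _, stale := kek.Unwrap(wrappedV1); stale == nil {
		return "", errors.New("stale wrapped DEK must fail once v1 is destroyed")
	}
	dek2, err := kek.Unwrap(wrappedV2) // the re-wrapped copy still works
	if err != nil {
		return "", err
	}
	pt, err := open(dek2, nonce, ct)
	return string(pt), err
}
```

RotationWalkthrough is the order an operator has to keep: rotate, re-encrypt the existing key versions under the new KEK, and only then destroy the old version. Skipping the middle step is the failure mode the stale-unwrap check exposes, and it is why the example refuses to destroy the current version at all.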

The static credential store now supports a JSON credential type: administrators can store arbitrary JSON blobs and broker them to users connecting to machines, alongside the existing username/password and username/key pair types.

Boundary is available both within HashiCorp Cloud Platform (HCP) and as an open-source offering. Similar solutions to Boundary include Cloudflare Tunnel, strongdm, and the open-source headscale.

HashiCorp has published an upgrade guide for moving to 0.12. At the time of writing, the OSS release is available, but the features specific to the HCP version of Boundary are not yet fully available.
