{"id":25115719,"url":"https://github.com/devops-rob/vault-plugin-boundary-secrets-engine","last_synced_at":"2025-04-22T14:44:47.265Z","repository":{"id":64307439,"uuid":"468474273","full_name":"devops-rob/vault-plugin-boundary-secrets-engine","owner":"devops-rob","description":"A Vault secrets engine that generates dynamic Boundary accounts","archived":false,"fork":false,"pushed_at":"2024-06-24T22:07:27.000Z","size":166,"stargazers_count":12,"open_issues_count":3,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-17T08:39:34.472Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/devops-rob.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-10T18:58:07.000Z","updated_at":"2024-07-23T08:47:06.000Z","dependencies_parsed_at":"2024-06-18T13:23:25.603Z","dependency_job_id":"d4da6b51-e662-481b-b4d0-67ca4636a7fd","html_url":"https://github.com/devops-rob/vault-plugin-boundary-secrets-engine","commit_stats":null,"previous_names":["hashicorp-dev-advocates/vault-plugin-boundary-secrets-engine"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-boundary-secrets-engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-boundary-secrets-engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-boundary-secret
s-engine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/devops-rob%2Fvault-plugin-boundary-secrets-engine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/devops-rob","download_url":"https://codeload.github.com/devops-rob/vault-plugin-boundary-secrets-engine/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250262165,"owners_count":21401624,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-08T02:33:48.836Z","updated_at":"2025-04-22T14:44:47.232Z","avatar_url":"https://github.com/devops-rob.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Boundary Secrets Engine for HashiCorp Vault\n\nThe Boundary secrets engine creates Boundary Workers, and additionally, generates user and account credentials dynamically based on configured permissions and scopes. 
This means that services that need to access a Boundary scope no longer need to hardcode credentials and Boundary workers can be ephemeral.\n\nWith every service accessing Boundary with unique credentials, auditing is much easier in threat modelled scenarios.\n\nVault uses its own internal revocation system to delete the Boundary users and accounts it generates, ensuring that they become invalid within a reasonable time of the lease expiring.\n\nAdditionally, Vault can remove workers that it has created, thereby removing the controller-led auth token.\n\n## Setup for User credentials\n\nMost secrets engines must be configured in advance before they can perform their functions. These steps are usually completed by an operator or configuration management tool.\n\n1. Enable secrets engine:\n\n```shell\nvault secrets enable boundary\n```\n\nBy default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a different path, use the `-path` argument.\n\n2. Configure the credentials that Vault uses to communicate with Boundary to generate credentials:\n\n```shell\nvault write boundary/config \\\n  addr=http://localhost:9200 \\\n  login_name=admin \\\n  password=password \\\n  auth_method_id=ampw_1234567890\n```\n\nIt is important that the Vault user have the permissions to manage users and accounts at all scope levels.\n\n3. Configure a role that maps a name in Vault to a Boundary scope and roles:\n\n```shell\nvault write boundary/role/my-role \\\n  ttl=180 \\\n  max_ttl=360 \\\n  auth_method_id=ampw_1234567890 \\\n  boundary_roles=r_cwRmglckUr \\\n  role_type=user \\\n  scope_id=global\n```\n\nBy writing to the `boundary/role/my-role` path we are defining the `my-role` role. This role will be created by evaluating the given `auth_method_id`, `boundary_roles`, `scope_id`, `ttl` and `max_ttl` statements. 
Credentials generated against this role will be created at the specified scope, using the specified auth method, and will have the specified boundary roles assigned for the duration of the ttl specified. You can read more about [Boundary's Identity and Access Management domain.](https://www.hashicorp.com/blog/understanding-the-boundary-identity-and-access-management-model)\n\n## Usage\n\nAfter the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials.\n\n1. Generate a new credential by reading from the /creds endpoint with the name of the role:\n```shell\nvault read boundary/creds/my-role\n```\n\n### Worker auth tokens\n\nConfiguring a worker role is slightly different to a user role. The example below shows a worker role being configured:\n\n```shell\nvault write boundary/role/worker \\\n  ttl=180 \\\n  max_ttl=360 \\\n  role_type=worker \\\n  scope_id=global\n```\n\nA worker can then be generated using the following command:\n\n```shell\nvault read boundary/creds/worker worker_name=\"local worker\"\n```\n\nAn optional description can be added to the worker using the `description` parameter.\n\n```shell\nvault read boundary/creds/worker worker_name=\"local worker\" description=\"Local worker for testing purposes\"\n```\n\n## API\n\n### Setup\n\n1. Enable secrets engine\n\nSample request\n\n```shell\ncurl \\\n    -X POST \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/sys/mounts\n```\n\nSample payload\n\n```json\n{\n    \"type\": \"boundary\"\n}\n```\n\n2. 
Configure the credentials that Vault uses to communicate with Boundary to generate credentials:\n\nSample request\n```shell\ncurl \\\n    -X POST \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/boundary/config\n```\n\nSample payload\n```json\n{\n  \"addr\": \"http://localhost:9200\",\n  \"login_name\": \"vault-admin\",\n  \"password\": \"...\",\n  \"auth_method_id\": \"ampw_1234567890\"\n}\n```\n\n3. Configure a role that maps a name in Vault to a Boundary scope and roles:\n\nSample request\n```shell\ncurl \\\n    -X POST \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/boundary/role/my-role\n```\n\nSample payload\n```json\n{\n    \"ttl\": 180,\n    \"max_ttl\": 360,\n    \"auth_method_id\": \"ampw_1234567890\",\n    \"credential_type\": \"userpass\",\n    \"boundary_roles\": \"r_cbvEFZbN1S,r_r8mxdp7zOp\",\n    \"role_type\": \"user\",\n    \"scope_id\": \"global\"\n}\n```\n\n### Usage\n\n1. Generate a new credential by reading from the /creds endpoint with the name of the role:\n\nSample request\n```shell\ncurl \\\n    -X GET \\\n    --header \"X-Vault-Token: ...\" \\\n    http://127.0.0.1:8200/v1/boundary/creds/my-role\n```\n\nSample response\n```json\n{\n    \"request_id\": \"ed281bc6-182d-a15e-d700-8c2e64897010\",\n    \"lease_id\": \"boundary/creds/my-role/pH9CfQcAmE9va6CwQKOEPBsx\",\n    \"renewable\": true,\n    \"lease_duration\": 180,\n    \"data\": {\n        \"account_id\": \"acctpw_Haufl3nWxH\",\n        \"auth_method_id\": \"ampw_1234567890\",\n        \"boundary_roles\": \"r_CSuslu0w1X,r_S0OqRsecY6\",\n        \"login_name\": \"vault-role-my-role-fudjntgy\",\n        \"password\": \"2QW7U03mXr614895\",\n        \"user_id\": \"u_sKom7Pxa1v\"\n    },\n    \"wrap_info\": null,\n    \"warnings\": null,\n    \"auth\": null\n}\n```\n\n## Terraform\n\n### Setup\n\n1. 
Enable secrets engine:\n\n```hcl\nresource \"vault_mount\" \"boundary\" {\n  path        = \"boundary\"\n  type        = \"boundary\"\n  description = \"This is the boundary secrets engine\"\n}\n```\n\n2. Configure the credentials that Vault uses to communicate with Boundary to generate credentials:\n\n```hcl\nresource \"vault_generic_endpoint\" \"boundary_config\" {\n  depends_on           = [\n    vault_mount.boundary\n  ]\n\n  path                 = \"boundary/config\"\n  ignore_absent_fields = true\n\n  data_json = \u003c\u003cEOT\n{\n  \"addr\": \"http://localhost:9200\",\n  \"login_name\": \"vault-admin\",\n  \"password\": \"...\",\n  \"auth_method_id\": \"ampw_1234567890\"\n}\nEOT\n}\n```\n\n3. Configure a role that maps a name in Vault to a Boundary scope and roles:\n\n```hcl\nresource \"vault_generic_endpoint\" \"boundary_role\" {\n  depends_on           = [\n    vault_mount.boundary\n  ]\n\n  path                 = \"boundary/role/my-role\"\n  ignore_absent_fields = true\n\n  data_json = \u003c\u003cEOT\n{\n    \"ttl\": 180,\n    \"max_ttl\": 360,\n    \"auth_method_id\": \"ampw_1234567890\",\n    \"credential_type\": \"userpass\",\n    \"boundary_roles\": \"r_cbvEFZbN1S,r_r8mxdp7zOp\",\n    \"role_type\": \"user\",\n    \"scope_id\": \"global\"\n}\nEOT\n}\n```\n\n### Usage\n\n1. Generate a new credential by reading from the /creds endpoint with the name of the role:\n\n```hcl\ndata \"vault_generic_secret\" \"boundary_creds\" {\n  path = \"boundary/creds/my-role\"\n}\n\noutput \"creds\" {\n  value     = data.vault_generic_secret.boundary_creds.data\n  sensitive = true\n}\n```\n\n2. 
Read the output from Terraform's state file:\n\n```shell\nterraform output creds\n```\n\nExample response:\n\n```\ntomap({\n  \"account_id\" = \"acctpw_nNaPX7PYzl\"\n  \"auth_method_id\" = \"ampw_1234567890\"\n  \"boundary_roles\" = \"r_U2t8YBalKE,r_5hKAwk9Rs9\"\n  \"login_name\" = \"vault-role-my-role-tewohlyv\"\n  \"password\" = \"4Le8z639725g0f1G\"\n  \"user_id\" = \"u_TxJs1IabfY\"\n})\n```\n\n## License\n\nLicensed under the Apache License, Version 2.0 (the \"License\").\n\nYou may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" basis, without WARRANTIES or conditions of any kind, either express or implied.\n\nSee the License for the specific language governing permissions and limitations under the License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-rob%2Fvault-plugin-boundary-secrets-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdevops-rob%2Fvault-plugin-boundary-secrets-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdevops-rob%2Fvault-plugin-boundary-secrets-engine/lists"}