hashicorp-education/learn-boundary-vault-quickstart

Boundary and Vault Integration Quickstart

This directory contains an example deployment of Boundary using docker-compose and Terraform. The lab environment accompanies the HashiCorp Learn Boundary and Vault integration quickstart tutorial.

In this example, a demo Postgres database target is deployed. A dev-mode Vault server is then configured with the database secrets engine and with policies that allow Boundary to request credentials for two database roles, dba and analyst. Boundary is then run in dev mode, and a DBA target and an analyst target are configured with a credential store that holds one credential library for each target. This enables credential brokering through Vault, which is demonstrated using the boundary connect postgres command.

  1. Setup PostgreSQL Northwind demo database
  2. Setup Vault
  3. Setup Boundary
  4. Use Boundary to connect to the Northwind demo database

Setup PostgreSQL Northwind demo database

export PG_DB="northwind";export PG_URL="postgres://postgres:secret@localhost:16001/${PG_DB}?sslmode=disable"
docker run -d -e POSTGRES_PASSWORD=secret -e POSTGRES_DB="${PG_DB}" --name ${PG_DB} -p 16001:5432 postgres
psql -d $PG_URL -f northwind-database.sql
psql -d $PG_URL -f northwind-roles.sql

Setup Vault

Run Vault in dev mode

export VAULT_ADDR="http://127.0.0.1:8200"; export VAULT_TOKEN="groot"
vault server -dev -dev-root-token-id=${VAULT_TOKEN}

Create boundary-controller policy

vault policy write boundary-controller boundary-controller-policy.hcl

Configure database secrets engine

  1. Enable the database secrets engine:

    vault secrets enable database
  2. Configure Vault with the proper plugin and connection information:

    vault write database/config/northwind \
         plugin_name=postgresql-database-plugin \
         connection_url="postgresql://{{username}}:{{password}}@localhost:16001/postgres?sslmode=disable" \
         allowed_roles=dba,analyst \
         username="vault" \
         password="vault-password"
  3. Create the dba role, whose creation statements are read from dba.sql.hcl:

    vault write database/roles/dba \
          db_name=northwind \
          creation_statements=@dba.sql.hcl \
          default_ttl=3m \
          max_ttl=60m

    Request DBA credentials from Vault to confirm:

    vault read database/creds/dba
  4. Create the analyst role, whose creation statements are read from analyst.sql.hcl:

    vault write database/roles/analyst \
          db_name=northwind \
          creation_statements=@analyst.sql.hcl \
          default_ttl=3m \
          max_ttl=60m

    Request analyst credentials from Vault to confirm:

    vault read database/creds/analyst

Create northwind-database policy

vault policy write northwind-database northwind-database-policy.hcl

Create a Vault token for the Boundary credential store

vault token create \
  -no-default-policy=true \
  -policy="boundary-controller" \
  -policy="northwind-database" \
  -orphan=true \
  -period=20m \
  -renewable=true
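The token created above must be orphan, periodic and renewable and carry exactly the two policies written earlier, and the brokered leases from the dba and analyst roles should reflect the default_ttl set on those roles. As an added example (not part of this repository), the checks below audit the JSON of vault token lookup -format=json and vault read database/creds/<role> -format=json; the field names and the sample payloads are constructed to match Vault's JSON output shape and are an assumption of this example.

```python
import json

REQUIRED_POLICIES = {"boundary-controller", "northwind-database"}
EXPECTED_PERIOD = 20 * 60      # matches -period=20m on the token
EXPECTED_LEASE_TTL = 3 * 60    # matches default_ttl=3m on the database roles


def check_credential_store_token(lookup_json: str) -> list:
    """Problems found in a `vault token lookup -format=json` payload (empty list = OK)."""
    data = json.loads(lookup_json)["data"]
    problems = []
    if not data.get("orphan"):
        problems.append("token is not orphan (-orphan=true missing)")
    if not data.get("renewable"):
        problems.append("token is not renewable")
    if data.get("period") != EXPECTED_PERIOD:
        problems.append(f"period is {data.get('period')}s, expected {EXPECTED_PERIOD}s")
    policies = set(data.get("policies", []))
    if "default" in policies:
        problems.append("default policy attached (-no-default-policy=true missing)")
    if policies - {"default"} != REQUIRED_POLICIES:
        problems.append(f"policies {sorted(policies)} != {sorted(REQUIRED_POLICIES)}")
    return problems


def check_brokered_lease(creds_json: str) -> list:
    """Problems found in a `vault read database/creds/<role> -format=json` payload."""
    resp = json.loads(creds_json)
    creds = resp.get("data", {})
    problems = []
    if resp.get("lease_duration") != EXPECTED_LEASE_TTL:
        problems.append(f"lease_duration is {resp.get('lease_duration')}s, expected {EXPECTED_LEASE_TTL}s")
    if not resp.get("renewable"):
        problems.append("lease is not renewable")
    if not creds.get("username") or not creds.get("password"):
        problems.append("username or password missing from the lease")
    return problems


# Constructed sample payloads shaped like Vault's JSON output; not real Vault responses.
GOOD_TOKEN = json.dumps({"data": {"orphan": True, "renewable": True, "period": 1200,
                                  "policies": ["boundary-controller", "northwind-database"]}})
BAD_TOKEN = json.dumps({"data": {"orphan": False, "renewable": True, "period": 0,
                                 "policies": ["boundary-controller", "default"]}})
GOOD_LEASE = json.dumps({"lease_duration": 180, "renewable": True,
                         "data": {"username": "v-token-dba-constructed", "password": "constructed"}})
```

Pipe the real command output into these functions after running the steps above; BAD_TOKEN shows what a token created without -orphan=true and -no-default-policy=true reports.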

Setup Boundary

Run Boundary in dev mode

boundary dev

Authenticate to Boundary

boundary authenticate password \
  -auth-method-id=ampw_1234567890 \
  -login-name=admin \
  -password=password

Configure Database Target

Option 1: Edit existing target

boundary targets update tcp -id=ttcp_1234567890 -default-port=16001

Option 2: Create new target

  1. Create target for analyst

    boundary targets create tcp \
      -scope-id "p_1234567890" \
      -default-port=16001 \
      -session-connection-limit=-1 \
      -name "Northwind Analyst Database"

    ID: ttcp_MugI59YN6b

  2. Create target for DBA

    boundary targets create tcp \
      -scope-id "p_1234567890" \
      -default-port=16001 \
      -session-connection-limit=-1 \
      -name "Northwind DBA Database"

    ID: ttcp_4J24foaobT

  3. Add host set to both

    boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_MugI59YN6b
    boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_4J24foaobT

Connect to Database

boundary connect postgres -target-id ttcp_1234567890 -username postgres

When prompted, enter the password secret (the POSTGRES_PASSWORD set when the container was started).

Create Vault Credential Store

Use the token returned by the vault token create step above as the -vault-token value.

boundary credential-stores create vault -scope-id "p_1234567890" \
  -vault-address "http://127.0.0.1:8200" \
  -vault-token "s.kGa7MXH1YXvrFWNunGgppnnk"

Create Credential Libraries

${CS_ID} is the ID of the credential store created in the previous step.

  1. Create library for analyst credentials

    boundary credential-libraries create vault \
      -credential-store-id ${CS_ID} \
      -vault-path "database/creds/analyst" \
      -name "northwind analyst"

    Analyst Library ID: clvlt_3zCNiY66lG

  2. Create library for DBA credentials

    boundary credential-libraries create vault \
      -credential-store-id ${CS_ID} \
      -vault-path "database/creds/dba" \
      -name "northwind dba"

    DBA Library ID: clvlt_vaaDNUTZmi

Add Credential Libraries to Targets

  1. Analyst target

    boundary targets add-credential-libraries \
      -id=ttcp_MugI59YN6b \
      -application-credential-library=clvlt_3zCNiY66lG
  2. DBA target

    boundary targets add-credential-libraries \
      -id=ttcp_4J24foaobT \
      -application-credential-library=clvlt_vaaDNUTZmi

Use Boundary to connect to the Northwind demo database

  1. Analyst target

    boundary connect postgres -target-id ttcp_MugI59YN6b -dbname northwind