Terraform patterns for Boundary credentials and credential stores
Boundary supports multiple types of static credentials and Vault dynamic credentials. A credential store stores credentials for hosts. Static credential stores can hold username/passwords, JSON tokens, SSH key pairs, and SSH certificates.
Requirements
This document assumes the reader has:
- An understanding of Terraform fundamentals
- An existing Boundary installation. Refer to Initialize Boundary to learn about deploying Boundary.
- Configured the Terraform Boundary provider.
- Configured hosts for any credential store you plan to create.
Static credential store configuration
This example creates both a static credential store and a Vault credential store.
# Create a static credential store
resource "boundary_credential_store_static" "example" {
name = "example_static_credential_store"
description = "My first static credential store"
scope_id = boundary_scope.project.id
}
# Create a Vault credential store
resource "boundary_credential_store_vault" "example" {
name = "vault_store"
description = "My first Vault credential store"
# change to your Vault address
address = "http://127.0.0.1:8200"
# Use a token that has rights to access the secrets in Vault that
# Boundary should use
token = var.vault_token
scope_id = boundary_scope.project.id
}
After you create a credential store, you can create one or more credentials in that store.
Add static credentials configuration
This example creates static credentials that Boundary manages. The credentials are for a user named Carlos.
# Create a username/password combination
resource "boundary_credential_username_password" "carlos" {
name = "example_username_password"
description = "My first username password credential"
credential_store_id = boundary_credential_store_static.example.id
username = "Carlos"
password = "Carlos-password"
}
# Create an ssh private key
resource "boundary_credential_ssh_private_key" "carlos_ssh" {
name = "example_ssh_private_key"
description = "My first ssh private key credential"
credential_store_id = boundary_credential_store_static.example.id
username = "carlos"
# You can also load the private_key from a file using the Terraform file() function.
private_key = var.carlos_ssh_key
# change to the passphrase of the private key, if required
private_key_passphrase = "optional-passphrase"
}
# Create a JSON credential
resource "boundary_credential_json" "example" {
name = "example_json"
description = "My first json credential"
credential_store_id = boundary_credential_store_static.example.id
# This points to the actual json file. You can also load this from a variable.
object = file("~/object.json")
}
Vault credential store configuration
For Vault credential stores, you can then create a credential library which distributes credentials of a specific access level from a Vault path.
This example creates a credential library that reads secrets from a Vault path called my/secret/foo
.
resource "boundary_credential_library_vault" "foo" {
name = "foo"
description = "My first Vault credential library"
credential_store_id = boundary_credential_store_vault.example.id
# Defines a valid Vault secret path
path = "my/secret/foo"
http_method = "GET"
}
Translate key names from Vault configuration
If you need to translate the key names from Vault into values expected by Boundary, use this pattern.
resource "boundary_credential_library_vault" "baz" {
name = "baz"
description = "vault username password credential with mapping overrides"
credential_store_id = boundary_credential_store_vault.example.id
# Defines the vault path that contains the secret you need
path = "my/secret/baz"
http_method = "GET"
credential_type = "username_password"
# This maps the username and password field names in Vault to their names in Boundary
credential_mapping_overrides = {
password_attribute = "alternative_password_label"
username_attribute = "alternative_username_label"
}
}
Use SSH certificates as credentials configuration
To use SSH certificates as credentials, you use the boundary_credential_vault_ssh_certificate
resource as shown in this example.
resource "boundary_credential_library_vault_ssh_certificate" "example" {
name = "foo"
description = "My first Vault SSH certificate credential library"
credential_store_id = boundary_credential_store_vault.foo.id
# Declares the vault path that generates certificates
path = "ssh/sign/foo"
# Defines the username
username = "foo"
}
Declare additional certificate attributes and extensions configuration
This example declares additional certificate attributes and extensions. Note that you can enable extensions by declaring their names and setting their values to empty strings.
resource "boundary_credential_library_vault_ssh_certificate" "example" {
name = "baz"
description = "vault "
credential_store_id = boundary_credential_store_vault.foo.id
path = "ssh/issue/foo" # change to the Vault endpoint and role
username = "foo"
# Defines additional optional certificate attributes
key_type = "rsa"
key_bits = 4096
extensions = {
permit-pty = ""
permit-X11-forwarding = ""
}
critical_options = {
force-command = "/bin/some_script"
}
}
More information
For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:
For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:
- Credentials
- Credential libraries
- Credential stores
Next steps
Once you have configured credentials and credential stores, you may want to enable session recording for auditing purposes or configure targets for your users to connect to.