HashiCorp Developer AI Private beta now available Sign up today
Boundary
Boundary Home

connect

Command: boundary connect

Every command that results in an API call contains a set of flags that control connection options, which include TLS and other settings. Boundary provides connect helpers that can facilitate access to certain protocols like HTTP, RDP, and SSH. One example is the Boundary helper for SSH that automatically accepts host SSH key prompts for you. You run these connect helpers using the command boundary connect <subcommand>. You can run boundary connect -h to see the available helpers, options, and arguments.

Examples

The following example connects to a target ttcP_INY0BCD2VF and shows the use of the -listen-addr and -listen-port flags to specify the listening address and port used that Boundary will attempt to use for every connection. This example uses the address 127.0.0.1 and the port 8872:

$ boundary connect ssh \
    -listen-addr=127.0.0.1 \
    -listen-port=8872
    -target_id=ttcp_INY0BCD2VF

Usage

Usage: boundary connect <subcommand> [options] [args]
  # ...
Subcommands:
    http        Authorize a session against a target and invoke an HTTP client to connect
    kube        Authorize a session against a target and invoke a Kubernetes client to connect
    postgres    Authorize a session against a target and invoke a Postgres client to connect
    rdp         Authorize a session against a target and invoke an RDP client to connect
    ssh         Authorize a session against a target and invoke an SSH client to connect

For more information, examples, and usage, click on the name of the subcommand in the sidebar or one of the links below:

Command options

  • -addr (string: "") - The address of the Boundary controller as a complete URL, for example https://boundary.example.com:9200. Instead of passing the -addr argument with every command, you can configure the BOUNDARY_ADDR environment variable. In both cases, the value denotes the address of the Boundary environment you want to send CLI commands to.
  • -ca-cert (string: "") - The path on the local disk to a single PEM-encoded CA certificate that should be used to verify the controller or worker server's SSL certificate. This value takes precedence over -ca-path. You can also specify the path using the BOUNDARY_CACERT environment variable.
  • -ca-path (string: "") - The path on the local disk to a directory of PEM-encoded CA certificates that should be used to verify the controller's SSL certificate. You can also specify the path using the BOUNDARY_CAPATH environment variable.
  • -client-cert (string: "") - The path on the local disk to a single PEM-encoded CA certificate that should be used for TLS authentication to the Boundary controller. If you configure this flag, the -client-key value is also required. You can also specify the path using the BOUNDARY_CLIENT_CERT environment variable.
  • -client-key (string: "") - The path on the local disk to a single PEM-encoded private key that matches the client certificate you referenced with -client-cert. You can also specify the path using the BOUNDARY_CLIENT_KEY environment variable.
  • -listen-addr (string: "") - If set, the CLI attempts to bind its listening address to the given value, which must be an IP address. If it cannot bind the listening address, the command produces an error. If you do not set this value, Boundary defaults to the most common IPv4 loopback address, 127.0.0.1. You can also specify a listening address using the BOUNDARY_CONNECT_LISTEN_ADDR environment variable.
  • -listen-port (string: "") - If set, the CLI attempts to bind its listening port to the given value. If it cannot bind the listening port, the command produces error. You can also specify a listening address using the BOUNDARY_CONNECT_LISTEN_PORT environment variable.
  • -tls-insecure - If set, this option disables verification of TLS certificates. We highly discourage using this option as it decreases the security of data transmissions to and from the Boundary server. The default value is false. You can also disable TLS certificate validation using the BOUNDARY_TLS_INSECURE environment variable.
  • -tls-server-name (string: "") - A name to use as the SNI host when you connect to the Boundary server using TLS. You can also specify the SNI host using the BOUNDARY_TLS_SERVER_NAME environment variable.

Connect command options:

  • -authz-token (string: "") - The authorization string returned from the Boundary controller via an authorize-session action against a target. This option is only required if you don't set a -target-id. If you set the value to -, the command attempts to read in the authorization string from standard input. You can also specify the authorization string using the BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable.

  • -exec (string: "") - If set, specifies that the given binary should be executed after connecting to the worker, if set. This value should be a binary on your path or an absolute path. If all command flags are followed by -- (space, two hyphens, space), then any arguments after that are sent directly to the binary. You can also specify a binary using the BOUNDARY_CONNECT_EXEC environment variable.

  • -host-id (string: "") - The ID of a specific host to connect to out of the target's host sets. If you do not indicate a specific host, Boundary chooses one at random.

  • -target-id (string: "") - The ID of the target to authorize against. You cannot use this option with -authz-token.

  • -target-name (string: "") - The target name, if you authorize the session using scope parameters and target name.

  • -target-scope-id (string: "") - The target scope ID, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-name. You can also specify the target scope ID using the BOUNDARY_CONNECT_TARGET_SCOPE_ID environment variable.

  • -target-scope-name (string: "") - The target scope name, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-id. You can also specify the target scope name using the BOUNDARY_CONNECT_TARGET_SCOPE_NAME environment variable.

Edit this page on GitHub