Enable session recording with AWS and Vault

Start by logging in to HCP Boundary within the terminal.

1. Log in to the HCP portal.

2. From the HCP Portal's Boundary page, click Open Admin UI - a new page will open.

3. Enter the admin username and password you created when you deployed the new instance and click Authenticate.

Next, set up a new testing org and project scope.

1. Navigate to to the Orgs page and click New Org.

2. Fill out the new org form with a Name of ssh-recording-org and Description of SSH test org. Click Save.

3. From within the new org, click New Project.

4. Fill out the new project form with a Name of ssh-recording-project and Description of Secure Socket Handling recordings. Click Save.

Create a host catalog

You can use a dynamic host catalog to import the hosts created by Terraform into Boundary. These hosts will be used later on when configuring an SSH target.

1. Select Host Catalogs from the left navigation panel.

2. Choose New.

3. Enter aws-recording-catalog in the Name field, and enter a description of aws session recording host catalog.

4. Select the Dynamic type. Select the AWS provider, and enter the following details:

   • AWS Region: <YOUR_AWS_REGION>
   • Access Key ID: <YOUR_host_catalog_access_key_id>
   • Secret Access Key: <YOUR_host_catalog_secret_access_key>

   The host_catalog_access_key_id and host_catalog_secret_access_key are sensitive Terraform outputs. This means you will have to manually extract their contents from the terraform.tfstate file.

   Open the shell session where Terraform was deployed, and execute the following:

   $ export HOST_CATALOG_ACCESS_KEY_ID=$(jq -r ".outputs.host_catalog_access_key_id.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
     echo "HOST_CATALOG_ACCESS_KEY_ID=$HOST_CATALOG_ACCESS_KEY_ID" ; \
     export HOST_CATALOG_SECRET_ACCESS_KEY=$(jq -r ".outputs.host_catalog_secret_access_key.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
     echo "HOST_CATALOG_SECRET_ACCESS_KEY=$HOST_CATALOG_SECRET_ACCESS_KEY"
   

   Copy

   Copy these values into their fields.

   Lastly, check the box beside Disable credential rotation.

5. Click Save.

Create the dev host set

A host set can be used to sort hosts by environment.

Start by creating a host set for the dev hosts.

1. Select the Host Sets tab, and then select New.

2. Enter dev_host_set in the Name field.

3. Next, define the instances that should belong to the dev host set. This can be done by examining the instance tags, which are printed in the Terraform output:

   $ make terraform_output
   ...
   ... 
   ...
   target_instance_tags = {
     "i-04e6118b9e7ec37c7" = tomap({
       "Name" = "boundary-host-2"
       "User" = "aws_username"
       "env" = "prod"
       "workspace" = "username"
     })
     "i-0c3debf71c8a67661" = tomap({
       "Name" = "boundary-host-1"
       "User" = "aws_username"
       "env" = "dev"
       "workspace" = "username"
     })
   }
   ...
   ...
   ...
   

   Notice the instance tagged as "env" = "dev".

   To select it for the host set, enter the following in the Filter field:

   tag:env=dev
   

   Copy

4. Click Save.

5. Click the Hosts tab, and verify that the boundary-host-1 host appears as expected. If it's missing, wait a few moments and refresh the page.

Create the prod host set

Next, create a host set for the prod hosts.

1. Navigate back to the aws-recording-catalog host catalog. Click Manage, and select New Host Set.

2. Enter prod_host_set in the Name field.

3. Define the instances that should belong to the prod host set by selecting the instance tagged as "env" = "prod".

   To select it for the host set, enter the following in the Filter field,

   tag:env=prod
   

   Copy

4. Click Save.

5. Click the Hosts tab, and verify that the boundary-host-2 host appears as expected. If it's missing, wait a few moments and refresh the page.

Create a credential store

Next, create a Vault credential store within Boundary using the VAULT_CRED_STORE_TOKEN value, defined when you set up Vault. The vault credential store type is used for Vault integration, but you can also use static credential stores with credential injection.

When you set up a worker, it's important to create a filter for the credential store. A worker filter will identify workers that should be used as proxies for the new credential store, and ensure these credentials are brokered from the private Vault.

Navigate to the global scope within the UI, and select the Workers page.

Select vault-worker, and notice its Worker Tags:

"type" = ["s3", "vault", "worker"]

With the tags and VAULT_CRED_STORE_TOKEN value, set up a new credential store.

1. Navigate back to the ssh-recording-org, and select the ssh-recording-project.

2. Select the Credential Stores page, and click New.

3. Enter the Name Vault AWS Host Credentials.

4. Select the type Vault, and enter the following details:

   • Address: <YOUR_VAULT_ADDR>
   • Worker Filter: "vault" in "/tags/type"
   • Token: <YOUR_VAULT_CRED_STORE_TOKEN>

   The VAULT_ADDR and VAULT_CRED_STORE_TOKEN values were exported as environment variables when executing make vault_init in the Write policies and create a client token section. Check their values in the terminal session used to apply Terraform:

   $ echo $VAULT_ADDR; echo $VAULT_CRED_STORE_TOKEN
   

   Copy

   Copy these values into their fields.

5. Click Save.

Create a credential library

A credential library is used to determine what credentials should be accessed from Vault, and the path to query for them.

Create a new credential library of type ssh_private_key within Boundary using the credential store ID and passing the vault-path of secret/data/ssh_host.

To gather the CRED_STORE_ID, navigate to the Credential Stores page within the ssh-recording-project, and copy the Vault AWS Host Credentials credential store ID (such as csvlt_CixM26cMMn).

Return to the shell session used to deploy Terraform and log in to Boundary using your admin credentials. These were set as environment variables at the beginning of the tutorial as BOUNDARY_USERNAME and BOUNDARY_PASSWORD.

$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):

Authentication information:
  Account ID:      acctpw_byMkJ6gu9n
  Auth Method ID:  ampw_AQSr776Hnm
  Expiration Time: Tue, 26 Sep 2023 13:09:05 MDT
  User ID:         u_IwFxiyB0I8

The token was successfully stored in the chosen keyring and is not displayed here.

Next, create the credential library.

$ boundary credential-libraries create vault-generic \
  -credential-store-id YOUR_CRED_STORE_ID \
  -vault-path "secret/data/ssh_host" \
  -name "vault-cred-library" \
  -credential-type ssh_private_key

Example output:

$ boundary credential-libraries create vault-generic \
  -credential-store-id csvlt_CixM26cMMn \
  -vault-path "secret/data/ssh_host" \
  -name "vault-cred-library" \
  -credential-type ssh_private_key

Credential Library information:
  Created Time:          Tue, 19 Sep 2023 13:09:29 MDT
  Credential Store ID:   csvlt_CixM26cMMn
  ID:                    clvlt_64hCzmT2yG
  Name:                  vault-cred-library
  Type:                  vault-generic
  Updated Time:          Tue, 19 Sep 2023 13:09:29 MDT
  Version:               1

  Scope:
    ID:                  p_ODNjhpjfl3
    Name:                ssh-recording-project
    Parent Scope ID:     o_Mk1iM4Gge8
    Type:                project

  Authorized Actions:
    no-op
    read
    update
    delete

  Attributes:
    HTTP Method:         GET
    Path:                secret/data/ssh_host

  Credential Type:
    ssh_private_key

Open the Boundary Admin Web UI, and navigate back to the Credential Stores page.

From the Vault AWS Host Credentials host catalog, click the Credential Libraries tab. Verify that the vault-cred-library was created successfully, and click on its name to verify its details.

Open the terminal session used to deploy Terraform.

Start by logging in to Boundary as the admin user.

$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
  Account ID:      acctpw_VOeNSFX8pQ
  Auth Method ID:  ampw_wxzojlKJLN
  Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
  User ID:         u_1vUkf5fPs9
The token was successfully stored in the chosen keyring and is not displayed here.

Set up a new org and project

Create a new org named ssh-recording-org. The following command executes boundary scopes create, prints the result, selects the org ID with jq, and stores the value as an environment variable. The jq utility is used to reduce the amount of copy-paste for IDs for the rest of this tutorial.

$ ORG_ID=$(boundary scopes create \
  -scope-id=global \
  -name=ssh-recording-org \
  -description="SSH test org" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "ORG_ID=$ORG_ID"

Example output:

$ ORG_ID=$(boundary scopes create \
  -scope-id=global \
  -name=ssh-recording-org \
  -description="SSH test org" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "ORG_ID=$ORG_ID"
{"status_code":200,"item":{"id":"o_wYHjCRhcYD","scope_id":"global","scope":{"id":"global","type":"global","name":"global","description":"Global Scope"},"name":"ssh-recording-org-2","description":"SSH test org","created_time":"2023-09-19T21:36:30.134092Z","updated_time":"2023-09-19T21:36:30.134092Z","version":1,"type":"org","authorized_actions":["no-op","read","update","delete"]}}
ORG_ID=o_wYHjCRhcYD

Create a new project scope named ssh-recording-project within the ssh-recording-org. The following command also exports the PROJECT_ID environment variable.

$ PROJECT_ID=$(boundary scopes create \
  -scope-id=$ORG_ID \
  -name=ssh-recording-project \
  -description="SSH test machines" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "PROJECT_ID=$PROJECT_ID"

Example output:

$ PROJECT_ID=$(boundary scopes create \
  -scope-id=$ORG_ID \
  -name=ssh-recording-project \
  -description="SSH test machines" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "PROJECT_ID=$PROJECT_ID"
{"status_code":200,"item":{"id":"p_9XqgVGnMaQ","scope_id":"o_wYHjCRhcYD","scope":{"id":"o_wYHjCRhcYD","type":"org","name":"ssh-recording-org","description":"SSH test org","parent_scope_id":"global"},"name":"ssh-recording-project","description":"SSH test machines","created_time":"2023-09-19T21:44:32.166448Z","updated_time":"2023-09-19T21:44:32.166448Z","version":1,"type":"project","authorized_actions":["no-op","read","update","delete"]}}
PROJECT_ID=p_9XqgVGnMaQ

Create a host catalog

You can use a dynamic host catalog to import the hosts created by Terraform into Boundary. These hosts will be used later on when configuring an SSH target.

To create a host catalog, an AWS access key ID and secret access key are required. These should be associated with a user that has the required permissions to call the DescribeInstances API. This user has been pre-configured as part of the lab environment, and its policies can be viewed in the infra/iam.tf file.

Refer to the Dynamic host catalogs on AWS tutorial to learn more.

The host_catalog_access_key_id and host_catalog_secret_access_key are sensitive Terraform outputs. This means you will have to manually extract their contents from the terraform.tfstate file.

Open the shell session where Terraform was deployed, and execute the following:

$ export HOST_CATALOG_ACCESS_KEY_ID=$(jq -r ".outputs.host_catalog_access_key_id.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "HOST_CATALOG_ACCESS_KEY_ID=$HOST_CATALOG_ACCESS_KEY_ID"; \
  export HOST_CATALOG_SECRET_ACCESS_KEY=$(jq -r ".outputs.host_catalog_secret_access_key.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "HOST_CATALOG_SECRET_ACCESS_KEY=$HOST_CATALOG_SECRET_ACCESS_KEY"

Create the AWS host catalog. The following command also exports the HOST_CATALOG_ID environment variable.

$ HOST_CATALOG_ID=$(boundary host-catalogs create plugin \
  -scope-id $PROJECT_ID \
  -plugin-name aws \
  -attr disable_credential_rotation=true \
  -attr region=$AWS_REGION \
  -secret access_key_id=env://HOST_CATALOG_ACCESS_KEY_ID \
  -secret secret_access_key=env://HOST_CATALOG_SECRET_ACCESS_KEY \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "HOST_CATALOG_ID=$HOST_CATALOG_ID"

Example output:

$ HOST_CATALOG_ID=$(boundary host-catalogs create plugin \
  -scope-id $PROJECT_ID \
  -plugin-name aws \
  -attr disable_credential_rotation=true \
  -attr region=$AWS_REGION \
  -secret access_key_id=env://HOST_CATALOG_ACCESS_KEY_ID \
  -secret secret_access_key=env://HOST_CATALOG_SECRET_ACCESS_KEY \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "HOST_CATALOG_ID=$HOST_CATALOG_ID"
{"status_code":200,"item":{"id":"hcplg_G1Auj5onC3","scope_id":"p_9XqgVGnMaQ","scope":{"id":"p_9XqgVGnMaQ","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_wYHjCRhcYD"},"plugin_id":"pl_m8nWNSPfbY","plugin":{"id":"pl_m8nWNSPfbY","name":"aws","description":"Built-in AWS host plugin"},"created_time":"2023-09-19T23:37:58.631019Z","updated_time":"2023-09-19T23:37:58.631019Z","version":1,"type":"plugin","attributes":{"disable_credential_rotation":true,"region":"us-east-1"},"secrets_hmac":"Cfag9TcS5yVq8Dc2ApeLm4oxxVMubr5mwkreQpqFfe3k","authorized_actions":["no-op","read","update","delete"],"authorized_collection_actions":{"host-sets":["create","list"],"hosts":["list"]}}}
HOST_CATALOG_ID=hcplg_G1Auj5onC3

Create the dev host set

You can use a host set to sort hosts by environment.

Start creating a host set for the dev hosts by defining the instances tagged with "env" = "dev". This can be done by examining the instance tags, which are printed in the Terraform output:

$ make terraform_output
...
... 
...
target_instance_tags = {
  "i-04e6118b9e7ec37c7" = tomap({
    "Name" = "boundary-host-2"
    "User" = "aws_username"
    "env" = "prod"
    "workspace" = "username"
  })
  "i-0c3debf71c8a67661" = tomap({
    "Name" = "boundary-host-1"
    "User" = "aws_username"
    "env" = "dev"
    "workspace" = "username"
  })
}
...
...
...

Notice the instance tagged as "env" = "dev". To select it for the host set, you can use the following filter:

`tag:env=dev`

Next, create a host set for the dev hosts. The following command also exports the DEV_HOST_SET_ID environment variable.

$ DEV_HOST_SET_ID=$(boundary host-sets create plugin \
  -name dev_host_set \
  -host-catalog-id $HOST_CATALOG_ID \
  -attr filters=tag:env=dev \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "DEV_HOST_SET_ID=$DEV_HOST_SET_ID"

Example output:

$ DEV_HOST_SET_ID=$(boundary host-sets create plugin \
  -name dev_host_set \
  -host-catalog-id $HOST_CATALOG_ID \
  -attr filters=tag:env=dev \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "DEV_HOST_SET_ID=$DEV_HOST_SET_ID"
{"status_code":200,"item":{"id":"hsplg_SmP0yLVJER","host_catalog_id":"hcplg_G1Auj5onC3","scope":{"id":"p_9XqgVGnMaQ","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_wYHjCRhcYD"},"plugin":{"id":"pl_m8nWNSPfbY","name":"aws","description":"Built-in AWS host plugin"},"name":"dev_host_set","created_time":"2023-09-19T23:44:21.160280Z","updated_time":"2023-09-19T23:44:21.160280Z","version":1,"type":"plugin","attributes":{"filters":["tag:env=dev"]},"authorized_actions":["no-op","read","update","delete"]}}
DEV_HOST_SET_ID=hsplg_SmP0yLVJER

Verify that the new host set was created correctly:

$ boundary host-sets read -id $DEV_HOST_SET_ID
Host Set information:
  Created Time:        Tue, 19 Sep 2023 17:44:21 MDT
  Host Catalog ID:     hcplg_G1Auj5onC3
  ID:                  hsplg_SmP0yLVJER
  Name:                dev_host_set
  Type:                plugin
  Updated Time:        Tue, 19 Sep 2023 17:44:21 MDT
  Version:             2

  Scope:
    ID:                p_9XqgVGnMaQ
    Name:              ssh-recording-project
    Parent Scope ID:   o_wYHjCRhcYD
    Type:              project

  Plugin:
    ID:                pl_m8nWNSPfbY
    Name:              aws

  Attributes:
    filters:           [tag:env=dev]

  Authorized Actions:
    no-op
    read
    update
    delete

  Host IDs:
    hplg_EQiYxHDgIb

Lastly, verify that the Host ID listed refers to the boundary-host-1 host:

$ boundary hosts read -id hplg_EQiYxHDgIb
Host information:
  Created Time:        Tue, 19 Sep 2023 17:44:21 MDT
  External ID:         i-00cfc6df25a4e425f
  External Name:       boundary-host-1
  Host Catalog ID:     hcplg_G1Auj5onC3
  ID:                  hplg_EQiYxHDgIb
  Type:                plugin
  Updated Time:        Tue, 19 Sep 2023 17:44:21 MDT
  Version:             1

  Scope:
    ID:                p_9XqgVGnMaQ
    Name:              ssh-recording-project
    Parent Scope ID:   o_wYHjCRhcYD
    Type:              project

  Plugin:
    ID:                pl_m8nWNSPfbY
    Name:              aws

  Authorized Actions:
    no-op
    read

  Host Set IDs:
    hsplg_SmP0yLVJER

  IP Addresses:
    10.0.47.15
    3.215.142.99

  DNS Names:
    ec2-3-215-142-99.compute-1.amazonaws.com
    ip-10-0-47-15.ec2.internal

Create the prod host set

Follow the same process for the prod hosts by defining the instances tagged with "env" = "prod".

Create a host set for the prod hosts. The following command also exports the PROD_HOST_SET_ID environment variable.

$ PROD_HOST_SET_ID=$(boundary host-sets create plugin \
  -name prod_host_set \
  -host-catalog-id $HOST_CATALOG_ID \
  -attr filters=tag:env=prod \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "PROD_HOST_SET_ID=$PROD_HOST_SET_ID"

Example output:

$ PROD_HOST_SET_ID=$(boundary host-sets create plugin \
  -name prod_host_set \
  -host-catalog-id $HOST_CATALOG_ID \
  -attr filters=tag:env=prod \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "PROD_HOST_SET_ID=$PROD_HOST_SET_ID"
{"status_code":200,"item":{"id":"hsplg_Sv05NDr2A1","host_catalog_id":"hcplg_G1Auj5onC3","scope":{"id":"p_9XqgVGnMaQ","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_wYHjCRhcYD"},"plugin":{"id":"pl_m8nWNSPfbY","name":"aws","description":"Built-in AWS host plugin"},"name":"prod_host_set","created_time":"2023-09-19T23:50:06.376825Z","updated_time":"2023-09-19T23:50:06.376825Z","version":1,"type":"plugin","attributes":{"filters":["tag:env=prod"]},"authorized_actions":["no-op","read","update","delete"]}}
PROD_HOST_SET_ID=hsplg_Sv05NDr2A1

Create a credential store

Next, set up a Vault credential store using the VAULT_CRED_STORE_TOKEN. This value was exported as an environment variable when executing make vault_init in the Write policies and create a client token section.

When creating a Vault credential store, you need to construct a worker filter. This tells Boundary which worker is deployed in the same network as Vault.

Recall the tags associated with the vault-worker:

Tags:
  Configuration:
    type: ["s3", "vault" "worker"]
  Canonical:
    type: ["worker" "vault", "s3"]

The tags for this worker are:

"type" = ["s3", "vault" "worker"]

An appropriate filter to select this worker is:

"vault" in "/tags/type"

Create the Vault credential store. The following command also exports the VAULT_CRED_STORE_ID environment variable.

$ VAULT_CRED_STORE_ID=$(boundary credential-stores create vault \
  -scope-id $PROJECT_ID \
  -vault-address $VAULT_ADDR \
  -vault-token $VAULT_CRED_STORE_TOKEN \
  -worker-filter='"vault" in "/tags/type"' \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "VAULT_CRED_STORE_ID=$VAULT_CRED_STORE_ID"

Example output:

$ VAULT_CRED_STORE_ID=$(boundary credential-stores create vault \
  -scope-id $PROJECT_ID \
  -vault-address $VAULT_ADDR \
  -vault-token $VAULT_CRED_STORE_TOKEN \
  -worker-filter='"vault" in "/tags/type"' \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "VAULT_CRED_STORE_ID=$VAULT_CRED_STORE_ID"
{"status_code":200,"item":{"id":"csvlt_K9E5sXmF7s","scope_id":"p_9XqgVGnMaQ","scope":{"id":"p_9XqgVGnMaQ","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_wYHjCRhcYD"},"created_time":"2023-09-19T22:13:33.167801Z","updated_time":"2023-09-19T22:13:33.167801Z","version":1,"type":"vault","attributes":{"address":"http://ec2-3-239-162-213.compute-1.amazonaws.com:8200","token_hmac":"JU7GIHDj_MKBf6b9zXYl2A9MaMSn7UycoSBjJVmf6I8","token_status":"current","worker_filter":"\"vault\" in \"/tags/type\""},"authorized_actions":["no-op","read","update","delete"],"authorized_collection_actions":{"credential-libraries":["create","list"]}}}
VAULT_CRED_STORE_ID=csvlt_K9E5sXmF7s

Create a credential library

A credential library is used to determine what credentials should be accessed from Vault, and the path to query for them.

Create a credential library at the secret/data/ssh_host Vault path. The following command also exports the VAULT_CRED_LIB_ID environment variable.

$ VAULT_CRED_LIB_ID=$(boundary credential-libraries create vault-generic \
  -credential-store-id $VAULT_CRED_STORE_ID \
  -vault-path "secret/data/ssh_host" \
  -name "vault-cred-library" \
  -credential-type ssh_private_key \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "VAULT_CRED_LIB_ID=$VAULT_CRED_LIB_ID"

Example output:

$ VAULT_CRED_LIB_ID=$(boundary credential-libraries create vault-generic \
  -credential-store-id $VAULT_CRED_STORE_ID \
  -vault-path "secret/data/ssh_host" \
  -name "vault-cred-library" \
  -credential-type ssh_private_key \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "VAULT_CRED_LIB_ID=$VAULT_CRED_LIB_ID"
{"status_code":200,"item":{"id":"clvlt_EcpfDBGuOl","credential_store_id":"csvlt_K9E5sXmF7s","scope":{"id":"p_9XqgVGnMaQ","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_wYHjCRhcYD"},"name":"vault-cred-library","created_time":"2023-09-19T22:18:09.092937Z","updated_time":"2023-09-19T22:18:09.092937Z","version":1,"type":"vault-generic","attributes":{"http_method":"GET","path":"secret/data/ssh_host"},"authorized_actions":["no-op","read","update","delete"],"credential_type":"ssh_private_key"}}
VAULT_CRED_LIB_ID=clvlt_EcpfDBGuOl

This configuration references Terraform resources documented in the Boundary Terraform provider.

To simplify lab cleanup, create a new Terraform configuration file called boundary.tf in the top of the learn-boundary-session-rec-aws-vault/ repo. Do not place this config in the nested infra/ folder.

$ touch boundary.tf

Verify that the file was created in the correct location:

$ pwd && ls
~/learn-boundary-session-rec-aws-vault
Makefile    README.md   boundary.tf infra       scripts     vault

Next, open boundary.tf in your text editor.

Set up the provider

Start by defining Boundary as a required provider, and setting up the provider's input variables.

provider "boundary" {
  addr                   = var.BOUNDARY_ADDR
  auth_method_id         = var.BOUNDARY_AUTH_METHOD_ID
  auth_method_login_name = var.BOUNDARY_USERNAME
  auth_method_password   = var.BOUNDARY_PASSWORD
}

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    boundary = {
      source  = "hashicorp/boundary",
      version = ">= 1.1.9"
    }
  }
}

Define the input variables

The following variables will be passed to Terraform, so no default values are required. Define all these variables within the boundary.tf config file.

variable "BOUNDARY_ADDR" {
    type = string
}

variable "BOUNDARY_AUTH_METHOD_ID" {
    type = string
}

variable "BOUNDARY_USERNAME" {
    type = string
}

variable "BOUNDARY_PASSWORD" {
    type = string
}

variable "HOST_CATALOG_ACCESS_KEY_ID" {
    type = string
}

variable "HOST_CATALOG_SECRET_ACCESS_KEY" {
    type = string
}

variable "AWS_REGION" {
    type = string
}

variable "VAULT_ADDR" {
    type = string
}

variable "VAULT_CRED_STORE_TOKEN" {
    type = string
}

variable "recording_bucket_name" {
    type = string
}

variable "recording_storage_user_access_key_id" {
    type = string
}

variable "recording_storage_user_secret_access_key" {
    type = string
}

Next, locate the values of the following input variables used by the provider, including:

• BOUNDARY_ADDR
• BOUNDARY_AUTH_METHOD_ID
• BOUNDARY_USERNAME
• BOUNDARY_PASSWORD
• AWS_REGION
• VAULT_ADDR
• VAULT_CRED_STORE_TOKEN

Locate the following values in your shell session:

$ echo $BOUNDARY_ADDR ; \
  echo $BOUNDARY_AUTH_METHOD_ID ; \
  echo $BOUNDARY_USERNAME ; \
  echo $BOUNDARY_PASSWORD ; \
  echo $AWS_REGION ; \
  echo $VAULT_ADDR ; \
  echo $VAULT_CRED_STORE_TOKEN

All of the variables except the BOUNDARY_AUTH_METHOD_ID were previously defined.

You can locate the admin password auth method ID using the CLI or the Admin Web UI.

$ boundary authenticate

$ boundary auth-methods list

Auth Method information:
  ID:                     ampw_AQSr776Hnm
    Version:              1
    Type:                 password
    Name:                 password
    Description:          Password auth method
    Is Primary For Scope: true
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

Create a new file called boundary.tfvars in ~/learn-boundary-session-rec-aws-vault. This file is used to pass the required variables to Terraform.

AWS_REGION = "<YOUR_AWS_REGION>"

BOUNDARY_ADDR = "<YOUR_BOUNDARY_ADDR>"

BOUNDARY_USERNAME = "<YOUR_ADMIN_USERNAME>"

BOUNDARY_PASSWORD = "<YOUR_ADMIN_PASSWORD>"

BOUNDARY_AUTH_METHOD_ID = "<YOUR_AUTH_METHOD_ID>"

BOUNDARY_CLUSTER_ID = "<YOUR_CLUSTER_ID>"

VAULT_ADDR = "<YOUR_VAULT_ADDR>"

VAULT_CRED_STORE_TOKEN = "<YOUR_VAULT_CRED_STORE_TOKEN>"

The following variables will also be defined later on:

• HOST_CATALOG_ACCESS_KEY_ID
• HOST_CATALOG_SECRET_ACCESS_KEY
• recording_bucket_name
• recording_storage_user_access_key_id
• recording_storage_user_secret_access_key

Set up a new org and project

Define the global scope ID, then create a new org named ssh-recording-org with an associated password auth method.

resource "boundary_scope" "global" {
  global_scope = true
  scope_id     = "global"
}

resource "boundary_scope" "org" {
  name        = "ssh-recording-org"
  description = "SSH test org"
  scope_id    = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_auth_method_password" "password" {
  name        = "org_password_auth"
  description = "Password auth method for org"
  type        = "password"
  scope_id    = boundary_scope.org.id
}

Create a new project scope named ssh-recording-project within the ssh-recording-org.

resource "boundary_scope" "ssh" {
  name                   = "ssh-recording-project"
  description            = "Secure Socket Handling recordings"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

Create a host catalog

You can use a dynamic host catalog to import the hosts created by Terraform into Boundary. These hosts will be used later on when configuring an SSH target.

To create a host catalog, an AWS access key ID and secret access key are required. These should be associated with a user that has the required permissions to call the DescribeInstances API. This user has been pre-configured as part of the lab environment, and its policies can be viewed in the infra/iam.tf file.

Refer to the Dynamic host catalogs on AWS tutorial to learn more.

The host_catalog_access_key_id and host_catalog_secret_access_key are sensitive Terraform outputs. This means you will have to manually extract their contents from the terraform.tfstate file.

Open the shell session where Terraform was deployed, and execute the following:

$ export HOST_CATALOG_ACCESS_KEY_ID=$(jq -r ".outputs.host_catalog_access_key_id.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "HOST_CATALOG_ACCESS_KEY_ID=$host_catalog_access_key_id"; \
  export HOST_CATALOG_SECRET_ACCESS_KEY=$(jq -r ".outputs.host_catalog_secret_access_key.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "HOST_CATALOG_SECRET_ACCESS_KEY=$host_catalog_secret_access_key"

Copy these values and define them in your boundary.tfvars file.

HOST_CATALOG_ACCESS_KEY_ID = "<YOUR_HOST_CATALOG_ACCESS_KEY_ID>"

HOST_CATALOG_SECRET_ACCESS_KEY = "<YOUR_HOST_CATALOG_SECRET_ACCESS_KEY>"

Next, return to the boundary.tf configuration file.

Set up a host catalog plugin of type aws. Pass the AWS_REGION and disable_credential_rotation as JSON attributes, and the host catalog access key ID and secret access key as JSON secrets.

resource "boundary_host_catalog_plugin" "aws_hosts" {
  name            = "aws-recording-catalog"
  description     = "AWS session recording host catalog"
  scope_id        = boundary_scope.ssh.id
  plugin_name     = "aws"
  attributes_json = jsonencode({
    "region"=var.AWS_REGION,
    "disable_credential_rotation"=true,
  })
  secrets_json = jsonencode({
    "access_key_id"     = var.HOST_CATALOG_ACCESS_KEY_ID,
    "secret_access_key" = var.HOST_CATALOG_SECRET_ACCESS_KEY
  })
}

Create the dev host set

You can use a host set to sort hosts by environment.

Start by creating a host set for the dev hosts by defining the instances tagged with "env" = "dev". This can be done by examining the instance tags, which are printed in the Terraform output:

$ make terraform_output
...
... 
...
target_instance_tags = {
  "i-04e6118b9e7ec37c7" = tomap({
    "Name" = "boundary-host-2"
    "User" = "aws_username"
    "env" = "prod"
    "workspace" = "username"
  })
  "i-0c3debf71c8a67661" = tomap({
    "Name" = "boundary-host-1"
    "User" = "aws_username"
    "env" = "dev"
    "workspace" = "username"
  })
}
...
...
...

Notice the instance tagged as "env" = "dev". To select it for the host set, use the following filter:

`tag:env=dev`

Now create a host set for the dev hosts using the filter.

resource "boundary_host_set_plugin" "dev" {
  name            = "dev_host_set"
  host_catalog_id = boundary_host_catalog_plugin.aws_hosts.id
  attributes_json = jsonencode({ "filters" = ["tag:env=dev"] })
}

Create the prod host set

Follow the same process for the prod hosts by defining the instances tagged with "env" = "prod".

Create a host set for the prod hosts.

resource "boundary_host_set_plugin" "prod" {
  name            = "prod_host_set"
  host_catalog_id = boundary_host_catalog_plugin.aws_hosts.id
  attributes_json = jsonencode({ "filters" = ["tag:env=prod"] })
}

Create a credential store

Next, set up a Vault credential store using the VAULT_CRED_STORE_TOKEN and VAULT_ADDR. This value was exported as an environment variable when executing make vault_init in the Write policies and create a client token section.

When you create a Vault credential store, you need to construct a worker filter. The worker filter tells Boundary which worker is deployed in the same network as Vault.

Recall the tags associated with the vault-worker:

Tags:
  Configuration:
    type: ["s3", "vault" "worker"]
  Canonical:
    type: ["worker" "vault", "s3"]

The tags for this worker are:

"type" = ["s3", "vault" "worker"]

An appropriate filter to select this worker is:

"vault" in "/tags/type"

Create the Vault credential store.

resource "boundary_credential_store_vault" "vault_host_cred_store" {
  name        = "Vault AWS Host Credentials"
  address     = var.VAULT_ADDR
  token       = var.VAULT_CRED_STORE_TOKEN
  scope_id    = boundary_scope.ssh.id
}

Create a credential library

A credential library is used to determine what credentials should be accessed from Vault, and the path to query for them.

Create a credential library associated with the vault_host_cred_store credential store at the secret/data/ssh_host Vault path.

resource "boundary_credential_library_vault" "vault_host_cred_library" {
  name                = "Vault AWS Host Cred Library"
  credential_store_id = boundary_credential_store_vault.vault_host_cred_store.id
  credential_type     = "ssh_private_key"
  path                = "secret/data/ssh_host" # change to Vault backend path
  http_method         = "GET"
}

Create a storage bucket

Within Boundary, a storage bucket resource is used to store the recorded sessions. A storage bucket represents a bucket in an external store, in this case, Amazon S3. You must create a Boundary storage bucket associated with an external store before enabling session recording.

1. Navigate to to the global scope, and then the Storage Buckets page.

2. Click New Storage Bucket. Fill out the following details:

   • Name: ssh-test-bucket
   • Scope: ssh-recording-org
   • Bucket name: YOUR_S3_BUCKET_NAME
   • Region: YOUR_AWS_REGION
   • Access key ID: YOUR_recording_storage_user_access_key_id
   • Secret access key: YOUR_recording_storage_user_secret_access_key
   • Worker filter: "s3" in "/tags/type"

   The recording_storage_user_access_key_id and recording_storage_user_secret_access_key values are sensitive Terraform outputs. This means you will have to manually extract their contents from the terraform.tfstate file.

   Additionally, the name of the Amazon S3 bucket is required from the Terraform outputs.

   Open the shell session where Terraform was deployed, and execute the following:

   $ export recording_bucket_name=$(jq -r ".outputs.recording_bucket_name.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
     echo "recording_bucket_name=$recording_bucket_name"; \
     echo "AWS_REGION=$AWS_REGION"; \
     export recording_storage_user_access_key_id=$(jq -r ".outputs.recording_storage_user_access_key_id.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
     echo "recording_storage_user_access_key_id=$recording_storage_user_access_key_id"; \
     export recording_storage_user_secret_access_key=$(jq -r ".outputs.recording_storage_user_secret_access_key.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
     echo "recording_storage_user_secret_access_key=$recording_storage_user_secret_access_key"
   

   Copy

   Copy these values into their fields.

   For the Worker Filter, a worker with access to the S3 storage bucket is needed. A public S3 bucket is used for this tutorial, meaning any worker will have access. In the case of a private S3 bucket, a worker with appropriate network access should be deployed and registered with Boundary, then entered here.

   Select the worker tagged with "type" = ["s3", "vault", "worker"], which also provides access to Vault. The following filter will select this worker:

   "s3" in "/tags/type"
   

   Copy

   Lastly, check the box next to Disable credential rotation.

3. Click Save.

Create an SSH target

To finish setting up recordings, create a target for the boundary-host-1 host.

1. Navigate to the Targets page within ssh-recording-project and click New.

2. Fill out the New Target form. Select a Type of SSH.

   • Name: dev-recording-target
   • Type: SSH
   • Default Port: 22
   • Maximum Connections: -1

3. Slide the button next to Egress worker filter.

   When you create a target, you can specify an egress worker filter. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.

   Recall the tags associated with the aws-worker-1, which provides access to the boundary-host-1 host:

   Tags:
     Configuration:
       type: ["worker1" "dev-worker" "s3"]
     Canonical:
       type: ["dev-worker" "s3" "worker"]
   

   Copy

   The tags for this worker are:

   "type" = ["worker1", "dev-worker", "s3"]

   An appropriate filter to select this worker is:

   "dev-worker" in "/tags/type"
   

   Copy
   • Egress worker filter: "dev-worker" in "/tags/type"

   Click Save.

Now associate dev-recording-target with dev-host-set.

1. Select the Host Sources tab for dev-recording-target.

2. Click Add Host Sources.

3. Check the box next to the host set named dev_host_set, then click Add Host Sources.

Now associate the SSH target with the Vault credential library.

1. Select the Injected Application Credentials tab for dev-recording-target.

2. Click +Add Injected Application Credentials.

3. Check the box next to the credential library named vault-cred-library, then click Add Injected Application Credentials.

Enable session recording

Finally, enable session recording for the dev-recording-target.

1. Navigate back to the dev-recording-target Details page.

2. Under Session Recording, click Enable recording.

3. On the Enable Session Recording for Target page, toggle the switch next to Record sessions for this target.

4. For the AWS storage buckets, select the ssh-test-bucket.

5. Click Save.

Under the dev-recording-target Details page, the ssh-test-bucket should now be listed under Session Recording.

Optionally, you may repeat the process with a new prod-recording-target. This target should be configured like the dev target, but should use the "prod-worker" in "/tags/type" worker filter instead. You can use the same storage bucket for both targets.

Create a storage bucket

Within Boundary, a storage bucket resource is used to store the recorded sessions. A storage bucket represents a bucket in an external store, in this case, Amazon S3. You must create a Boundary storage bucket associated with an external store before enabling session recording.

The following details are needed to set up a Boundary storage bucket:

• Name: ssh-test-bucket
• Scope: ssh-recording-org
• Bucket name: YOUR_S3_BUCKET_NAME
• Region: YOUR_AWS_REGION
• Access key ID: YOUR_recording_storage_user_access_key_id
• Secret access key: YOUR_recording_storage_user_secret_access_key
• Worker filter: "s3" in "/tags/type"

The recording_storage_user_access_key_id and recording_storage_user_secret_access_key are sensitive Terraform outputs. This means you will have to manually extract their contents from the terraform.tfstate file.

Additionally, the name of the Amazon S3 bucket is required from the Terraform outputs.

Open the shell session where Terraform was deployed, and execute the following to display these values:

$ export recording_bucket_name=$(jq -r ".outputs.recording_bucket_name.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "recording_bucket_name=$recording_bucket_name"; \
  echo "AWS_REGION=$AWS_REGION"; \
  export recording_storage_user_access_key_id=$(jq -r ".outputs.recording_storage_user_access_key_id.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "recording_storage_user_access_key_id=$recording_storage_user_access_key_id"; \
  export recording_storage_user_secret_access_key=$(jq -r ".outputs.recording_storage_user_secret_access_key.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "recording_storage_user_secret_access_key=$recording_storage_user_secret_access_key"

For the Worker Filter, a worker with access to the S3 storage bucket is needed. A public S3 bucket is used for this tutorial, meaning any worker will have access. In the case of a private S3 bucket, a worker with appropriate network access should be deployed and registered with Boundary, then entered here.

Select the worker tagged with "type" = ["s3", "vault", "worker"], which also provides access to Vault. The following filter will select this worker:

"s3" in "/tags/type"

Create a new storage bucket named ssh-test-bucket. Set the plugin name to aws, the AWS bucket name, and the worker filter. Pass the AWS_REGION and disable_credential_rotation=true as attributes, and the access_key_id and secret_access_key as secrets.

$ boundary storage-buckets create -scope-id $ORG_ID \
  -name "ssh-test-bucket" \
  -plugin-name aws \
  -bucket-name $recording_bucket_name \
  -worker-filter '"s3" in "/tags/type"' \
  -attributes "{\"region\":\"${AWS_REGION}\", \"disable_credential_rotation\":true}" \
  -secrets "{\"access_key_id\":\"${recording_storage_user_access_key_id}\", \"secret_access_key\":\"${recording_storage_user_secret_access_key}\"}"

Example output:

$ boundary storage-buckets create -scope-id $ORG_ID \
  -name "ssh-test-bucket" \
  -plugin-name aws \
  -bucket-name $recording_bucket_name \
  -worker-filter '"s3" in "/tags/type"' \
  -attributes "{\"region\":\"${AWS_REGION}\", \"disable_credential_rotation\":true}" \
  -secrets "{\"access_key_id\":\"${recording_storage_user_access_key_id}\", \"secret_access_key\":\"${recording_storage_user_secret_access_key}\"}"

Storage Bucket information:
  Bucket Name:                   demobucket591735460
  Created Time:                  Wed, 20 Sep 2023 03:31:06 MDT
  ID:                            sb_nzFv30oX2E
  Name:                          ssh-test-bucket
  Plugin ID:                     pl_m8nWNSPfbY
  Secrets HMAC:                  3bQqPTK4ehJNKiuWkxuQEyPBJaPR5jxCnKQaRo4VTD1s
  Updated Time:                  Wed, 20 Sep 2023 03:31:06 MDT
  Version:                       1
  Worker Filter:                 "s3" in "/tags/type"

  Scope:
    ID:                          o_JgJNBHHKro
    Name:                        ssh-recording-org
    Parent Scope ID:             global
    Type:                        org

  Plugin:
    ID:                          pl_m8nWNSPfbY
    Name:                        aws

  Attributes:
    Region:                      us-east-1
    disable_credential_rotation: true

  Authorized Actions:
    no-op
    read
    update
    delete

Copy the ID from the output and export it as the $STORAGE_BUCKET_ID variable.

$ export STORAGE_BUCKET_ID=sb_nzFv30oX2E

$ export STORAGE_BUCKET_ID=`boundary storage-buckets create -scope-id $ORG_ID -name "ssh-test-bucket" -plugin-name aws -bucket-name $recording_bucket_name -worker-filter '"s3" in "/tags/type"' -attributes "{\"region\":\"${AWS_REGION}\", \"disable_credential_rotation\":true}" -secrets "{\"access_key_id\":\"${recording_storage_user_access_key_id}\", \"secret_access_key\":\"${recording_storage_user_secret_access_key}\"}" -format json | jq -r '.item.id'`

Create an SSH target

To finish setting up recordings, create a target for the boundary-host-1 host.

When you create a target, you can specify an egress worker filter. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.

Recall the tags associated with the aws-worker-1, which provides access to the boundary-host-1 host:

Tags:
  Configuration:
    type: ["worker1" "dev-worker"]
  Canonical:
    type: ["dev-worker" "worker"]

The tags for this worker are:

"type" = ["worker1", "dev-worker"]

An appropriate filter to select this worker is:

"dev-worker" in "/tags/type"

Create a new target of type ssh named dev-recording-target. Set the default port to 22, enable session recording, and pass the storage bucket ID and egress worker filter.

$ boundary targets create ssh -scope-id $PROJECT_ID \
  -name "dev-recording-target" \
  -session-connection-limit -1 \
  -default-port 22 \
  -egress-worker-filter '"dev-worker" in "/tags/type"' \
  -storage-bucket-id=$STORAGE_BUCKET_ID \
  -enable-session-recording=true

Example output:

$ boundary targets create ssh -scope-id $PROJECT_ID \
  -name "dev-recording-target" \
  -session-connection-limit -1 \
  -default-port 22 \
  -egress-worker-filter '"dev-worker" in "/tags/type"' \
  -storage-bucket-id=$STORAGE_BUCKET_ID \
  -enable-session-recording=true

Target information:
  Created Time:               Tue, 19 Sep 2023 21:39:01 MDT
  Egress Worker Filter:       "dev-worker" in "/tags/type"
  ID:                         tssh_vO60a7TwpI
  Name:                       dev-recording-target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       ssh
  Updated Time:               Tue, 19 Sep 2023 21:39:01 MDT
  Version:                    1

  Scope:
    ID:                       p_9XqgVGnMaQ
    Name:                     ssh-recording-project
    Parent Scope ID:          o_wYHjCRhcYD
    Type:                     project

  Authorized Actions:
    no-op
    read
    update
    delete
    add-host-sources
    set-host-sources
    remove-host-sources
    add-credential-sources
    set-credential-sources
    remove-credential-sources
    authorize-session

  Attributes:
    Default Port:             22
    Enable Session Recording: true
    Storage Bucket ID:        sb_uQdsdZkWTO

Copy the ID from the output and export it as the $TARGET_ID variable.

$ export TARGET_ID=tssh_vO60a7TwpI

$ export TARGET_ID=`boundary targets create ssh -scope-id $PROJECT_ID -name "dev-recording-target" -session-connection-limit -1 -default-port 22 -egress-worker-filter '"dev-worker" in "/tags/type"' -storage-bucket-id=$STORAGE_BUCKET_ID -enable-session-recording=true -format json | jq -r '.item.id'`

Next, add the dev-host-set as a host source for dev-recording-target.

$ boundary targets add-host-sources -id $TARGET_ID -host-source $DEV_HOST_SET_ID

Target information:
  Created Time:               Tue, 19 Sep 2023 21:39:01 MDT
  Egress Worker Filter:       "dev-worker" in "/tags/type"
  ID:                         tssh_vO60a7TwpI
  Name:                       dev-recording-target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       ssh
  Updated Time:               Tue, 19 Sep 2023 22:28:54 MDT
  Version:                    3

  Scope:
    ID:                       p_9XqgVGnMaQ
    Name:                     ssh-recording-project
    Parent Scope ID:          o_wYHjCRhcYD
    Type:                     project

  Authorized Actions:
    no-op
    read
    update
    delete
    add-host-sources
    set-host-sources
    remove-host-sources
    add-credential-sources
    set-credential-sources
    remove-credential-sources
    authorize-session

  Host Sources:
    Host Catalog ID:          hcplg_G1Auj5onC3
    ID:                       hsplg_SmP0yLVJER

  Attributes:
    Default Port:             22
    Enable Session Recording: true
    Storage Bucket ID:        sb_uQdsdZkWTO

Now associate dev-recording-target with the Vault credential library.

$ boundary targets add-credential-sources -id $TARGET_ID -injected-application-credential-source $VAULT_CRED_LIB_ID

Target information:
  Created Time:               Tue, 19 Sep 2023 21:39:01 MDT
  Egress Worker Filter:       "dev-worker" in "/tags/type"
  ID:                         tssh_vO60a7TwpI
  Name:                       dev-recording-target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       ssh
  Updated Time:               Tue, 19 Sep 2023 22:31:31 MDT
  Version:                    5

  Scope:
    ID:                       p_9XqgVGnMaQ
    Name:                     ssh-recording-project
    Parent Scope ID:          o_wYHjCRhcYD
    Type:                     project

  Authorized Actions:
    no-op
    read
    update
    delete
    add-host-sources
    set-host-sources
    remove-host-sources
    add-credential-sources
    set-credential-sources
    remove-credential-sources
    authorize-session

  Host Sources:
    Host Catalog ID:          hcplg_G1Auj5onC3
    ID:                       hsplg_SmP0yLVJER

  Injected Application Credential Sources:
    Credential Store ID:      csvlt_6QOHpmciXI
    ID:                       clvlt_jt5ZuKAPpq

  Attributes:
    Default Port:             22
    Enable Session Recording: true
    Storage Bucket ID:        sb_uQdsdZkWTO

The SSH target now has a host source, injected credentials, and a storage bucket configured. Session recording is fully enabled.

Optionally, you may repeat the process with a new prod-recording-target. This target should be configured like the dev target, but should use the "prod-worker" in "/tags/type" worker filter instead. The same storage bucket can be used for both targets.

Create a storage bucket

Within Boundary, a storage bucket resource is used to store the recorded sessions. A storage bucket represents a bucket in an external store, in this case, Amazon S3. You must create a Boundary storage bucket associated with an external store before enabling session recording.

To create a storage bucket, the following details are required:

• Name: ssh-test-bucket
• Scope: ssh-recording-org
• Bucket name: YOUR_recording_bucket_name
• Region: YOUR_AWS_REGION
• Access key ID: YOUR_recording_storage_user_access_key_id
• Secret access key: YOUR_recording_storage_user_secret_access_key
• Worker filter: "s3" in "/tags/type"

The recording_storage_user_access_key_id and recording_storage_user_secret_access_key are sensitive Terraform outputs. This means you will have to manually extract their contents from the terraform.tfstate file.

Additionally, the name of the Amazon S3 bucket is required from the Terraform outputs.

Open the shell session where Terraform was deployed, and execute the following to display these values and export them as environment variables:

$ export recording_bucket_name=$(jq -r ".outputs.recording_bucket_name.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "recording_bucket_name=$recording_bucket_name"; \
  echo "AWS_REGION=$AWS_REGION"; \
  export recording_storage_user_access_key_id=$(jq -r ".outputs.recording_storage_user_access_key_id.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "recording_storage_user_access_key_id=$recording_storage_user_access_key_id"; \
  export recording_storage_user_secret_access_key=$(jq -r ".outputs.recording_storage_user_secret_access_key.value" "./infra/terraform.tfstate.d/boundary-recording-$(whoami)/terraform.tfstate"); \
  echo "recording_storage_user_secret_access_key=$recording_storage_user_secret_access_key"

Copy these values and define them in your boundary.tfvars file.

recording_bucket_name = "<YOUR_recording_bucket_name>"

recording_storage_user_access_key_id = "<YOUR_storage_user_access_key_id>"

recording_storage_user_secret_access_key = "<YOUR_storage_user_secret_access_key>"

Save the boundary.tfvars file.

For the Worker Filter, a worker with access to the S3 storage bucket is needed. A public S3 bucket is used for this tutorial, meaning any worker will have access. In the case of a private S3 bucket, a worker with appropriate network access should be deployed and registered with Boundary, then entered here.

Select the worker tagged with "type" = ["s3", "vault", "worker"], which also provides access to Vault. The following filter will select this worker:

"s3" in "/tags/type"

When using HCL, this filter must be rewritten using escape syntax:

"\"s3\" in \"/tags/type\""

Create a new storage bucket with a plugin_name of aws and pass in the recording_bucket_name. Pass the AWS_REGION and disable_credential_rotation=trueas a JSON attributes, and the recording_storage_user_access_key_id and recording_storage_user_secret_access_key as JSON secrets. Lastly, supply the worker filter.

resource "boundary_storage_bucket" "aws_bucket" {
  name            = "ssh-test-bucketw"
  description     = "SSH session recording test bucket"
  scope_id        = boundary_scope.org.id
  plugin_name     = "aws"
  bucket_name     = var.recording_bucket_name
  attributes_json = jsonencode({
    "region" = "${var.AWS_REGION}",
    "disable_credential_rotation" = true
  })

  secrets_json = jsonencode({
    "access_key_id"     = "${var.recording_storage_user_access_key_id}",
    "secret_access_key" = "${var.recording_storage_user_secret_access_key}"
  })
  
  worker_filter = "\"s3\" in \"/tags/type\""
}

Create an SSH target

To finish setting up recordings, create a target for the boundary-host-1 host.

When you create a target, you can specify an egress worker filter. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.

Recall the tags associated with the aws-worker-1, which provides access to the boundary-host-1 host:

Tags:
  Configuration:
    type: ["worker1" "dev-worker"]
  Canonical:
    type: ["dev-worker" "worker"]

The tags for this worker are:

"type" = ["worker1", "dev-worker"]

An appropriate filter to select this worker is:

"dev-worker" in "/tags/type"

When using HCL, this filter must be rewritten using escape syntax:

"\"dev-worker\" in \"/tags/type\""

Create a new target with the following parameters:

• type: ssh
• name: dev-recording-target
• default_port: 22
• egress_worker_filter: "\"dev-worker\" in \"/tags/type\""
• host_source_ids: [boundary_host_set_plugin.dev.id]
• injected_application_credential_source_ids = [boundary_credential_library_vault.vault_host_cred_library.id]
• enable_session_recording: true
• storage_bucket_it: boundary_storage_bucket.aws_bucket

resource "boundary_target" "ssh" {
  name         = "dev-recording-target"
  description  = "SSH target"
  type         = "ssh"
  default_port = "22"
  scope_id     = boundary_scope.ssh-recording-project.id
  egress_worker_filter     = "\"dev-worker\" in \"/tags/type\""
  host_source_ids = [
    boundary_host_set_plugin.dev.id
  ]
  injected_application_credential_source_ids = [
    boundary_credential_library_vault.vault_host_cred_library.id
  ]
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.aws_bucket.id
}

Once all the Boundary provider resources have been added, save this file.

Expand the accordion below to see a completed version of the Terraform configuration files for Boundary. For reference, an example of these files with all resources commented out is also included with the lab repository, at learn-boundary-session-rec-aws-vault/boundary-example.tf and learn-boundary-session-rec-aws-vault/boundary-example.tfvars.

provider "boundary" {
  addr                   = var.BOUNDARY_ADDR
  auth_method_id         = var.BOUNDARY_AUTH_METHOD_ID
  auth_method_login_name = var.BOUNDARY_USERNAME
  auth_method_password   = var.BOUNDARY_PASSWORD
}

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    boundary = {
      source  = "hashicorp/boundary",
      version = ">= 1.1.9"
    }
  }
}

variable "BOUNDARY_ADDR" {
    type = string
}

variable "BOUNDARY_AUTH_METHOD_ID" {
    type = string
}

variable "BOUNDARY_USERNAME" {
    type = string
}

variable "BOUNDARY_PASSWORD" {
    type = string
}

variable "HOST_CATALOG_ACCESS_KEY_ID" {
    type = string
}

variable "HOST_CATALOG_SECRET_ACCESS_KEY" {
    type = string
}

variable "AWS_REGION" {
    type = string
}

variable "VAULT_ADDR" {
    type = string
}

variable "VAULT_CRED_STORE_TOKEN" {
    type = string
}

variable "recording_bucket_name" {
    type = string
}

variable "recording_storage_user_access_key_id" {
    type = string
}

variable "recording_storage_user_secret_access_key" {
    type = string
}

resource "boundary_scope" "global" {
  global_scope = true
  scope_id     = "global"
}

resource "boundary_scope" "org" {
  name        = "ssh-recording-org"
  description = "SSH test org"
  scope_id    = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_auth_method_password" "password" {
  name        = "org_password_auth"
  description = "Password auth method for org"
  type        = "password"
  scope_id    = boundary_scope.org.id
}

resource "boundary_scope" "ssh-recording-project" {
  name                   = "ssh-recording-project"
  description            = "Secure Socket Handling recordings"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

resource "boundary_host_catalog_plugin" "aws_hosts" {
  name            = "aws-recording-catalog"
  description     = "AWS session recording host catalog"
  scope_id        = boundary_scope.ssh-recording-project.id
  plugin_name     = "aws"
  attributes_json = jsonencode({
    "region"=var.AWS_REGION,
    "disable_credential_rotation"=true,
  })
  secrets_json = jsonencode({
    "access_key_id"     = var.HOST_CATALOG_ACCESS_KEY_ID,
    "secret_access_key" = var.HOST_CATALOG_SECRET_ACCESS_KEY
  })
}

resource "boundary_host_set_plugin" "dev" {
  name            = "dev_host_set"
  host_catalog_id = boundary_host_catalog_plugin.aws_hosts.id
  attributes_json = jsonencode({ "filters" = ["tag:env=dev"] })
}

resource "boundary_host_set_plugin" "prod" {
  name            = "prod_host_set"
  host_catalog_id = boundary_host_catalog_plugin.aws_hosts.id
  attributes_json = jsonencode({ "filters" = ["tag:env=prod"] })
}

resource "boundary_credential_store_vault" "vault_host_cred_store" {
  name        = "Vault AWS Host Credentials"
  address     = var.VAULT_ADDR
  token       = var.VAULT_CRED_STORE_TOKEN
  scope_id    = boundary_scope.ssh-recording-project.id
}

resource "boundary_credential_library_vault" "vault_host_cred_library" {
  name                = "Vault AWS Host Cred Library"
  credential_store_id = boundary_credential_store_vault.vault_host_cred_store.id
  credential_type     = "ssh_private_key"
  path                = "secret/data/ssh_host"
  http_method         = "GET"
}

resource "boundary_storage_bucket" "aws_bucket" {
  name            = "ssh-test-bucket"
  description     = "SSH session recording test bucket"
  scope_id        = boundary_scope.org.id
  plugin_name     = "aws"
  bucket_name     = var.recording_bucket_name
  attributes_json = jsonencode({
    "region" = "${var.AWS_REGION}",
    "disable_credential_rotation" = true
  })

  secrets_json = jsonencode({
    "access_key_id"     = "${var.recording_storage_user_access_key_id}",
    "secret_access_key" = "${var.recording_storage_user_secret_access_key}"
  })
  
  worker_filter = "\"s3\" in \"/tags/type\""
}

resource "boundary_target" "ssh" {
  name         = "dev-recording-target"
  description  = "SSH target"
  type         = "ssh"
  default_port = "22"
  scope_id     = boundary_scope.ssh-recording-project.id
  egress_worker_filter     = "\"dev-worker\" in \"/tags/type\""
  host_source_ids = [
    boundary_host_set_plugin.dev.id
  ]
  injected_application_credential_source_ids = [
    boundary_credential_library_vault.vault_host_cred_library.id
  ]
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.aws_bucket.id
}

AWS_REGION = "<YOUR_AWS_REGION>"

BOUNDARY_ADDR = "<YOUR_BOUNDARY_ADDR>"

BOUNDARY_USERNAME = "<YOUR_ADMIN_USERNAME>"

BOUNDARY_PASSWORD = "<YOUR_ADMIN_PASSWORD>"

BOUNDARY_AUTH_METHOD_ID = "<YOUR_AUTH_METHOD_ID>"

BOUNDARY_CLUSTER_ID = "<YOUR_CLUSTER_ID>"

HOST_CATALOG_ACCESS_KEY_ID = "<YOUR_HOST_CATALOG_ACCESS_KEY_ID>"

HOST_CATALOG_SECRET_ACCESS_KEY = "<YOUR_HOST_CATALOG_SECRET_ACCESS_KEY>"

VAULT_ADDR = "<YOUR_VAULT_ADDR>"

VAULT_CRED_STORE_TOKEN = "<YOUR_VAULT_CRED_STORE_TOKEN>"

recording_bucket_name = "<YOUR_recording_bucket_name>"

recording_storage_user_access_key_id = "<YOUR_storage_user_access_key_id>"

recording_storage_user_secret_access_key = "<YOUR_storage_user_secret_access_key>"

Apply Terraform

From the root of the learn-boundary-session-rec-aws-vault, initialize Terraform.

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/boundary versions matching ">= 1.1.9"...
- Installing hashicorp/boundary v1.1.9...
- Installed hashicorp/boundary v1.1.9 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Apply Terraform, passing in the required environment variables using the boundary.tfvars file.

$ terraform apply -var-file="boundary.tfvars"

Example output:

$ terraform apply -var-file="boundary.tfvars"

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
  + create

Terraform will perform the following actions:

  # boundary_auth_method_password.password will be created
  + resource "boundary_auth_method_password" "password" {
      + description           = "Password auth method for org"
      + id                    = (known after apply)
      + min_login_name_length = (known after apply)
      + min_password_length   = (known after apply)
      + name                  = "org_password_auth"
      + scope_id              = (known after apply)
      + type                  = "password"
    }

  # boundary_credential_library_vault.vault_host_cred_library will be created
  + resource "boundary_credential_library_vault" "vault_host_cred_library" {
      + credential_store_id = (known after apply)
      + credential_type     = "ssh_private_key"
      + http_method         = "GET"
      + id                  = (known after apply)
      + name                = "Vault AWS Host Cred Library"
      + path                = "secret/data/ssh_host"
    }

  # boundary_credential_store_vault.vault_host_cred_store will be created
  + resource "boundary_credential_store_vault" "vault_host_cred_store" {
      + address                     = "http://ec2-44-215-71-106.compute-1.amazonaws.com:8200"
      + client_certificate_key_hmac = (known after apply)
      + id                          = (known after apply)
      + name                        = "Vault AWS Host Credentials"
      + scope_id                    = (known after apply)
      + token                       = (sensitive value)
      + token_hmac                  = (known after apply)
    }

  # boundary_host_catalog_plugin.aws_hosts will be created
  + resource "boundary_host_catalog_plugin" "aws_hosts" {
      + attributes_json                            = jsonencode(
            {
              + disable_credential_rotation = true
              + region                      = "us-east-1"
            }
        )
      + description                                = "AWS session recording host catalog"
      + id                                         = (known after apply)
      + internal_force_update                      = (known after apply)
      + internal_hmac_used_for_secrets_config_hmac = (known after apply)
      + internal_secrets_config_hmac               = (known after apply)
      + name                                       = "aws-recording-catalog"
      + plugin_id                                  = (known after apply)
      + plugin_name                                = "aws"
      + scope_id                                   = (known after apply)
      + secrets_hmac                               = (known after apply)
      + secrets_json                               = (sensitive value)
    }

  # boundary_host_set_plugin.dev will be created
  + resource "boundary_host_set_plugin" "dev" {
      + attributes_json = jsonencode(
            {
              + filters = [
                  + "tag:env=dev",
                ]
            }
        )
      + host_catalog_id = (known after apply)
      + id              = (known after apply)
      + name            = "dev_host_set"
      + type            = "plugin"
    }

  # boundary_host_set_plugin.prod will be created
  + resource "boundary_host_set_plugin" "prod" {
      + attributes_json = jsonencode(
            {
              + filters = [
                  + "tag:env=prod",
                ]
            }
        )
      + host_catalog_id = (known after apply)
      + id              = (known after apply)
      + name            = "prod_host_set"
      + type            = "plugin"
    }

  # boundary_scope.global will be created
  + resource "boundary_scope" "global" {
      + global_scope = true
      + id           = (known after apply)
      + scope_id     = "global"
    }

  # boundary_scope.org will be created
  + resource "boundary_scope" "org" {
      + auto_create_admin_role   = true
      + auto_create_default_role = true
      + description              = "SSH test org"
      + id                       = (known after apply)
      + name                     = "ssh-recording-org-4"
      + scope_id                 = (known after apply)
    }

  # boundary_scope.ssh-recording-project will be created
  + resource "boundary_scope" "ssh-recording-project" {
      + auto_create_admin_role = true
      + description            = "Secure Socket Handling recordings"
      + id                     = (known after apply)
      + name                   = "ssh-recording-project"
      + scope_id               = (known after apply)
    }

  # boundary_storage_bucket.aws_bucket will be created
  + resource "boundary_storage_bucket" "aws_bucket" {
      + attributes_json                            = jsonencode(
            {
              + region = "us-east-1"
              + disable_credential_rotation = true
            }
        )
      + bucket_name                                = "demobucket307797066"
      + description                                = "SSH session recording test bucket"
      + id                                         = (known after apply)
      + internal_force_update                      = (known after apply)
      + internal_hmac_used_for_secrets_config_hmac = (known after apply)
      + internal_secrets_config_hmac               = (known after apply)
      + name                                       = "ssh-test-bucket-2"
      + plugin_id                                  = (known after apply)
      + plugin_name                                = "aws"
      + scope_id                                   = (known after apply)
      + secrets_hmac                               = (known after apply)
      + secrets_json                               = (sensitive value)
      + worker_filter                              = "\"s3\" in \"/tags/type\""
    }

  # boundary_target.ssh will be created
  + resource "boundary_target" "ssh" {
      + default_port                               = 22
      + description                                = "SSH target"
      + egress_worker_filter                       = "\"dev-worker\" in \"/tags/type\""
      + enable_session_recording                   = true
      + host_source_ids                            = (known after apply)
      + id                                         = (known after apply)
      + injected_application_credential_source_ids = (known after apply)
      + name                                       = "dev-recording-target"
      + scope_id                                   = (known after apply)
      + session_connection_limit                   = (known after apply)
      + session_max_seconds                        = (known after apply)
      + storage_bucket_id                          = (known after apply)
      + type                                       = "ssh"
    }

Plan: 11 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

boundary_scope.global: Creating...
boundary_scope.global: Creation complete after 0s [id=global]
boundary_scope.org: Creating...
boundary_scope.org: Creation complete after 0s [id=o_yYn9pnppBm]
boundary_scope.ssh-recording-project: Creating...
boundary_auth_method_password.password: Creating...
boundary_storage_bucket.aws_bucket: Creating...
boundary_scope.ssh-recording-project: Creation complete after 0s [id=p_55RcwmX77r]
boundary_auth_method_password.password: Creation complete after 0s [id=ampw_o9k12O77mJ]
boundary_credential_store_vault.vault_host_cred_store: Creating...
boundary_host_catalog_plugin.aws_hosts: Creating...
boundary_host_catalog_plugin.aws_hosts: Creation complete after 1s [id=hcplg_WnAQZfDVjw]
boundary_host_set_plugin.prod: Creating...
boundary_host_set_plugin.dev: Creating...
boundary_host_set_plugin.prod: Creation complete after 0s [id=hsplg_we0Elbp45A]
boundary_host_set_plugin.dev: Creation complete after 0s [id=hsplg_W6brs1wXwG]
boundary_credential_store_vault.vault_host_cred_store: Creating...
boundary_credential_store_vault.vault_host_cred_store: Creation complete after 0s [id=csvlt_6jWdgKAD3y]
boundary_credential_library_vault.vault_host_cred_library: Creating...
boundary_credential_library_vault.vault_host_cred_library: Creation complete after 0s [id=clvlt_xMZtleoUtY]
boundary_storage_bucket.aws_bucket: Creating...
boundary_storage_bucket.aws_bucket: Creation complete after 0s [id=sb_TaYhu2DSS9]
boundary_target.ssh: Creating...
boundary_target.ssh: Creation complete after 0s [id=tssh_JNtJTlpsm3]

Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

If you receive an error like the following, expand the accordion below to troubleshoot:

Error: error creating credential store: {"kind":"Internal","message":"credentialstores.(Service).createInRepo: unable to create credential store: vault.(Repository).CreateCredentialStore: unable to lookup vault token: vault.(client).lookupToken: vault: 403. Errors:\n\n* permission denied"}

$ vault login $VAULT_TOKEN
WARNING! The VAULT_TOKEN environment variable is set! The value of this
variable will take precedence; if this is unwanted please unset VAULT_TOKEN or
update its value accordingly.

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.XicS2Qz5r1E7mstAG1O6rmb4
token_accessor       bq3z0WFoYYw48s9MXzZvclUg
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

$ client_token=$(vault token create \
        -no-default-policy=true \
        -policy="boundary-controller" \
        -policy="kv-read" \
        -orphan=true \
        -period=20m \
        -renewable=true \
        -format=json | jq -r ".auth.client_token")
    echo "export VAULT_CRED_STORE_TOKEN=\"${client_token}\""

$ export VAULT_CRED_STORE_TOKEN="<NEW_VAULT_CRED_STORE_TOKEN_VALUE>"

$ terraform apply -var-file="boundary-example.tfvars"

To log into Boundary using the Desktop app, you must gather the BOUNDARY_ADDR values from the HCP Boundary Admin Console.

Check the value of BOUNDARY_ADDR in the terminal session where Terraform was applied.

$ echo $BOUNDARY_ADDR
https://d2a6e010-ba05-431a-b7f2-5cbc4e1e9f06.boundary.hashicorp.cloud

Open the Boundary Desktop app.

Enter the Boundary cluster URL (for example, https://d2a6e010-ba05-431a-b7f2-5cbc4e1e9f06.boundary.hashicorp.cloud) and click Submit.

Authenticate using your HCP Boundary admin credentials.

On the Targets page, notice the target details for ssh-recording-target.

Click Connect to initiate a session.

The Successfully Connected page displays the target ID (Target Connection details) and Proxy URL.

To start a session, open your terminal or SSH client. You can start a session using SSH and the Proxy URL from the Boundary Desktop app.

Connect on 127.0.0.1 and provide the proxy port using the -p option. Enter yes when prompted to establish a connection.

$ ssh 127.0.0.1 -p 51968

The authenticity of host '3.239.211.190 (3.239.211.190)' can't be established.
ED25519 key fingerprint is SHA256:Bo4D8kPtsRVR6zu+kz2bgaSoCP3C/Zwhst/J+twVFyw.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:73: ec2-3-239-211-190.compute-1.amazonaws.com
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '3.239.211.190' (ED25519) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[ec2-user@ip-10-0-51-203 ~]$

When you are finished, you can close the connection to the server by entering exit, or you can cancel the session directly from the Boundary Desktop app under the Sessions view.

Execute boundary connect, which has a helper called ssh.

Enter yes when prompted to establish the connection.

$ boundary connect ssh -target-id $TARGET_ID
Last login: Wed Sep 20 10:23:00 2023 from ip-10-0-51-203.ec2.internal

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
[ec2-user@ip-10-0-51-203 ~]$