Boundary enables identity-based access management for dynamic infrastructure.
coalesce can be used to match a template against multiple possible values, returning the first non-empty value. As an example, this can be used in a credential library to allow a username value that might be comprised of a name or login name depending on the auth method, e.g. {{ coalesce .Account.Name .Account.LoginName}} (PR)
/v1/billing:monthly-active-users and new CLI command, boundary billing monthly-active-users that can be used to view the monthly active user counts.
kms worker method has been removed. Since 0.13.0, unless the use_deprecated_kms_auth_method value was set on the worker config, the new kms mechanism was already being used; this is simply no longer an available option.
grant_scope_id field on roles is now deprecated in favor of the multiple grant scope support.
id field in grants has changed to ids which allows multiple ids to be included; existing grants submitted to Boundary will continue to work, but grants using "id" can no longer be added to or set on a role.
max_page_size. The Admin UI, CLI and api package automatically paginate results.
this, children (global/org only) to apply to all direct children of a scope, and descendants (global only) to apply to all descendants of a scope. These use the new actions add-grant-scopes, set-grant-scopes, and remove-grant-scopes on roles. For now the grant_scope_id field on roles will continue to be able to be set, which will set a single grant scope, but this capability is now deprecated.
read, update, and delete have been added. These allow operating on resources by directly specifying the ID of the resource as the next parameter (e.g. boundary update ttcp_1234567890). Subtypes do not need to be specified (e.g. that command is equivalent to boundary targets update tcp -id ttcp_1234567890), and any flags given after the ID are passed through to the type-specific subcommand. Once the ID has been entered, autocomplete is also supported. (PR)
key_id parameter within SSH Certificate Credential Libraries now accepts the use of templated parameters (PR)
max_page_size for controlling the default and max size of pages when paginating through results.
search has been added allowing quick searching of targets or sessions. It utilizes a client side cache also added in this release. The client side cache starts itself automatically in the background when successfully executing any command that communicates with a Boundary controller. To disable the client cache from starting automatically set the BOUNDARY_SKIP_CACHE_DAEMON environment variable or pass the -skip-cache-daemon flag when running a command that may start it. Commands daemon start, daemon stop, daemon status, and daemon add-token were added to help manage the cache. The cache does not currently work with Boundary instances that require the use of client side certs.
Update go-kms-wrapping/extras/kms dependency to allow external wrappers without a key id to be used within a KMS config stanza. Note: this fix allows GCP KMS keys to be used again with Boundary, which had stopped working in v0.13.0. (PR)
Two Vault client settings were not being properly used when constructing a Vault client. (PR)
The TLS Skip Verify setting was only being set if a CA Cert was also configured. This fix sets the TLS Skip Verify when configured regardless of other settings.
The TLS Server Name setting was never being set. Bad programmers. This fix now sets it on the Vault client if the Vault Credential Store has been configured to use a value for this setting.
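The two defects described above, reduced to a minimal Go sketch that uses the standard library's crypto/tls rather than the Vault client. This is an added example, not Boundary's code: StoreTLS, buildBuggy, buildFixed and dropped are hypothetical names and the server name is a constructed value.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

type StoreTLS struct { // hypothetical type and field names for a store's TLS settings
	CACertPEM  []byte
	SkipVerify bool
	ServerName string
}

// buildBuggy mirrors the described defect: skip-verify is gated on the CA cert.
func buildBuggy(s StoreTLS) *tls.Config {
	cfg := &tls.Config{}
	if len(s.CACertPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AppendCertsFromPEM(s.CACertPEM)
		cfg.InsecureSkipVerify = s.SkipVerify // only reached when a CA cert is set
	}
	return cfg // ServerName is never copied over
}

// buildFixed applies every configured setting independently of the others.
func buildFixed(s StoreTLS) *tls.Config {
	cfg := &tls.Config{InsecureSkipVerify: s.SkipVerify, ServerName: s.ServerName}
	if len(s.CACertPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AppendCertsFromPEM(s.CACertPEM)
	}
	return cfg
}

// dropped names configured settings that did not reach the resulting tls.Config.
func dropped(s StoreTLS, cfg *tls.Config) (out []string) {
	if s.SkipVerify != cfg.InsecureSkipVerify {
		out = append(out, "TLS Skip Verify")
	}
	if s.ServerName != cfg.ServerName {
		out = append(out, "TLS Server Name")
	}
	return out
}

func main() {
	s := StoreTLS{SkipVerify: true, ServerName: "vault.internal.example"} // constructed sample
	fmt.Println("buggy drops:", dropped(s, buildBuggy(s)), "fixed drops:", dropped(s, buildFixed(s)))
}
```

A check like dropped, run over every combination of optional settings, catches this class of bug where one setting is silently conditional on another.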
vault credential library subtype has now been removed in favor of vault-generic. For example, instead of boundary credential-libraries create vault, you must use boundary credential-libraries create vault-generic.
-format=json option will now only use the status_code field. The status field has been removed.
application-credential-source has been removed as a field. brokered-credential-source should be used instead. (PR, deprecated changelog).
boundary connect ssh subcommand. (Issue, PR).
maximum_page_size and dereference_aliases (PR).
authenticate command against a password auth method on Windows where the password would be swallowed when the login name is submitted (PR)