HashiCorp Boundary Versions

Boundary enables identity-based access management for dynamic infrastructure.

v0.15.4

3 weeks ago

v0.15.3

1 month ago

0.15.3 (2024/03/13)

Bug Fixes

  • Fix a nil pointer error in the client cache daemon when a refresh was forced by running boundary search. (PR)
  • Resolved an issue introduced in 0.14 where, after successfully deleting an AWS S3 Storage Bucket with credential rotation enabled, Boundary could not delete the associated IAM Access Key resource.

New and Improved

  • templating: A new templating function coalesce can be used to match a template against multiple possible values, returning the first non-empty value. As an example, this can be used in a credential library to allow a username value that might be comprised of a name or login name depending on the auth method, e.g. {{ coalesce .Account.Name .Account.LoginName }} (PR)
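To show how such a function behaves when registered with Go's text/template, here is an added example (not Boundary's own code): coalesce is an assumed implementation that returns the first non-empty argument, Account is a constructed struct whose field names follow the .Account.Name / .Account.LoginName references above, and RenderUsername is a hypothetical helper that executes the template the way a credential library would resolve a username.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Account carries the fields a credential library template can reference.
// Constructed for this example; field names mirror the changelog's template.
type Account struct {
	Name      string
	LoginName string
}

// coalesce returns the first non-empty argument, or "" if all are empty.
// Assumed implementation matching the described behaviour, not Boundary's.
func coalesce(vals ...string) string {
	for _, v := range vals {
		if v != "" {
			return v
		}
	}
	return ""
}

// usernameTemplate is the template from the changelog entry.
const usernameTemplate = "{{ coalesce .Account.Name .Account.LoginName }}"

// RenderUsername executes tmpl with coalesce registered as a template
// function and the account exposed under .Account (hypothetical helper).
func RenderUsername(tmpl string, acct Account) (string, error) {
	t, err := template.New("username").
		Funcs(template.FuncMap{"coalesce": coalesce}).
		Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	data := map[string]any{"Account": acct}
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample accounts: one with both fields, one with only a
	// login name (e.g. an OIDC-style account), one with neither.
	samples := []Account{
		{Name: "alice", LoginName: "alice@example.com"},
		{LoginName: "bob@example.com"},
		{},
	}
	for _, a := range samples {
		u, err := RenderUsername(usernameTemplate, a)
		fmt.Printf("%+v -> %q (err=%v)\n", a, u, err)
	}
}
```

When every candidate is empty the rendered username is an empty string rather than an error, so a credential library that relies on coalesce should still treat an empty result as a configuration problem rather than a valid username.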

v0.15.2

1 month ago

v0.14.5

1 month ago

v0.15.1

2 months ago

0.15.1 (2024/02/28)

Bug Fixes

  • cli: Update proxy listener to not close when the number of connections left for the session is zero. The listener will refuse new connections when the number of connections left is zero but existing connections will be active. This fixes a CLI client issue where sessions with max connection count configured were closed when the number of connections left hit 0. (Issue, PR)
  • Fix issue where the websocket connection was throwing closing errors during the session teardown. (PR)

New and Improved

  • feat: support added for tracking and reporting monthly active users for the purpose of billing. It adds a new API endpoint, /v1/billing:monthly-active-users, and a new CLI command, boundary billing monthly-active-users, that can be used to view the monthly active user counts.

v0.15.0

3 months ago

0.15.0 (2024/01/30)

Deprecations/Changes

  • Per the note in Boundary 0.13.0, the previous kms worker method has been removed. Since 0.13.0, unless the use_deprecated_kms_auth_method value was set on the worker config, the new kms mechanism was already being used; this is simply no longer an available option.
  • Per the notes in Boundary 0.12.0 and 0.14.0, it is now an error if an address on a host or target contains a port. As of this release, this restriction also affects existing addresses (not just creation/updating via the API) so any existing addresses containing a port will not be able to be used as part of a target's session authorization call.
  • The grant_scope_id field on roles is now deprecated in favor of the multiple grant scope support.
  • Per the note in Boundary 0.13.1, the id field in grants has changed to ids which allows multiple ids to be included; existing grants submitted to Boundary will continue to work, but grants using "id" can no longer be added to or set on a role.
  • All list endpoints except workers now return the first 1000 items instead of all items if no parameters are provided. The number of items returned can be configured through the new controller configuration value max_page_size. The Admin UI, CLI and api package automatically paginate results.

New and Improved

  • Multiple grant scopes in roles: Roles now support multiple grant scopes, along with the special values this, children (global/org only) to apply to all direct children of a scope, and descendants (global only) to apply to all descendants of a scope. These use the new actions add-grant-scopes, set-grant-scopes, and remove-grant-scopes on roles. For now the grant_scope_id field on roles will continue to be able to be set, which will set a single grant scope, but this capability is now deprecated.
  • Policies (Enterprise and HCP Boundary only): This release introduces Policies, a Boundary resource that represents a Governance Policy to enforce. The first implementation targets Storage Policies, which enables administrators to automate the process of retention and deletion of Session Recordings, ensuring that they're only retaining data that is explicitly required from a security/compliance perspective.
    • ui: Add full UI support for Storage Policies managing the lifecycle of Session Recordings. (PR)
  • New generic commands read, update, and delete have been added. These allow operating on resources by directly specifying the ID of the resource as the next parameter (e.g. boundary update ttcp_1234567890). Subtypes do not need to be specified (e.g. that command is equivalent to boundary targets update tcp -id ttcp_1234567890), and any flags given after the ID are passed through to the type-specific subcommand. Once the ID has been entered, autocomplete is also supported. (PR)
  • The key_id parameter within SSH Certificate Credential Libraries now accepts the use of templated parameters (PR)
  • List endpoint pagination: All list endpoints except workers now support pagination.
    • api: All list endpoints except workers have added support for pagination. The api package automatically paginates until the end of the results. The new WithListToken option can be used to request a list of updated and deleted resources relative to the last result received.
    • config: add new controller field max_page_size for controlling the default and max size of pages when paginating through results.
  • New command search has been added allowing quick searching of targets or sessions. It utilizes a client side cache also added in this release. The client side cache starts itself automatically in the background when successfully executing any command that communicates with a Boundary controller. To disable the client cache from starting automatically set the BOUNDARY_SKIP_CACHE_DAEMON environment variable or pass the -skip-cache-daemon flag when running a command that may start it. Commands daemon start, daemon stop, daemon status, and daemon add-token were added to help manage the cache. The cache does not currently work with Boundary instances that require the use of client side certs.

v0.14.3

4 months ago

0.14.3 (2023/12/05)

New and Improved

  • Added the ability to enforce rate limits on the Controller API. This version enables rate limits by default. For details on the default rate limits, how to configure rate limits, and how to disable rate limiting see the noted PR. (PR)
  • Add support for OIDC prompts. Using prompts, the Relying Party (RP) can customize the authentication and authorization flow to suit its specific needs and improve the user experience. See the OIDC Authentication Request section of the OpenID Connect Core spec: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest (PR)

Bug Fixes

  • Update go-kms-wrapping/extras/kms dependency to allow external wrappers without a key id to be used within a KMS config stanza. Note: this fix allows GCP KMS keys to be used again with Boundary, which had stopped working in v0.13.0. (PR)

  • Two Vault client settings were not being properly used when constructing a Vault client. (PR)

    The TLS Skip Verify setting was only being set if a CA Cert was also configured. This fix sets the TLS Skip Verify when configured regardless of other settings.

    The TLS Server Name setting was never being set. Bad programmers. This fix now sets it on the Vault client if the Vault Credential Store has been configured to use a value for this setting.
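The two defects above are easy to reproduce in a TLS config builder, so here is an added example (not Boundary's or Vault's code) that models them: VaultStoreTLS is a hypothetical struct standing in for the credential store's TLS settings, buildTLSConfigBefore mirrors the pre-fix behaviour (TLS Skip Verify only applied inside the CA-cert branch, TLS Server Name never applied) and buildTLSConfigAfter applies each setting independently. The CA cert is represented as an already-parsed *x509.CertPool so the example needs no PEM input.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// VaultStoreTLS models the TLS-related settings of a Vault Credential Store.
// Hypothetical type for this example; not Boundary's own configuration type.
type VaultStoreTLS struct {
	CACertPool    *x509.CertPool // nil when no CA cert was configured
	TLSSkipVerify bool           // operator asked to skip server cert verification
	TLSServerName string         // expected server name (SNI and hostname check)
}

// buildTLSConfigBefore reproduces the defects described in the changelog:
// TLSSkipVerify is only honoured when a CA cert is also present, and
// TLSServerName is dropped entirely.
func buildTLSConfigBefore(cfg VaultStoreTLS) *tls.Config {
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if cfg.CACertPool != nil {
		tc.RootCAs = cfg.CACertPool
		tc.InsecureSkipVerify = cfg.TLSSkipVerify // only reachable in this branch
	}
	// cfg.TLSServerName is never copied to tc.ServerName.
	return tc
}

// buildTLSConfigAfter applies each setting on its own, regardless of the
// others, which is the behaviour the fix describes.
func buildTLSConfigAfter(cfg VaultStoreTLS) *tls.Config {
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if cfg.CACertPool != nil {
		tc.RootCAs = cfg.CACertPool
	}
	tc.InsecureSkipVerify = cfg.TLSSkipVerify
	if cfg.TLSServerName != "" {
		tc.ServerName = cfg.TLSServerName
	}
	return tc
}

// Describe summarises the effective verification behaviour of a tls.Config,
// which is what an operator wants to confirm when a Vault connection fails.
func Describe(tc *tls.Config) string {
	switch {
	case tc.InsecureSkipVerify:
		return "server certificate NOT verified"
	case tc.ServerName != "":
		return "verified against server name " + tc.ServerName
	default:
		return "verified against the dialled host name only"
	}
}

func main() {
	// Constructed settings: skip-verify requested and a server name set, but
	// no CA cert configured, the combination that exposed both bugs.
	cfg := VaultStoreTLS{TLSSkipVerify: true, TLSServerName: "vault.internal"}
	fmt.Println("before fix:", Describe(buildTLSConfigBefore(cfg)))
	fmt.Println("after fix: ", Describe(buildTLSConfigAfter(cfg)))
}
```

Note that with the pre-fix builder an operator who set TLS Server Name to make a connection through an IP address or load balancer verify correctly would get an unexplained handshake failure, because the name was never sent or checked.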

v0.14.2

6 months ago

0.14.2 (2023/10/27)

New and Improved

  • Expose Valid Principals for Vault SSH Signed Certs: Allow users to add additional valid principals when creating a vault ssh signed cert credential library (PR).

Bug Fixes

  • High CPU consumption: A background GRPC connection state check caused high CPU utilization. This was caused by a long running loop that was checking for GRPC connection state changes between a worker and an upstream connection address. The loop was not correctly waiting for GRPC connection state changes before running. The issue was fixed by correctly updating the state that determines when the loop in GRPC connection state check should run. (PR)
  • LDAP auth methods: Fix encoding of mTLS client key which prevented Boundary from making mTLS connections to an LDAP server (Issue, PR).

v0.14.1

6 months ago

0.14.1 (2023/10/17)

Bug Fixes

  • deps: Bump Go version to v1.21.3; gRPC to v1.58.3; golang.org/x/net to v0.17.0. This is to address a security vulnerability in the HTTP stack where a malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.

v0.14.0

6 months ago

0.14.0 (2023/10/10)

Deprecations/Changes

  • Per the note in Boundary 0.12.0, the vault credential library subtype has now been removed in favor of vault-generic. For example, instead of boundary credential-libraries create vault, you must use boundary credential-libraries create vault-generic.
  • Per the note in Boundary 0.12.0, errors returned from the cli when using the -format=json option will now only use the status_code field. The status field has been removed.
  • Per the note in Boundary 0.12.0, targets require a default port value. Ports defined as part of a host address were ignored but allowed as part of a target definition; from 0.14.0 onwards, any port defined on a host address will now become an error.
  • Targets: Per the note in Boundary 0.10.10, target Application Credentials have been renamed to Brokered Credentials. application-credential-source has been removed as a field; brokered-credential-source should be used instead. (PR, deprecated changelog).
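The port restriction noted here and in the 0.15.0 deprecations (an address on a host or target must not carry a port; the port belongs on the target's default port) has a few edge cases around IPv6 literals, so here is an added example of a validator for it (not Boundary's own validation code): ValidateAddress and ErrPortInAddress are hypothetical names, and the accepted forms (bare hostname, IPv4, bracketed or unbracketed IPv6) are an assumption modelled on the changelog notes.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrPortInAddress is returned when a host or target address carries a port.
// Hypothetical error value for this example.
var ErrPortInAddress = errors.New("address must not contain a port; set a default port on the target instead")

// ValidateAddress accepts a bare hostname, IPv4 or IPv6 address and rejects
// any form that includes a port ("host:22", "[::1]:22"). Assumed behaviour
// modelled on the changelog notes, not Boundary's own code.
func ValidateAddress(addr string) error {
	addr = strings.TrimSpace(addr)
	if addr == "" {
		return errors.New("address is empty")
	}
	// A bare IP literal, including unbracketed IPv6 such as "::1", has no port.
	if net.ParseIP(addr) != nil {
		return nil
	}
	// Bracketed IPv6 without a port, e.g. "[::1]".
	if strings.HasPrefix(addr, "[") && strings.HasSuffix(addr, "]") {
		if net.ParseIP(addr[1:len(addr)-1]) != nil {
			return nil
		}
		return fmt.Errorf("invalid IPv6 literal %q", addr)
	}
	// Anything SplitHostPort can split into host and a non-empty port has a port.
	if _, port, err := net.SplitHostPort(addr); err == nil && port != "" {
		return fmt.Errorf("%w: %q", ErrPortInAddress, addr)
	}
	// A remaining ':' means a malformed address (e.g. "host:" or "[::1]:").
	if strings.Contains(addr, ":") {
		return fmt.Errorf("invalid address %q", addr)
	}
	return nil
}

func main() {
	// Constructed sample addresses covering the accepted and rejected forms.
	samples := []string{
		"10.0.0.1", "::1", "[::1]", "db.internal", "2001:db8::1",
		"10.0.0.1:22", "[::1]:5432", "db.internal:3306", "host:",
	}
	for _, s := range samples {
		fmt.Printf("%-18q -> %v\n", s, ValidateAddress(s))
	}
}
```

Callers can distinguish the port case from other malformed input with errors.Is(err, ErrPortInAddress), which is useful when the validator runs over existing addresses during an upgrade rather than only at creation time.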

New and Improved

  • cli: Add support for specifying a command that will be executed on the remote host when using the boundary connect ssh subcommand. (Issue, PR).
  • feat: add API support for additional LDAP auth method fields: maximum_page_size and dereference_aliases (PR).
  • feat: add worker upstream connection status to ops health check (PR).
  • feat: allow HCP cluster id to be sourced from file or env variable (PR).
  • feat: add support for telemetry events via flag or Boundary configuration (requires observation events to be enabled). The deny filter now filters coordination worker status from observation events by default. (This behavior is overridden by any user-specified allow or deny filters.) (PR).
  • ui: Add full UI support for LDAP auth method (PR)
  • ui: Add new attribute fields to storage bucket to support the assume role service in AWS. (PR)

Bug Fixes

  • LDAP auth methods: allow bind-dn and bind-password to be updated independently. (PR)
  • targets: Fix address field not being populated if the number of targets on a list returns more than 10000 entries (PR)
  • cli: Fix issue when using the authenticate command against a password auth method on Windows where the password would be swallowed when the login name is submitted (PR)
  • worker: Fix an issue that could cause intermittent startup issues on slow systems (PR)
  • cli: Remove websocket max message size. This fixes issues where large message sizes are sent to the client from a worker which resulted in the connection being terminated, as is the case with an scp download when using an SSH Target. (PR)