Boundary enables identity-based access management for dynamic infrastructure.
- The `vault` credential library subtype has now been removed in favor of `vault-generic`. For example, instead of `boundary credential-libraries create vault`, you must use `boundary credential-libraries create vault-generic`.
- The `-format=json` option will now only use the `status_code` field. The `status` field has been removed.
- `application-credential-source` has been removed as a field. `brokered-credential-source` should be used instead. (PR, deprecated changelog)
- ... `boundary connect ssh` subcommand. (Issue, PR)
- ... `maximum_page_size` and `dereference_aliases` (PR)
- ... `authenticate` command against a password auth method on Windows, where the password would be swallowed when the login name is submitted (PR)
- Grants: the `id` field has been changed to `ids` (but `id` will still be accepted for now, up until 0.15.0). In the `ids` field, multiple IDs can now be specified in a grant, either via commas (text format) or an array (JSON format). (PR)
- In `boundary dev`, the initial LDAP auth method with an ID of `amldap_1234567890` is now in a public-active state, so it will be returned in the response from `boundary auth-methods list`.
- ... `ids` parameter. In 0.15.0 the ability to add new grants via the `id` parameter will be removed.
- The `default_client_port` field allows specifying the default port to use on the client side when connecting to a target, unless overridden by the client via `-listen-port`. (PR)
- ... `ldap` subcommands available on CRUDL operations for examples), as well as the ability to authenticate against it via the SDK, CLI, admin UI, and desktop client. (PR)
- With the introduction of the new KMS variant for worker registration (as described below), using the deprecated behavior requires opting in. This is only recommended if compatibility with pre-0.13 workers using the KMS auth method is required. Requiring opt-in removes some potentially confusing behavior around deciding when to use the old versus the new mechanism. To opt in, add `use_deprecated_kms_auth_method = true` to the `worker` config block. Note that if a 0.13+ worker using KMS connects to a 0.13+ controller using KMS, the transition to the new method happens automatically. Going back to the old method after that requires the worker to be deleted and re-added with the `use_deprecated_kms_auth_method` config field specified.
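The `ids` change above means a grant can now arrive in three spellings: the text form with comma-separated IDs, the JSON form with an array, and the legacy singular `id` that remains accepted until 0.15.0. The following is an added example, not Boundary's own parser: an illustrative Go normalizer that reads all three into one structure and flags use of the deprecated key so an operator can find grants that still need migrating. The key names (`id`, `ids`, `type`, `actions`, `output_fields`) are the grant format's; the two validity checks at the end and every sample ID are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Grant is the normalized form of one role grant: resource IDs, a type and the
// permitted actions, whichever input form it was written in.
type Grant struct {
	Ids     []string
	Type    string
	Actions []string
	// UsedDeprecatedId is set when the grant spelled its ID with the singular
	// `id` key, which this changelog says is still accepted until 0.15.0.
	UsedDeprecatedId bool
}

// jsonGrant carries both the old `id` and the new `ids` keys so that either
// spelling can be read from the JSON form.
type jsonGrant struct {
	Id      string   `json:"id"`
	Ids     []string `json:"ids"`
	Type    string   `json:"type"`
	Actions []string `json:"actions"`
}

// ParseGrant accepts either the text form (`ids=a,b;type=t;actions=x,y`) or
// the JSON form (`{"ids":["a","b"],"type":"t","actions":["x","y"]}`).
func ParseGrant(s string) (Grant, error) {
	s = strings.TrimSpace(s)
	if strings.HasPrefix(s, "{") {
		return parseJSONGrant(s)
	}
	return parseTextGrant(s)
}

func parseJSONGrant(s string) (Grant, error) {
	var jg jsonGrant
	if err := json.Unmarshal([]byte(s), &jg); err != nil {
		return Grant{}, fmt.Errorf("invalid JSON grant: %w", err)
	}
	g := Grant{Ids: jg.Ids, Type: jg.Type, Actions: jg.Actions}
	if jg.Id != "" {
		g.Ids = append(g.Ids, jg.Id)
		g.UsedDeprecatedId = true
	}
	if err := validate(g); err != nil {
		return Grant{}, err
	}
	return g, nil
}

func parseTextGrant(s string) (Grant, error) {
	var g Grant
	for _, segment := range strings.Split(s, ";") {
		key, value, ok := strings.Cut(segment, "=")
		if !ok {
			return Grant{}, fmt.Errorf("segment %q is not key=value", segment)
		}
		switch key {
		case "id":
			g.Ids = append(g.Ids, value)
			g.UsedDeprecatedId = true
		case "ids":
			g.Ids = append(g.Ids, splitList(value)...)
		case "type":
			g.Type = value
		case "actions":
			g.Actions = splitList(value)
		case "output_fields":
			// A valid grant key, but not modeled in this example.
		default:
			return Grant{}, fmt.Errorf("unknown grant key %q", key)
		}
	}
	if err := validate(g); err != nil {
		return Grant{}, err
	}
	return g, nil
}

// splitList splits a comma-separated list, dropping empty items such as the
// one left behind by a trailing comma.
func splitList(v string) []string {
	var out []string
	for _, item := range strings.Split(v, ",") {
		if item = strings.TrimSpace(item); item != "" {
			out = append(out, item)
		}
	}
	return out
}

// validate applies two illustrative checks (assumptions for this example, not
// Boundary's own rules): a grant must target something, via ids or type, and
// must list at least one action.
func validate(g Grant) error {
	if len(g.Ids) == 0 && g.Type == "" {
		return fmt.Errorf("grant names neither ids nor type")
	}
	if len(g.Actions) == 0 {
		return fmt.Errorf("grant lists no actions")
	}
	return nil
}

func main() {
	// Constructed sample grants; the IDs are made up.
	for _, in := range []string{
		"ids=hcst_1234567890,hcst_0987654321;type=host-catalog;actions=read,list",
		`{"ids":["ttcp_1234567890","ttcp_0987654321"],"type":"target","actions":["authorize-session"]}`,
		"id=*;type=*;actions=*", // legacy singular id, accepted until 0.15.0
	} {
		g, err := ParseGrant(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%+v\n", g)
	}
}
```

Running the grants already stored in your roles through something like this, and grepping for `UsedDeprecatedId:true`, gives a quick inventory of what must be rewritten before the `id` spelling stops being accepted.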
- When grants are added to roles, additional validity checking is now performed. This extra checking is designed to reject grants that do not match a documented grant format or that combine IDs and types that cannot actually be used together. Such grants would previously have been accepted without error but would never result in permissions being granted, causing confusion. As a result, attempting to write such grants into roles may now result in an error; the error message gives hints for resolution.
- `WithAutomaticVersioning` for auth tokens in the Go SDK: this option was incorrectly being generated for auth token resources, which do not support versioning. This is technically a breaking change, but it was a no-op option that there was no reason to be using. It has now been removed.
- Plugins: With the introduction of the storage plugin service, the Azure and AWS host plugin repositories have been renamed to drop the `host` element of the repository name. Similarly, the `plugins/host` package has been renamed to `plugins/boundary` (PR1, PR2, PR3, PR4).
PostgreSQL 12 or greater is now required. PostgreSQL 11 is no longer supported.
- `authorize-session` now works properly when using a target's name as the identifier and the target name contains one or more slashes (PR)
- ... client secret bug for OIDC authentication methods (PR)
- ... `vault-ssh-certificate` credential libraries, the `vault` credential library subtype is being renamed to `vault-generic` to denote it as a credential library that can be used in a generalized way to issue credentials from Vault. Existing credential libraries with the subtype of `vault` will be updated to `vault-generic`. The subtype of `vault` will still be accepted as a valid subtype in API requests to the credential libraries endpoints, but is deprecated; `vault-generic` should be used instead. In addition, the `boundary credential-libraries create vault` and `boundary credential-libraries update vault` subcommands will still function, but are deprecated; `boundary credential-libraries create vault-generic` and `boundary credential-libraries update vault-generic` should be used instead. Also note that any credential library created using the subtype of `vault`, either via the API or via the deprecated subcommand, will have its subtype set to `vault-generic`. The deprecated subtype and subcommands will be removed in Boundary 0.14.0, at which point `vault-generic` must be used.
- The `-format=json` option of the CLI would provide a `status_code` for successful API requests. However, in the case where an error was returned, the JSON would use `status` instead. This inconsistency has been fixed, with `status_code` being used in both cases. For error cases `status` will still be populated, but is deprecated and will be removed in 0.14.0.
- The `worker_filter` field has been deprecated and replaced with egress and ingress worker filters. Egress worker filters determine which workers are used to access targets. Ingress worker filters (HCP Boundary only) determine which workers are used to connect with a client to initiate a session. (PR)
- ... `SIGHUP` sent to the parent process; some init systems, notably `dumb-init`, would pass it along to the child processes and cause the plugin to exit (PR)
- `-format=json`: the JSON was inconsistent in how it reported status codes. In successful cases it would use `status_code`, but in error cases it would use `status`. Now `status_code` is used in both cases. In error cases `status` is still populated; see the deprecations above for more details. (PR)
- ... `job_run` table. (PR)
- Vault parameter templating: In `vault` credential libraries, the paths and any POST bodies can contain templated parameters using Go template syntax (similar to Consul-Template). The following template parameters are supported (note that account values are tied to the account associated with the token making the call):
  - `{{ .User.Id }}`: the user's ID
  - `{{ .User.Name }}`: the user's name (from the user resource)
  - `{{ .User.FullName }}`: the user's full name (from the account corresponding to the primary auth method in the user's scope; this may not be populated, or may differ from the account name in the template)
  - `{{ .User.Email }}`: the user's email address (same caveat as `FullName`)
  - `{{ .Account.Id }}`: the account's ID
  - `{{ .Account.Name }}`: the account's name (from the account resource)
  - `{{ .Account.LoginName }}`: the account's login name (if used by that type of account)
  - `{{ .Account.Subject }}`: the account's subject (if used by that type of account)
  - `{{ .Account.Email }}`: the account's email (if used by that type of account)

  Additionally, there is currently a single function, which strips the rest of a string after a specified substring; this is useful for pulling a user or account name out of an email address. The following example uses the account email, but the argument can be any other parameter:
  - `{{ truncateFrom .Account.Email "@" }}`: this would turn `foo@example.com` into `foo`
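To make the templating concrete, here is an added Go example (not Boundary's implementation) that renders a credential library path and a POST body with `text/template`, registering a `truncateFrom` function with the behaviour described above. The `User` and `Account` structs only mirror the parameter names listed; the sample IDs and addresses are constructed for the example, and the choice to treat an unknown field as a hard error is an assumption about what a safe renderer should do rather than a statement about Boundary's own behaviour.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Data passed to the template. The field names mirror the parameters listed
// above ({{ .User.Id }}, {{ .Account.Email }}, ...); only the shape is
// reproduced here, not Boundary's internal types.
type User struct {
	Id       string
	Name     string
	FullName string
	Email    string
}

type Account struct {
	Id        string
	Name      string
	LoginName string
	Subject   string
	Email     string
}

type TemplateData struct {
	User    User
	Account Account
}

// truncateFrom drops everything from the first occurrence of sep onward, so
// truncateFrom("foo@example.com", "@") == "foo". If sep is absent the input is
// returned unchanged rather than failing, which matters when an identity
// provider hands back a login name that is not an email address.
func truncateFrom(s, sep string) string {
	if i := strings.Index(s, sep); i >= 0 {
		return s[:i]
	}
	return s
}

// RenderVaultTemplate renders a credential-library path or POST body template
// against the caller's user/account data. A reference to a field that does
// not exist, such as {{ .User.Bogus }}, fails at execution time instead of
// rendering as an empty string, so a typo in a path cannot silently collapse
// onto a different Vault secret.
func RenderVaultTemplate(tmpl string, data TemplateData) (string, error) {
	t, err := template.New("vault").
		Funcs(template.FuncMap{"truncateFrom": truncateFrom}).
		Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse template: %w", err)
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", fmt.Errorf("execute template: %w", err)
	}
	return sb.String(), nil
}

// SampleData is a constructed user/account pair; the IDs and addresses are
// made up for this example.
func SampleData() TemplateData {
	return TemplateData{
		User:    User{Id: "u_1234567890", Name: "foo", FullName: "Foo Example", Email: "foo@example.com"},
		Account: Account{Id: "acctpw_1234567890", Name: "foo", LoginName: "foo", Email: "foo@example.com"},
	}
}

func main() {
	data := SampleData()
	for _, tmpl := range []string{
		`database/creds/{{ truncateFrom .Account.Email "@" }}`,
		`{"ttl": "1h", "username": "{{ .User.Name }}", "user_id": "{{ .User.Id }}"}`,
		`kv/data/{{ .User.Bogus }}`, // unknown field: rendering fails
	} {
		out, err := RenderVaultTemplate(tmpl, data)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(out)
	}
}
```

Note what the template values are: identity attributes that the user's auth method, not Boundary, ultimately controls. A path built from `{{ .User.Email }}` is only as trustworthy as the identity provider that issued the email claim, so the Vault policy bound to the credential store's token remains the real authorization boundary, and the templated path should only narrow what that policy already permits.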
- Per-scope key lifecycle management: You can now manage the lifecycles of both Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs) using the new key rotation and key version destruction functionality. To learn more about this new feature, refer to the documentation. Upgrade notice: If the Database purpose DEK for a scope is destroyed, you must use the API to cancel any sessions that predate the upgrade. (PR)
- Workers: PKI worker daemons now get disconnected from upstreams when their corresponding resource is deleted (PR)
- ... `authorize-session` time, which could allow one worker to bear the majority of sessions (PR)
- ... `worker_filter` attribute when configuring a Vault credential store.
- `json` credential type, supported by static credential stores, that allows submitting a generic JSON object to Boundary for use with credential brokering workflows (PR)
- ... `SIGINT` or `SIGTERM` (PR)
- The `add-host-sets`, `remove-host-sets`, and `set-host-sets` actions on targets were deprecated in favor of `add-host-sources`, `remove-host-sources`, and `set-host-sources`. Originally these actions and API calls were to be removed in 0.6, but this was delayed to give clients extra time to switch over. The switchover is now complete. A database migration will modify any grants in roles to use the new actions. The same changeover has been made for `add-/remove-/set-credential-libraries` to `add-/remove-/set-credential-sources`, although those actions would only appear in grant strings in very rare circumstances, as the `-sources` actions replaced the `-libraries` actions very quickly. (PR)