Boundary enables identity-based access management for dynamic infrastructure.
SIGHUP: Workers will now re-read the
initial_upstreams value from the configuration file when given a SIGHUP.
This allows a worker to reconnect to controllers if the full set of
controllers has been changed over at the same time, without having to restart
the worker. (PR)workers:create:worker-led (e.g.
via boundary workers create worker-led) was given an invalid token
(PR)filter field is not sent by
admin UI (PR).-attr or
-secret values that contained colons
(PR)ssh Target Type With Credential Injection (HCP Boundary only): Boundary has
gained a new ssh target type. Using this type, username/password or SSH
private key credentials can be sourced from vault credential libraries or
static credentials and injected into the SSH session between a client and
end host. This allows users to securely SSH to remote hosts while never being
in possession of a valid credential for that target host.ssh_private_key credential type
that allows submitting a username/private key (and optional passphrase) to
Boundary for use with credential injection or brokering workflows.boundary connect ssh Credential Brokering Enhancements: we have extended
support into the boundary connect ssh helper for brokered credentials of
ssh_private_key type; the command will automatically pass the credentials to
the ssh process (PR).boundary authenticate, boundary accounts: Enables use of env:// and
file:// syntax to specify location of a password
(PR)boundary dev, boundary server
and boundary database init
(Issue,
PR).boundary accounts change-password: Fixed being prompted for confirmation of
the current password instead of the new one
(PR)-token flag in CLI: Passing a token this way can
reveal the token to any user or service that can look at process information.
This flag must now reference a file on disk or an env var. Direct usage of the
BOUNDARY_TOKEN env var is also deprecated as it can show up in environment
information; the env:// format now supported by the -token flag causes the
Boundary process to read it instead of the shell so is safer.
(PR)-password flag in CLI: The same change made above for
-token has also been applied to -password or, for supporting resource
types, -current-password and -new-password.
(PR)azure host plugin: Support multiple MSI identities
(PR
canceling state to terminated.
(PR)pki which
authenticates to Boundary using a new certificate-based method, allowing for
worker deployment without using a shared KMS.static,
which simply takes in a user-supplied credential and stores it (encrypted)
directly in Boundary. Currently, the static credential store can hold
credentials of type username_password. These credentials can act as
credential sources for targets, similar to credential libraries from the
vault credential store, and thus can be brokered to users at session
authorization time. PR
boundary connect Credential Brokering Integration: we have extended integration
into the boundary connect helpers. A new sshpass style has been added to the
ssh helper, when used, if the credential contains a username/password and sshpass
is installed, the command will automatically pass the credentials to the ssh process.
Additionally, the default ssh helper will now use the username of the brokered credential.
PR.credential libraries with respect to Target resources.
The library fields and actions were deprecated in Boundary 0.5.0,
please use credential sources instead. See changelog referenced above for
more details (PR).user_password credential type has been renamed to
username_password to remove any inconsistency over what the credential type is.
All existing user_password typed credential libraries will be migrated to
username_password (PR).event.newError: missing error: invalid parameter and handle session cancel
with no TOFU token (Issue,
PR)