Boundary enables identity-based access management for dynamic infrastructure.
SIGHUP: Workers will now re-read the initial_upstreams value from the configuration file when given a SIGHUP. This allows a worker to reconnect to controllers if the full set of controllers has been changed over at the same time, without having to restart the worker. (PR)

workers:create:worker-led (e.g. via boundary workers create worker-led) was given an invalid token (PR)

filter field is not sent by admin UI (PR).

-attr or -secret values that contained colons (PR)

ssh Target Type With Credential Injection (HCP Boundary only): Boundary has gained a new ssh target type. Using this type, username/password or SSH private key credentials can be sourced from vault credential libraries or static credentials and injected into the SSH session between a client and end host. This allows users to securely SSH to remote hosts while never being in possession of a valid credential for that target host.

ssh_private_key credential type that allows submitting a username/private key (and optional passphrase) to Boundary for use with credential injection or brokering workflows.

boundary connect ssh Credential Brokering Enhancements: we have extended support into the boundary connect ssh helper for brokered credentials of ssh_private_key type; the command will automatically pass the credentials to the ssh process (PR).

boundary authenticate, boundary accounts: Enables use of env:// and file:// syntax to specify the location of a password (PR)

boundary dev, boundary server and boundary database init (Issue, PR).

boundary accounts change-password: Fixed being prompted for confirmation of the current password instead of the new one (PR)

-token flag in CLI: Passing a token this way can reveal the token to any user or service that can look at process information. This flag must now reference a file on disk or an env var. Direct usage of the BOUNDARY_TOKEN env var is also deprecated, as it can show up in environment information; the env:// format now supported by the -token flag causes the Boundary process to read the variable itself instead of the shell, and so is safer. (PR)

-password flag in CLI: The same change made above for -token has also been applied to -password or, for supporting resource types, -current-password and -new-password. (PR)
azure host plugin: Support multiple MSI identities (PR)

canceling state to terminated. (PR)

pki, which authenticates to Boundary using a new certificate-based method, allowing for worker deployment without using a shared KMS.

static, which simply takes in a user-supplied credential and stores it (encrypted) directly in Boundary. Currently, the static credential store can hold credentials of type username_password. These credentials can act as credential sources for targets, similar to credential libraries from the vault credential store, and thus can be brokered to users at session authorization time. PR

boundary connect Credential Brokering Integration: we have extended integration into the boundary connect helpers. A new sshpass style has been added to the ssh helper; when it is used, if the credential contains a username/password and sshpass is installed, the command will automatically pass the credentials to the ssh process. Additionally, the default ssh helper will now use the username of the brokered credential. PR

credential libraries with respect to Target resources. The library fields and actions were deprecated in Boundary 0.5.0; please use credential sources instead. See the changelog referenced above for more details (PR).

user_password credential type has been renamed to username_password to remove any inconsistency over what the credential type is. All existing user_password typed credential libraries will be migrated to username_password (PR).

event.newError: missing error: invalid parameter and handle session cancel with no TOFU token (Issue, PR)