Tutorial: How to provide secure access with HashiCorp Boundary

  • June 24, 2021

When you provision infrastructure for any environment, users need a way to reach dynamic hosts and services securely; this is the problem HashiCorp Boundary takes on. Boundary is an open-source tool, one of the more interesting things to come out of HashiCorp in recent years, that combines the secure networking and identity management capabilities needed to broker access to hosts and services in one place, across a mix of cloud and on-premises resources. Rather than giving a user network access to a host (a VPN or a bastion), it authenticates the user, authorises them against a target, and proxies the session through a worker, so the user needs neither a route to the host nor knowledge of its address.

Flugel works on exactly these kinds of cloud challenges. By the end of this tutorial you will know how to run Boundary in development mode for a quick look, and how to deploy it to AWS with Terraform. Enough theory; let's get our hands dirty.

Prerequisites

  1. Docker installed on your machine (dev mode starts its Postgres database in a container).
  2. Network access to pull the Postgres Docker image, or the image already cached locally.
  3. The Boundary binary installed and on your PATH; the installation steps for each operating system are on the Boundary website.
  4. An AWS account, with credentials configured on your machine so that the CLI (and Terraform) can use them from the terminal.
  5. Access to the Boundary repository's GitHub issues tab, for checking errors you run into.

 

Setting Up Development Mode

1. Start Boundary in development mode, supplying your own login name and password rather than the defaults (any values that suit your use case). It takes a few minutes (about 3) to come up, because dev mode pulls and starts a Postgres container and initialises the database before the controller and worker begin listening.

2. Open another tab or a new terminal window before doing this. Authenticate to the dev instance with the authenticate command, using the login name and password you chose in step 1 and the password auth method ID that dev mode printed at startup (it begins with ampw_).

Note: this step returns an authentication token. By default the CLI stores it in your operating system's keyring and reuses it for later commands; if you print or copy it, keep it as safe as you would the password, because it grants the same access until it expires.

 

3. Open the admin console at http://localhost:9200/ (dev mode serves the web UI on the same listener as the API) and log in with the same login name and password.

At this point you have completed the first section: Boundary is running in development (dev) mode, which is meant for quick testing and exploration. Dev mode creates the admin user and password auth method for you and keeps everything in a throwaway database that is destroyed when the process exits, so nothing here is suitable for real users or real hosts.
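Steps 1 to 3 as one script, added here as an example and not taken from the original post's screenshots. It assumes the `boundary` binary is on your PATH and Docker is running, uses `DEV_LOGIN` and `DEV_PASSWORD` as stand-ins for the values you choose, and relies on dev mode's default auth method ID `ampw_1234567890` (dev mode generates predictable IDs). The password is passed with the `env://` form, which newer CLI releases accept; the oldest releases only took the literal value or prompted for it.

```shell
#!/bin/sh
# Added example (not the post's own commands): bring up Boundary dev mode,
# wait for the API, authenticate, and capture the session token.
# Assumptions: `boundary` on PATH, Docker running (dev mode starts Postgres in
# a container), DEV_LOGIN / DEV_PASSWORD are the values you chose in step 1.
set -eu

DEV_LOGIN="${DEV_LOGIN:-admin}"
DEV_PASSWORD="${DEV_PASSWORD:-pick-a-real-password}"   # dev only; never reuse it elsewhere
BOUNDARY_ADDR="${BOUNDARY_ADDR:-http://127.0.0.1:9200}"
export BOUNDARY_ADDR DEV_PASSWORD

# Read `boundary ... -format json` output on stdin and print one string field.
# grep/sed only, so it works without jq; the first match wins, which is the
# token at .item.attributes.token for `authenticate`.
json_field() {
  grep -o "\"$1\": *\"[^\"]*\"" | head -n 1 | sed 's/.*: *"\([^"]*\)"/\1/'
}

# Dev mode takes a few minutes to come up; poll instead of sleeping blindly.
# Listing auth methods in the global scope is permitted for the anonymous
# user, so it works as a readiness probe before we have a token.
wait_for_api() {
  tries=0
  until boundary auth-methods list -scope-id=global >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 90 ] || { echo "controller never became ready" >&2; return 1; }
    sleep 5
  done
}

# Step 1: start dev mode in the background with your own admin credentials.
# Dev mode's generated password auth method is ampw_1234567890 by default.
start_dev() {
  boundary dev -login-name="$DEV_LOGIN" -password="$DEV_PASSWORD" \
    >boundary-dev.log 2>&1 &
  echo "$!" >boundary-dev.pid
}

# Step 2: authenticate. env:// keeps the password out of `ps` output (older
# releases only accepted the literal value or prompted for it), and
# -keyring-type=none makes the CLI print the token instead of storing it.
dev_login() {
  boundary authenticate password -auth-method-id=ampw_1234567890 \
    -login-name="$DEV_LOGIN" -password=env://DEV_PASSWORD \
    -keyring-type=none -format json | json_field token
}

# Only run the live procedure when explicitly asked, so the file can be
# sourced for its functions without starting anything.
if [ "${BOUNDARY_TUTORIAL_RUN:-0}" = "1" ]; then
  start_dev
  wait_for_api
  BOUNDARY_TOKEN=$(dev_login)
  [ -n "$BOUNDARY_TOKEN" ] || { echo "authentication failed" >&2; exit 1; }
  export BOUNDARY_TOKEN
  umask 077
  printf '%s\n' "$BOUNDARY_TOKEN" >"$HOME/.boundary-dev-token"   # step 2 note: keep it safe
  echo "dev mode ready; admin UI at $BOUNDARY_ADDR/ (step 3)"
fi
```

Run it with `BOUNDARY_TUTORIAL_RUN=1 sh dev-mode.sh`; without that variable it only defines the functions. Later CLI commands in the same shell pick up `BOUNDARY_TOKEN` from the environment. The dev controller keeps running in the background (its PID is in boundary-dev.pid) until you kill it, at which point dev mode also destroys its Postgres container.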

 

Setting Up Production Environment

The following steps deploy a production-style Boundary environment to AWS with Terraform. Take them with care: Terraform will create real (billable) resources in your account, and the choices you make here shape the access path for your whole infrastructure.

 

4. In the terminal, install Go 1.15 or later with the command below.

Note: the install uses sudo, so you may be asked for your own password (the one that grants root on your machine); respond accordingly.

 

5. Install Terraform on your local machine. For this tutorial I installed it through Homebrew on Ubuntu; the Homebrew and Terraform installation guides have the details for other setups.

 

6. Download the Boundary binary and place it in the location the reference architecture's Terraform configuration expects, because Terraform uploads it from there to the instances it creates (check the variable defaults in the repository you clone in the next step). Use the Linux amd64 build: it has to run on the EC2 instances, not on your laptop. The command for this is:

 

 

 

7. Clone the Boundary reference architecture repository (hashicorp/boundary-reference-architecture on GitHub); the AWS deployment lives under deployment/aws.

 

 

8. Make sure your shell can reach your AWS environment. Terraform picks up the same credentials the AWS CLI uses (a configured profile or the access key environment variables), so confirm they work before running it.

 

 

9. Execute the Terraform operations, init, plan and apply, from the deployment directory with the following commands. Review the plan before you apply it.

This may take about 16-20 minutes, so get a cup of coffee and watch your infrastructure being provisioned on AWS.

 

Hurray🎉 our infrastructure is LIVE. Go to your AWS console and confirm that all the resources exist.

 

10. Check that the controller and worker are running by SSHing into the EC2 instances Terraform created.

Do not worry about the key.pem file: the Terraform configuration assumes the user running it has an SSH key pair and reads the public key from ~/.ssh/id_rsa.pub (see https://github.com/hashicorp/boundary-reference-architecture/blob/main/deployment/aws/vars.tf#L5), so SSH works with the matching private key as long as your public key is at that path. Follow the syntax above; the image below shows the expected output.
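Steps 4 to 10 as one script, added as an example rather than reproduced from the post. It assumes an apt-based Ubuntu machine with sudo; that `BOUNDARY_VERSION` is the release you want on the instances; that `BOUNDARY_BIN` is the directory the reference architecture's Terraform variables point at for the binary (check deployment/aws/vars.tf and adjust, or override the variable with -var); that the instances' login user is `ubuntu`; and that the daemons use Boundary's default listener ports. It goes a little beyond the post in two places a practitioner will want: it verifies the downloaded release against the published SHA256SUMS before unpacking, and it checks the instances for the controller and worker listeners rather than eyeballing a screenshot.

```shell
#!/bin/sh
# Added example, not the post's own commands: production prerequisites and
# deployment (steps 4-10) on Ubuntu. Assumptions: apt + sudo; BOUNDARY_BIN is
# the directory Terraform copies the binary from (check vars.tf); the reference
# AMI's login user is ubuntu; default listener ports 9200/9201/9202.
set -eu

GO_VERSION="${GO_VERSION:-1.16.5}"
BOUNDARY_VERSION="${BOUNDARY_VERSION:-0.4.0}"
BOUNDARY_BIN="${BOUNDARY_BIN:-$HOME/boundary/bin}"     # assumption: match the path in vars.tf
REPO_DIR="${REPO_DIR:-$HOME/boundary-reference-architecture}"

# Step 4: Go from the official tarball (Ubuntu 20.04's package is older than 1.15).
install_go() {
  curl -fsSLo /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
  sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf /tmp/go.tgz   # sudo asks for your password
  export PATH="$PATH:/usr/local/go/bin"
}

# Step 5: Terraform (and the boundary CLI) from HashiCorp's signed apt repo
# instead of Homebrew; the key is pinned with signed-by rather than apt-key.
install_terraform() {
  curl -fsSL https://apt.releases.hashicorp.com/gpg \
    | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
  echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
    | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
  sudo apt-get update && sudo apt-get install -y terraform boundary
}

# Step 6: fetch the linux_amd64 release for the instances, verify it against the
# published SHA256SUMS (fails closed on a tampered or truncated download), and
# unpack it where Terraform expects it.
fetch_boundary_binary() {
  base="https://releases.hashicorp.com/boundary/${BOUNDARY_VERSION}"
  zip="boundary_${BOUNDARY_VERSION}_linux_amd64.zip"
  tmp=$(mktemp -d)
  curl -fsSLo "$tmp/$zip" "$base/$zip"
  curl -fsSLo "$tmp/SHA256SUMS" "$base/boundary_${BOUNDARY_VERSION}_SHA256SUMS"
  (cd "$tmp" && grep " $zip\$" SHA256SUMS | sha256sum -c -)
  mkdir -p "$BOUNDARY_BIN"
  unzip -o -q "$tmp/$zip" -d "$BOUNDARY_BIN"
  rm -rf "$tmp"
}

# Steps 7-9: clone the reference architecture and run init/plan/apply. AWS
# credentials come from the usual places (aws configure, env vars, a profile).
deploy() {
  [ -f "$HOME/.ssh/id_rsa.pub" ] || { echo "vars.tf expects ~/.ssh/id_rsa.pub" >&2; return 1; }
  [ -d "$REPO_DIR" ] || git clone https://github.com/hashicorp/boundary-reference-architecture "$REPO_DIR"
  cd "$REPO_DIR/deployment/aws"
  terraform init
  terraform plan -out=boundary.tfplan      # add -var overrides here if BOUNDARY_BIN differs from vars.tf
  terraform apply boundary.tfplan          # roughly 16-20 minutes
  terraform output >"$HOME/boundary-outputs.txt"
}

# The post says to look for the value starting with ampw_ in the apply output;
# this pulls it out of captured `terraform output` text (Boundary IDs are a
# prefix plus ten characters) so step 11 can use it.
auth_method_id_from() {
  printf '%s' "$1" | grep -o 'ampw_[A-Za-z0-9]\{10\}' | head -n 1
}

# Step 10: confirm the daemons on one instance. Default listeners are 9200
# (API) and 9201 (cluster) on a controller and 9202 (proxy) on a worker.
check_instance() {
  ssh -i "$HOME/.ssh/id_rsa" -o StrictHostKeyChecking=accept-new "ubuntu@$1" \
    'pgrep -a boundary; ss -ltn | grep -E ":(9200|9201|9202) "'
}

if [ "${BOUNDARY_TUTORIAL_RUN:-0}" = "1" ]; then
  install_go; install_terraform; fetch_boundary_binary; deploy
  echo "auth method id: $(auth_method_id_from "$(cat "$HOME/boundary-outputs.txt")")"
fi
```

Run it with `BOUNDARY_TUTORIAL_RUN=1`; afterwards `check_instance <public-ip>` inspects one instance (a controller should show 9200 and 9201, a worker 9202), and `auth_method_id_from "$(cat ~/boundary-outputs.txt)"` gives you the value step 11 needs.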

 

 

Boundary Authentication and Access

11. Next, authenticate to the production Boundary environment using the CLI, in the format below:

Note:
  • To get the Boundary address, look up the load balancer Terraform created in the AWS console, and confirm that its targets are the controller EC2 instances.
  • To get the auth-method-id, look at the output of "terraform apply" (or run "terraform output"); it is the value that starts with ampw_.
  • Copy the generated token and store it safely for future reference; it is as sensitive as the admin password.

 

12. Open the web interface at the Boundary address from step 11 and log in with the admin user created by the deployment.

 

 

13. Create a project called "Infrastructure-Project". Projects live inside an org scope, so create an org first if the global scope does not have one yet.

 

 

 

14. Create a host catalog containing a host set. For this tutorial, treat the host set as a group of relational database servers that an external user needs to reach.

 

15. Add some hosts to the host set through the host set tab. Each host needs a name and an address, and that address must be reachable from the Boundary worker rather than from your laptop, because the worker is what proxies the session.

 

16. Create a target that points at the host set created in the previous step. The target is what users actually connect to: it binds the host set to a default port and session settings, and it is the object you grant access to and later report on when you need to show who can reach what.

 

17. Copy the target ID (it starts with ttcp_) for future use.

 

 

 

18. Remotely connect to the target with the required details in the syntax shown:

Note:
a. Get the target-id from the Boundary dashboard (step 17).
b. Use the token from step 11. The dev-mode token from step 2 will not work here; it was issued by a different controller.

 

19. Optional: if you want to pass the usual client flags through (for example when using boundary connect ssh), add "--" to the end of the command from the previous step and put the client's own flags after it; Boundary hands everything after the separator to the client untouched. In plain terms:
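Steps 11 to 19 done from the CLI rather than the web UI, added as an example that is not part of the original post. It assumes `BOUNDARY_LB` is the load balancer DNS name from the AWS console and that the API is exposed on port 9200 through it, `AUTH_METHOD_ID` is the ampw_ value from the Terraform output, `BOUNDARY_PASSWORD` holds the admin password, the two host addresses are placeholders for database servers the worker can route to, and a 2021-era CLI (the `-host-set` flag and `add-host-sets` subcommand were renamed to `-host-source` and `add-host-sources` in later releases).

```shell
#!/bin/sh
# Added example, not the post's own screenshots: the production access path
# (steps 11-19) built from the CLI. Assumptions: BOUNDARY_LB and AUTH_METHOD_ID
# come from the Terraform deployment, the API is reachable on 9200 through the
# load balancer, and the host addresses below are placeholders.
set -eu

BOUNDARY_ADDR="http://${BOUNDARY_LB:-boundary-lb.example.invalid}:9200"
AUTH_METHOD_ID="${AUTH_METHOD_ID:-ampw_1234567890}"
export BOUNDARY_ADDR

# Read `-format json` output on stdin and print one string field; for the
# create commands the first "id" is .item.id, the id of the new resource.
json_field() {
  grep -o "\"$1\": *\"[^\"]*\"" | head -n 1 | sed 's/.*: *"\([^"]*\)"/\1/'
}

# Guard against pasting the wrong id into connect. Boundary ids carry a type
# prefix: targets ttcp_, host sets hsst_, host catalogs hcst_, hosts hst_,
# projects p_, orgs o_.
require_prefix() {
  case "$2" in
    "$1"_*) return 0 ;;
    *) echo "expected an id starting with ${1}_, got $2" >&2; return 1 ;;
  esac
}

# Step 11: the token is stored in the OS keyring and reused by later commands.
# Boundary is the access path, so treat the token like the password itself.
login() {
  boundary authenticate password -auth-method-id="$AUTH_METHOD_ID" \
    -login-name="${BOUNDARY_LOGIN:-admin}" -password=env://BOUNDARY_PASSWORD
}

# Steps 13-17: org -> project -> static host catalog -> host set + hosts ->
# TCP target with the database port as its default. Prints the target id.
build_access_path() {
  ORG_ID=$(boundary scopes create -scope-id=global -name="Infrastructure" -format json | json_field id)
  PROJECT_ID=$(boundary scopes create -scope-id="$ORG_ID" -name="Infrastructure-Project" -format json | json_field id)
  HC_ID=$(boundary host-catalogs create static -scope-id="$PROJECT_ID" -name="databases" -format json | json_field id)
  HS_ID=$(boundary host-sets create static -host-catalog-id="$HC_ID" -name="relational-dbs" -format json | json_field id)
  for addr in 10.0.1.20 10.0.1.21; do   # placeholders: private addresses the worker can route to
    H_ID=$(boundary hosts create static -host-catalog-id="$HC_ID" -name="db-$addr" -address="$addr" -format json | json_field id)
    boundary host-sets add-hosts -id="$HS_ID" -host="$H_ID" >/dev/null
  done
  TARGET_ID=$(boundary targets create tcp -scope-id="$PROJECT_ID" -name="relational-dbs" \
    -default-port=5432 -session-connection-limit=-1 -format json | json_field id)
  boundary targets add-host-sets -id="$TARGET_ID" -host-set="$HS_ID" >/dev/null
  require_prefix ttcp "$TARGET_ID"
  echo "$TARGET_ID"
}

# Step 18: a raw TCP session. Boundary listens locally and proxies through the
# worker, so the database client connects to 127.0.0.1:15432, never to the host.
connect_raw() {
  require_prefix ttcp "$1"
  boundary connect -target-id="$1" -listen-port=15432
}

# Step 19: for a target whose default port is 22, everything after -- goes to
# the ssh client untouched (user, key, options) while Boundary brokers the session.
connect_ssh() {
  require_prefix ttcp "$1"
  boundary connect ssh -target-id="$1" -- -l ubuntu -i "$HOME/.ssh/id_rsa" -o StrictHostKeyChecking=accept-new
}

if [ "${BOUNDARY_TUTORIAL_RUN:-0}" = "1" ]; then
  login
  TARGET_ID=$(build_access_path)
  echo "target: $TARGET_ID (step 17)"
  connect_raw "$TARGET_ID"
fi
```

After `BOUNDARY_TUTORIAL_RUN=1 sh access.sh`, point your database client at 127.0.0.1:15432 while the connect command is running; `connect_ssh <target-id>` shows the `--` pass-through from step 19 against an SSH target. On a machine without an OS keyring, add `-keyring-type=none` to the authenticate command and export the printed token as `BOUNDARY_TOKEN` so the later commands can find it.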

 

 

Now, remember, this article is not only for experts in the software space; newcomers can hop in and learn a lot too, which is why I try to explain everything in both layman's and professional terms. So if you have any questions, shoot, or reach out to us.


The road to setting up a Boundary environment and testing it is not for the faint of heart, but it is manageable if you follow the guide above. Brokered, identity-based access to your hosts is one of the better ways to become more secure and auditable, and a very good place to start. Once the setup is complete you can assure your customers, clients and stakeholders that access to their data is controlled, and you will have a foundation for the access-control part of your compliance work.