HashiCorp Boundary

Sym integrates with Boundary to provide a seamless solution for discovering Boundary resources, and providing users with temporary access.

Connect Sym with your AWS Secrets Manager

Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.

Create a System User in Boundary

We recommend that you create a dedicated Boundary user in the Global scope that will be granted permissions in every scope that contains resources you wish to access or manage with Sym.

Create an Account for the System User

In the Global scope, navigate to the "Auth Methods" tab. If you do not have a password auth method, then create one by clicking "Password" under the "New" dropdown menu.

In your password Auth Method, navigate to the "Accounts" tab, and create a new Account that will be used by your Sym integration system user. Click on "Manage > Create Account" in the top right corner.

Create an Account that will be used by your system user. We recommend using sym-integration as the Login Name, for clarity.

📘

Save your credentials!

Save the "Login Name" and "Password" in a secure location. These will be used to configure your sym_integration resource in a later step. You will also need the ID of the Auth Method this Account was created in.

Create a System User

In the Global scope, navigate to the Users tab and click "New User." Enter a unique name and description; we recommend using sym-integration as the name, for clarity and consistency with the Account's Login Name. Click "Save" to create the user.

After creating the user, click the "Accounts" tab and click "Add Accounts." Select the sym-integration account that was created in the previous step, and click "Add Accounts."

Assign Permissions to the System User in Boundary

Once your Boundary system user is created, you must assign it permissions in each scope that contains resources that you wish to manage or access with Sym. For ease of use, we recommend the following grants:

  • id=*;type=user;actions=list,read: To allow Sym permissions to list and read users in the scope. This allows Sym to dynamically map Sym Users to Boundary users at runtime.
  • id=*;type=group;actions=list,read: To allow Sym to list and read Boundary groups in the scope. This is required for the Boundary SDK methods boundary.list_groups and boundary.get_group, as well as the Boundary Access Strategy.
  • id=*;type=group;actions=add-members,remove-members: To allow Sym to add and remove members from Boundary groups in the scope. This is required for the Boundary Access Strategy.

Follow these steps in each scope you wish to access with Sym.

Create a Role in the Scope

In the "Roles" tab, select "New Role." Create a role that will be assigned to the sym-integration user. We recommend naming it sym-integration-permissions for clarity. Click "Save" to create the role.

Assign the Role to the System User

In the "Principals" tab, click "Add Principals," and select the system user that you created in the previous step. Click "Add Principals" to save the assignment.

Add Grants to the Role

Navigate to the "Grants" tab, and add the following grants:

  • id=*;type=user;actions=list,read
  • id=*;type=group;actions=list,read
  • id=*;type=group;actions=add-members,remove-members

📘

Make sure to add permissions for every scope!

You must repeat the above steps for every scope that contains resources that you wish to access with Sym (i.e. users and/or groups)!
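As an added example (not part of Sym's or Boundary's own documentation), the following offline Python check parses grant strings in the format shown above and reports, per scope, which of the three required grants are still missing from the role. The scope ids and grant lists are constructed sample data, and the matcher is a simplified local approximation of how Boundary evaluates grants, not Boundary's own evaluator.

```python
# Grants this guide asks you to add to the sym-integration-permissions role
# in every scope whose users or groups Sym should manage.
REQUIRED_GRANTS = [
    "id=*;type=user;actions=list,read",
    "id=*;type=group;actions=list,read",
    "id=*;type=group;actions=add-members,remove-members",
]

def parse_grant(grant: str) -> dict:
    """Split 'id=*;type=group;actions=list,read' into id, type and an action set."""
    fields = {}
    for part in grant.split(";"):
        key, sep, value = part.partition("=")
        if not key or not sep:
            raise ValueError(f"malformed grant segment: {part!r}")
        fields[key.strip()] = value.strip()
    if "actions" not in fields:
        raise ValueError(f"grant has no actions: {grant!r}")
    fields["actions"] = set(fields["actions"].split(","))
    for k in ("id", "type"):
        fields.setdefault(k, "*")
    return fields

def grant_covers(granted: dict, needed: dict) -> bool:
    """Simplified local matcher (not Boundary's evaluator): '*' satisfies anything."""
    id_ok = granted["id"] in ("*", needed["id"])
    type_ok = granted["type"] in ("*", needed["type"])
    actions_ok = "*" in granted["actions"] or needed["actions"] <= granted["actions"]
    return id_ok and type_ok and actions_ok

def missing_actions(role_grants, required=REQUIRED_GRANTS) -> list:
    """Required 'type:action' pairs no grant covers (actions are checked one at a time)."""
    granted = [parse_grant(g) for g in role_grants]
    missing = set()
    for req in required:
        needed = parse_grant(req)
        for action in needed["actions"]:
            single = {**needed, "actions": {action}}
            if not any(grant_covers(g, single) for g in granted):
                missing.add(f"{needed['type']}:{action}")
    return sorted(missing)

# Constructed sample: grants currently on the Sym role in two scopes.
SAMPLE_SCOPES = {
    "global": ["id=*;type=user;actions=list,read", "id=*;type=group;actions=*"],
    "o_example": ["id=*;type=user;actions=list,read", "id=*;type=group;actions=list,read"],
}

def audit_scopes(scopes: dict) -> dict:
    """Map each scope id to the grants still missing there (empty list = OK)."""
    return {scope: missing_actions(grants) for scope, grants in scopes.items()}
```

Running audit_scopes over real role grants exported from each scope gives a quick least-privilege sanity check before wiring the integration up.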

Share your Boundary Credentials with Sym

Follow the Share Secrets with the Sym Runtime tutorial to share your System User's "Login Name" and "Password" with Sym. We recommend using the JSON style secret to keep the login_name and password together when saving them in AWS Secrets.

{
  "login_name": "sym-integration",
  "password": "super-secret"
}
# Note: This example snippet shows only the Boundary specific resources.

resource "aws_secretsmanager_secret" "boundary_credentials" {
  name        = "sym/main/boundary-credentials"
  description = "Login name and password for Boundary System User"

  tags = {
    # This SymEnv tag is required and MUST match the SymEnv tag in the 
    # aws_iam_policy.secrets_manager_access in your `secrets.tf` file
    SymEnv = local.environment_name
  }
}

resource "sym_secret" "boundary_login_name" {
    # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
    source_id = sym_secrets.this.id
    path = aws_secretsmanager_secret.boundary_credentials.name

    settings = {
        json_key = "login_name"  # The key to the system user's login_name in your JSON secret
    }
}

resource "sym_secret" "boundary_password" {
    # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
    source_id = sym_secrets.this.id
    path = aws_secretsmanager_secret.boundary_credentials.name

    settings = {
        json_key = "password"  # The key to the system user's password in your JSON secret
    }
}

Add a Boundary Integration

Define a sym_integration resource with type = boundary. This integration will specify the Boundary login_name and password, and is necessary for the Boundary SDK methods and Access Strategy.

  • external_id: Your Boundary Cluster URL
  • auth_method_id: A required setting which must be set to the ID of the Auth Method the System User's Account was created in. It will look something like: ampw_abcdef. This ID can also be located in the "Auth Methods" tab in the Boundary Admin Console.
  • login_name_secret: A required setting which must be set to the ID of a sym_secret referencing your Boundary System User's Login Name.
  • password_secret: A required setting which must be set to the ID of a sym_secret referencing your Boundary System User's Password.

resource "sym_integration" "boundary" {
  type        = "boundary"
  name        = "boundary-integration"
  external_id = "https://6ce334e1-12345-abcde.boundary.hashicorp.cloud"

  settings = {
    auth_method_id = "ampw_abcdef"

    # These secrets were defined in the previous step
    login_name_secret = sym_secret.boundary_login_name.id
    password_secret   = sym_secret.boundary_password.id
  }
}

Next Steps

With your Boundary Integration configured, you can now: