HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Boundary
Boundary Home

Targets

A target is a resource that represents a networked service with an associated set of permissions a user can connect to and interact with through Boundary by way of a session. A target can only be defined within a project. A target can contain references to host sets from host catalogs which belong to the same project as the target. A target can contain references to credential libraries from credential stores which belong to the same project as the target. A target can contain an address which is used by a session to connect to a networked resource. A target cannot have an address and also reference host sources. A user must be assigned a role with the authorize-session permission for the target to establish a session with a networked resource by way of an address, or host in any host set referenced by the target.

Attributes

A target has the following configurable attributes:

  • name - (required) The name must be unique within the target's project.

  • description - (optional)

  • address - (optional) This value represents a network resource address and is used when establishing a session. It does not accept a port, only an IP address or DNS name.

  • default_client_port - (optional) Represents a local port that you want Boundary to listen to by default when someone initiates a session on the client.

  • egress_worker_filter - (optional) A boolean expression to filter which egress workers can handle sessions for this target. Egress worker filters determine which workers are used to access targets. You can configure an egress filter to enable multi-hop connections. If you do not configure an egress filter, then Boundary uses a single worker to connect to the controller.

  • ingress_worker_filter - (optional) HCP/ENT A boolean expression to filter which ingress workers can handle sessions for this target. Ingress worker filters determine which workers you connect with to initiate a session. If you do not configure an ingress filter, Boundary selects a front line worker for the session. A front line worker is any worker directly connected to the control plane; for HCP Boundary this will be an HCP worker.

  • session_connection_limit - (required) The cumulative number of connections allowed during a session. A -1 value means no limit. The default is -1. The value must be greater than 0 or exactly -1.

  • session_max_seconds - (required) The maximum duration of an individual session between the user and the target. All connections for a session are closed and the session is terminated when a session reaches the maximum duration. The default is 8 hours (28800 seconds). This value must be greater than 0.

TCP target attributes

TCP targets have the following additional attribute:

  • default_port - (required) The default port to set on this target.

SSH target attributes HCP/ENT

SSH targets can source username/password or SSH private key credentials from Vault credential libraries or static credentials. Boundary then injects credentials into the SSH session between a client and end host. This allows users to securely connect to remote hosts using SSH, while never being in possession of a valid credential for that target host.

SSH targets have the following additional attributes:

  • default_port - (optional) The default port to set on this target. If this is not specified the default port will be 22.

  • enable_session_recording - (optional) Set to true to enable session recordings for a target. If you enable session recording, the storage_bucket_id is required.

  • storage_bucket_id - (optional) Designates the storage bucket to be used for session recording. This attribute is required if you set enable_session_recording to true.

Referenced by

Service API docs

The following services are relevant to this resource:

Edit this page on GitHub