Search the Community

Before I automate the installation and configuration of a tool, I log into a virtual machine and run each command separately, eventually building a server with the correct configuration and packages. When I teach how to use tools like HashiCorp Vault and Consul on live streams, I encourage the use of manual commands to reinforce important concepts and build tacit knowledge when operating and using a tool. However, I also need a way to help my co-host learn the tools without making them depend too much on pre-existing knowledge of AWS and Terraform. I also need to automate their manual commands to set up for the next streaming episode. HashiCorp Boundary is a secure remote access solution that provides an easy way to allow access to applications and critical systems with fine-grained authorizations based on trusted identities. Boundary helps me grant temporary access to my co-host on a live stream without them needing to fully understand AWS or Terraform. In this post, I’ll show you how I use Boundary to grant temporary access to my co-host, record their manual commands on a live stream, and reconcile the commands into automation written in Terraform. At the end of the stream, I play back a session recording and use the configuration to automate the next episode. This workflow of making manual break-glass changes to an endpoint and reconciling the changes to automation applies to any automation you build. Grant temporary access to servers Break-glass changes involve granting temporary access to log in to a system to make emergency changes. When making a live video, I need to collaborate with my co-host, Melissa Gurney (Director of Community Development), and grant her temporary access to a set of virtual machines during the episode. I set up HashiCorp Cloud Platform (HCP) Boundary and create a self-managed Boundary worker to help proxy into EC2 instances on AWS. On the stream, Melissa uses Boundary Desktop to target a specific server without needing to download its SSH key or pass in a specific username. Prior to using Boundary, my co-host and I would share Amazon EC2 key pairs and label which ones logged into which instance. Now, Boundary automatically injects the SSH credentials from Vault. Melissa and I do not have direct access to the SSH keys, which further secures our environment and reduces the burden of downloading the keys for each EC2 instance. Some episodes require us to configure multiple servers. To help with this, I create a host set to logically group a set of Vault servers in Boundary, as they share a common function. Melissa selects which Vault server to configure based on the list of hosts. Sharing a screen on live video has its own security concerns. While we try to avoid showing root credentials in plaintext, we have to run commands that generate tokens and keys that we cannot easily mask. To mitigate the risk of exposing these credentials, I use Boundary to close Melissa’s sessions to each server at the end of each episode. Then, I use Terraform to create a new set of servers after each episode to revoke any tokens or keys. Reconcile manual commands into automation During the live stream, Melissa logs into different servers and runs several commands to configure a Vault server. Prior to using Boundary, my previous co-hosts and I had to remember to copy the history of commands off each server we configured in the episode. We would replay the entire two-hour episode to reverse engineer the history by putting the proper configuration and commands into a script. Now, I set up Boundary session recording to record each command Melissa runs on the server during the live stream. After the live stream, I find the session recording in Boundary and replay the commands. I directly copy the configuration into my automation for the next episode. For example, Melissa and I manually built a Vault server on one virtual machine instance. After the stream, I found the recording of the session on the Vault server. By reviewing the recording, I could copy a working Vault configuration and update it in the user data script for the EC2 instance. Even though manual commands require some editing for automation, I can quickly copy a tested sequence of commands and configuration and apply minor updates for automation. These updates include refactoring manual commands and configurations with hard coded IP addresses or EC2 instance identifiers to use templated or dynamically generated values. Learn more By granting temporary access to my co-host during the live stream and recording their manual commands with Boundary, I can track changes across multiple servers and replay them for future automation. Prior to using Boundary, I spent hours reviewing the episode and reconstructing the configuration we typed on stream. Now, it takes less than an hour to copy the configuration and refactor it for automation. As an additional benefit, I can always return to the session recording and verify the manual commands in case I need to build new automation. The workflow I use for live streams applies to reconstructing any break-glass change you make to production. By using Boundary to control SSH access to servers in production, you can offer on-demand, time-limited access during break-glass changes. Rather than reverse engineer your commands, you can use a session recording to more efficiently copy your changes into automation after you stabilize the system. To learn more, sign up for HCP Boundary and get started with Boundary session recording. Review our tutorial to enable it on your own Boundary cluster and configure SSH credential injection from Vault. To get a live demonstration of how we use Boundary, tune into our video series for Getting into Vault and check out the repository we use for setting up each episode. View the full article

We are pleased to announce the release of HashiCorp Boundary 0.15, which adds session recording storage policies (HCP Plus/Enterprise) and desktop/CLI client improvements like search and filtering. Boundary is a modern privileged access management (PAM) solution that was designed for and thrives in dynamic environments. Boundary streamlines end user access to infrastructure resources without exposing credentials or internal network topologies. Recent initiatives were aimed to improve governance and useability. As a result, previous releases included features like SSH session recording and an embedded terminal in the desktop client. We continue this effort in our latest 0.15 release and are excited for users to try it out themselves. Session recording storage policies (HCP Plus/Enterprise) Introduced in Boundary 0.13, SSH session recording helped organizations meet their compliance objectives by recording detailed end user activities and commands. Those SSH session recordings are then stored in the organization’s designated Amazon S3 buckets. Boundary 0.15 improves storage governance by allowing administrators to set retention and deletion policies for session recordings. This helps ensure that recordings are available and accessible for the desired retention period, ensuring that teams can meet various regulatory requirements. This feature also helps reduce management and storage costs by automatically deleting recordings at the designated time and date. Improvements to the Boundary Desktop/CLI client Boundary 0.15 improvements include search and filtering capabilities, session time indicators, and support for ARM64 architectures. Search and filtering Recent improvements to the Boundary Desktop client have dramatically simplified the end user experience. However, at a large scale, some end users may be authorized to connect to tens or hundreds of target resources. This makes it difficult to locate a specific target in a long list. Similarly, finding a specific session among tens or hundreds of active sessions can also be challenging. The desktop and CLI client in Boundary 0.15 includes new search and filter capabilities to help users locate their desired targets and sessions. Users simply search for the full or partial names or IDs of the desired target and can further narrow down the results by filtering out the scopes or session states (active, pending, or terminated). Larger result sets are paginated for improved search performance. We expect this subtle addition to noticeably improve the user experience and reduce the time it takes to locate and connect to a target. Session time indicator Our goal with Boundary Desktop is to centralize the experience of connecting to any resource on your network, for any type of user. Upon establishing a session, end users often can’t tell how long their sessions will last. That information has now been added in version 1.8 of the Boundary Desktop client. A time-remaining helper now appears at the top of the session, giving users a sense of how long their session will be valid for. This also paves the way for future features, such as approvals and session renewals. Support for ARM64 architectures Prior to this release, Boundary did not support Darwin ARM64/Apple silicon builds. Version 1.8 of the Boundary Desktop client, adds support for ARM64 architectures. Download the Boundary Desktop client here. Minor improvements and bug fixes We have also made various minor improvements and addressed bugs uncovered since the latest release. Improvements include grant scopes for roles and new commands for the CLI which simplify and reduce the required sub-commands. For more information, please view the changelog. Get started with Boundary 0.15 We are excited for users to try the new governance and usability features available in Boundary 0.15. Administrators can deploy a HashiCorp-managed Boundary cluster using the HashiCorp Cloud Platform (HCP) or a self-managed Boundary cluster using Boundary’s Community or Enterprise versions. Check out these resources to get started: Sign up for a free HCP Boundary account. For self-managed versions, download Boundary 0.15. Download the free Boundary Desktop client. Watch this Getting Started with HCP Boundary demo video. Get up and running quickly with our Get Started with HCP Boundary tutorial. Read the documentation for storage policies and Boundary CLI search functions. To request a Boundary Enterprise trial, contact HashiCorp sales. View the full article

We are pleased to announce the release of HashiCorp Boundary 0.8 and the release of Boundary Desktop 1.4.3. Boundary provides identity-based secure remote access for dynamic infrastructure. This release includes a number of key features and improvements since the release of Boundary 0.7 in November, including: New health monitoring observability metrics: Prometheus metrics can now be used to monitor the health of workers and controllers. Event logs: Initially added in Boundary 0.5 and expanded in Boundary 0.8 , this feature provides a full log of all events that occur on the Boundary client. Support for worker tags in the admin UI: Users can now set and edit worker tag filters in the Boundary admin console, allowing them to specify which workers are allowed to handle a session. With this release, security admins can better understand and monitor their organization’s use of Boundary and infrastructure access. View the full article Grafana dashboard using Prometheus metrics

We are pleased to announce HashiCorp Boundary, a new open source project that enables practitioners and operators to securely access dynamic hosts and services with fine-grained authorization without requiring direct network access... View the full article

Over 10,000 people watched our third annual global HashiTalks livestream — our first HashiTalks livestream that spanned 48 hours instead of the usual 24. Why 48 hours this time? We were so impressed by the extremely high number of quality talk submissions that we decided to expand the number we accepted this year and expand our hours accordingly. All of the HashiTalks 2021 livestream footage is available on YouTube, but we also made clips for some of the individual talks and have posted them in the HashiCorp Resource Library with full abstracts for each talk along with slides for some. Today we wanted to highlight a few of those talks. In this first HashiTalks 2021 highlights blog, we’re sharing a handful of talks about our oldest open source tools, HashiCorp Vagrant and Packer, and our newest projects, HashiCorp Boundary and Waypoint, as well as a few product-agnostic talks. Across all of these topics, the community had plenty of great new use cases and demos to share. More talks will be added to this blog next week. »Boundary Deploying Boundary in Azure with Terraform HashiCorp Ambassador Ned Bellavance has built a reference architecture for deploying Boundary on Microsoft Azure for secure session management. Using Boundary for Identity-Based Multi-Cloud Access Another HashiCorp Ambassador, Jacob Mammoliti, shows how Boundary can be deployed in a multi- or hybrid cloud environment and how it can be leveraged by users to access infrastructure across different clouds with secure access via fine-grained permissions. Jacob has spoken at each of the last three worldwide HashiTalks. »Packer The Packer Plugin Repository, What’s init? Wilken Rivera, a HashiCorp software engineer on the Packer team, walks through two of the major changes in the new Packer 1.7 release: A new plugin repository and the packer init command. »Vagrant Getting your Python Development Environment Ready with Vagrant Mario García will show you how to configure Python-based development environments with Vagrant. »Waypoint Building and Deploying Applications to Kubernetes with GitLab and Waypoint A second talk by HashiCorp Ambassador Jacob Mammoliti walks through setting up a GitLab CI/CD pipeline to automatically build, deploy, and release an application to GKE with Waypoint. I Just Want to Ship My Code. Waypoint, Nomad, and Other Things. HashiCorp software engineer Michael Lange will showcase three demos of the build, deploy, release workflow for a Node.js website using Kubernetes and Docker, Nomad and Docker, and Nomad and raw binaries — all with a Waypoint workflow. »Product-Agnostic Chaos, Creativity, and Cookies Andrew VanLoo shares some thought-provoking tips about information theory and how it can help you be a better software engineer. Measuring DevOps Success with Pipeline Analytics Chris Riley teaches you how to build a strategy for measuring DevOps, and using tools like DORA and Flow metrics as KPIs for success. The Hardest Part of Operating a Service Mesh: Envoy Proxy Christian Posta shares his observability, debugging, and tuning lessons for working with Envoy proxy. »More Highlights These were about half of the total HashiTalks that covered Boundary, Packer, Vagrant, or Waypoint topics. To find all of the talks, go to the HashiTalks schedule page to locate the time of day for any other talks you want to see. Then head over to our livestream recordings on YouTube: HashiTalks 2021: Day 1 HashiTalks 2021: Day 2 In the coming weeks, we'll post highlight roundup blogs for HashiTalk sessions covering our other products, HashiCorp Nomad, Consul, Vault, and Terraform. View the full article

We built HashiCorp Boundary to make it simple to grant and maintain access to infrastructure. Today, developers, operators, and security teams struggle to maintain access controls for on-premises and cloud infrastructure. Even though the systems these teams interact with are more automated and extensible than ever, granting a human access to a VM, a database, a container, or any remote system is still difficult at scale... View the full article