HashiCorp Boundary provides identity-based access management for dynamic infrastructure. Instead of VPNs and SSH bastion hosts, Boundary lets users connect to targets through an authenticated, auditable API.
Free and open source. No license key for the community edition.
Why Use the Boundary API?
- Replace VPNs — connect to databases, servers, and K8s clusters without a VPN
- Audit every session — every connection is logged with user identity
- Dynamic targets — automatically discover hosts from cloud providers
- Programmatic access — automate user/group/target management via REST API
Quick Setup
1. Start Boundary Dev Server
```bash
boundary dev
# Starts on http://127.0.0.1:9200
# Default login: admin / password
# Dev mode is for local testing only: plain HTTP and well-known default credentials
```
2. Authenticate
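```bash
export BOUNDARY_ADDR="http://127.0.0.1:9200"

# Get auth token
# Outside dev mode, keep the password off the command line (shell history, process list):
# omit -password to be prompted, or pass it as env://VAR_NAME
boundary authenticate password \
  -auth-method-id ampw_1234567890 \
  -login-name admin \
  -password password

# Or via API (jq -r prints the token without surrounding quotes)
curl -s -X POST "$BOUNDARY_ADDR/v1/auth-methods/ampw_1234567890:authenticate" \
  -H "Content-Type: application/json" \
  -d '{"attributes":{"login_name":"admin","password":"password"}}' | jq -r '.attributes.token'
```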
3. List Targets
```bash
TOKEN="your-auth-token"
curl -s -H "Authorization: Bearer $TOKEN" \
  "$BOUNDARY_ADDR/v1/targets?scope_id=p_1234567890" \
  | jq '.items[] | {id: .id, name: .name, type: .type, address: .address}'
```
4. Create a New Target
```bash
curl -s -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  "$BOUNDARY_ADDR/v1/targets" \
  -d '{"scope_id":"p_1234567890","type":"tcp","name":"prod-database","attributes":{"default_port":5432},"address":"db.internal.example.com"}'
```
5. Connect to a Target
```bash
boundary connect -target-id ttcp_xxxxx
# Opens a local proxy — connect your client to localhost:port

# For SSH targets:
boundary connect ssh -target-id ttcp_xxxxx -- -l ubuntu
```
Python Example
```python
import requests

BOUNDARY = "http://127.0.0.1:9200"

# Authenticate (dev-mode auth method ID and credentials)
resp = requests.post(
    f"{BOUNDARY}/v1/auth-methods/ampw_1234567890:authenticate",
    json={"attributes": {"login_name": "admin", "password": "password"}},
    timeout=10,
)
resp.raise_for_status()  # stop on a failed login instead of a KeyError below
token = resp.json()["attributes"]["token"]
headers = {"Authorization": f"Bearer {token}"}

# List all scopes
scopes = requests.get(f"{BOUNDARY}/v1/scopes", headers=headers, timeout=10).json()
for s in scopes.get("items", []):
    print(f"Scope: {s.get('name', '')} ({s['id']}) | Type: {s['type']}")

# List targets
targets = requests.get(
    f"{BOUNDARY}/v1/targets",
    params={"scope_id": "p_1234567890"},
    headers=headers,
    timeout=10,
).json()
for t in targets.get("items", []):
    port = t.get("attributes", {}).get("default_port", "N/A")
    print(f"Target: {t.get('name', '')} | Type: {t['type']} | Port: {port}")
```
Key Endpoints
| Use Case | Endpoint | Method |
|---|---|---|
| Authenticate | /v1/auth-methods/{id}:authenticate | POST |
| List scopes | /v1/scopes | GET |
| List targets | /v1/targets | GET |
| Create target | /v1/targets | POST |
| List sessions | /v1/sessions | GET |
| List users | /v1/users | GET |
| Authorize session | /v1/targets/{id}:authorize-session | POST |
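
As an added example (not code from the original post), the check below turns the `/v1/sessions` listing from the table into a review of live sessions: it flags sessions against targets outside an approved list and sessions that have stayed open past a limit. The response body is a constructed sample, and the field names and status values (`status`, `user_id`, `target_id`, `created_time`; `pending`/`active`) are assumptions about the session resource that should be checked against the deployed version.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a GET /v1/sessions response body (not real data).
SAMPLE = json.loads("""
{"items": [
  {"id": "s_aaaa000001", "user_id": "u_alice00001", "target_id": "ttcp_db00000001",
   "status": "active", "created_time": "2024-05-01T08:00:00Z"},
  {"id": "s_aaaa000002", "user_id": "u_bob0000001", "target_id": "ttcp_db00000001",
   "status": "terminated", "created_time": "2024-05-01T09:00:00Z"},
  {"id": "s_aaaa000003", "user_id": "u_bob0000001", "target_id": "ttcp_unknown001",
   "status": "active", "created_time": "2024-05-01T11:30:00Z"},
  {"id": "s_aaaa000004", "user_id": "u_alice00001", "target_id": "ttcp_db00000001",
   "status": "pending"}
]}
""")

LIVE = {"pending", "active"}  # assumed status values for sessions not yet ended


def parse_time(value):
    """Parse an RFC 3339 timestamp; return None if missing or malformed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None


def review_sessions(items, now, max_age, approved_targets):
    """Return (session_id, user_id, reason) findings for live sessions."""
    findings = []
    for s in items:
        if s.get("status") not in LIVE:
            continue  # ended sessions are history, not current exposure
        sid, user = s.get("id", "?"), s.get("user_id", "?")
        if s.get("target_id") not in approved_targets:
            findings.append((sid, user, "target not in approved list"))
        created = parse_time(s.get("created_time"))
        if created is None:
            findings.append((sid, user, "missing or bad created_time"))
        elif now - created > max_age:
            findings.append((sid, user, "live longer than max_age"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for f in review_sessions(SAMPLE["items"], now, timedelta(hours=2), {"ttcp_db00000001"}):
        print(*f, sep=" | ")
```
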
Tips
- Community edition is fully open source (MPL 2.0)
- HCP Boundary (hosted version) has a free tier
- Built-in credential injection — no more shared passwords
- Integrates with Vault for dynamic credentials