Alex Spinov

HashiCorp Boundary Has a Free API: Zero-Trust Access for Your Infrastructure

What is Boundary?

HashiCorp Boundary is an open-source identity-aware proxy that provides secure remote access to your infrastructure without VPNs. Instead of managing SSH keys, VPN certificates, and firewall rules, Boundary authenticates users through identity providers and grants just-in-time access to specific resources.

Why Boundary Over VPNs?

  • No VPN needed — users connect directly to resources through Boundary
  • Identity-based access — authenticate with Okta, Azure AD, LDAP — not SSH keys
  • Just-in-time credentials — dynamic credentials that expire automatically
  • Session recording — audit every connection for compliance
  • Zero Trust — users only see resources they are authorized to access

Architecture

┌──────────┐     ┌───────────────┐     ┌──────────────┐
│  User    │────▶│  Boundary     │────▶│  Target      │
│ (browser │     │  Controller   │     │  (database,  │
│  or CLI) │     │  + Worker     │     │   server,    │
│          │     │               │     │   K8s pod)   │
└──────────┘     └───────────────┘     └──────────────┘
                       │
                  ┌────┴────┐
                  │ Identity│
                  │ Provider│
                  │ (Okta,  │
                  │ Azure)  │
                  └─────────┘

Quick Start

# Install Boundary
brew install boundary  # or download from boundaryproject.io

# Start dev server
boundary dev

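# Authenticate against the dev server
# Omitting -password makes the CLI prompt for it, which keeps the password
# out of shell history (the dev server's default admin password is "password")
boundary authenticate password \
  -login-name admin \
  -auth-method-id ampw_1234567890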

Configure Targets

# Create a TCP target for the PostgreSQL server
# -session-connection-limit -1 allows unlimited connections per session
boundary targets create tcp \
  -name "production-db" \
  -description "Production PostgreSQL" \
  -default-port 5432 \
  -scope-id p_1234567890 \
  -session-connection-limit -1

# Add host to target
boundary hosts create static \
  -name "db-primary" \
  -address "10.0.1.50" \
  -host-catalog-id hcst_1234567890

boundary host-sets add-hosts \
  -id hsst_1234567890 \
  -host hst_1234567890

boundary targets add-host-sources \
  -id ttcp_1234567890 \
  -host-source hsst_1234567890

Connect to Resources

# Connect via Boundary — no SSH key needed!
boundary connect ssh -target-id ttcp_1234567890

# Connect to a database
boundary connect postgres -target-id ttcp_db123 -dbname myapp

# Connect with kubectl
boundary connect kube -target-id ttcp_k8s123

Terraform Integration

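# boundary_scope.org, boundary_host_set_static.db_hosts and
# boundary_credential_library_vault.db_creds are assumed to be defined elsewhere
resource "boundary_scope" "project" {
  name        = "production"
  description = "Production infrastructure"
  scope_id    = boundary_scope.org.id
}

resource "boundary_target" "database" {
  name         = "prod-postgres"
  type         = "tcp"
  default_port = 5432
  scope_id     = boundary_scope.project.id

  host_source_ids = [
    boundary_host_set_static.db_hosts.id
  ]

  # A tcp target uses brokered credentials (handed to the client per session);
  # credential injection applies to ssh-type targets
  brokered_credential_source_ids = [
    boundary_credential_library_vault.db_creds.id
  ]
}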
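
A review check for the target settings used above, as an added example (not code from the original post or from HashiCorp). It flags targets with an unlimited connection limit (-1, as in the production-db command), long session lifetimes, or no credential source. The JSON shape, the field names, the 8-hour ceiling and the sample IDs are assumptions constructed for illustration.

```python
import json

# Constructed sample in the assumed shape of `boundary targets list -format json`
# (field names assumed from the Boundary targets API; IDs are placeholders).
SAMPLE = json.loads("""
{"items": [
  {"id": "ttcp_1234567890", "name": "production-db", "type": "tcp",
   "session_connection_limit": -1, "session_max_seconds": 28800,
   "host_source_ids": ["hsst_1234567890"]},
  {"id": "ttcp_db123", "name": "prod-postgres", "type": "tcp",
   "session_connection_limit": 1, "session_max_seconds": 3600,
   "host_source_ids": ["hsst_1234567890"],
   "brokered_credential_source_ids": ["clvlt_1234567890"]},
  {"id": "ttcp_k8s123", "name": "k8s-api", "type": "tcp",
   "session_connection_limit": 5, "session_max_seconds": 86400}
]}
""")

MAX_SESSION_SECONDS = 8 * 3600  # hypothetical policy ceiling, not a Boundary value


def audit_target(t, max_seconds=MAX_SESSION_SECONDS):
    """Return a list of findings for one target dict."""
    findings = []
    limit = t.get("session_connection_limit")
    if limit is not None and limit < 0:
        findings.append("unlimited connections per session")
    if t.get("session_max_seconds", 0) > max_seconds:
        findings.append("session lifetime exceeds policy")
    creds = (t.get("brokered_credential_source_ids") or []) + \
            (t.get("injected_application_credential_source_ids") or [])
    if not creds:
        findings.append("no credential source: users supply their own credentials")
    if not t.get("host_source_ids") and not t.get("address"):
        findings.append("no host source or address")
    return findings


def audit(listing):
    """Map target id -> findings, omitting targets with none."""
    results = {t["id"]: audit_target(t) for t in listing.get("items") or []}
    return {tid: f for tid, f in results.items() if f}


if __name__ == "__main__":
    for tid, found in audit(SAMPLE).items():
        print(tid, "; ".join(found))
```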

Boundary vs Alternatives

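| Feature             | Boundary    | VPN         | SSH Bastion | Teleport |
|---------------------|-------------|-------------|-------------|----------|
| Identity-based      | Yes         | Certificate | Key-based   | Yes      |
| No VPN client       | Yes         | No          | Yes         | Yes      |
| Dynamic credentials | Yes (Vault) | No          | No          | Yes      |
| Session recording   | Yes         | No          | Script      | Yes      |
| Multi-cloud         | Yes         | Complex     | Manual      | Yes      |
| Open source         | Yes         | Varies      | Yes         | Yes      |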

Real-World Impact

A healthcare company had 200+ SSH keys scattered across team laptops. When an engineer left, revoking access took days and sometimes keys were missed — a HIPAA nightmare. With Boundary: access tied to Azure AD, automatic deprovisioning when accounts are disabled, full session recording for auditors. Zero keys to manage.

