HashiCorp Boundary Integration

Integrate SSH-KLM with HashiCorp Boundary for zero-trust network access.

HashiCorp Boundary provides identity-based access to infrastructure. SSH-KLM enhances Boundary by:

  • Managing SSH keys on target hosts
  • Providing key inventory visibility
  • Rotating keys on Boundary-managed targets

┌─────────────────────────────────────────────────────────────┐
│                            User                             │
└──────────────────────────┬──────────────────────────────────┘
┌──────────────────────────▼──────────────────────────────────┐
│                     Boundary Controller                     │
│              (Authentication & Authorization)               │
└──────────────────────────┬──────────────────────────────────┘
┌──────────────────────────▼──────────────────────────────────┐
│                       Boundary Worker                       │
│                 (Session Proxy & Recording)                 │
└──────────────────────────┬──────────────────────────────────┘
┌──────────────────────────▼──────────────────────────────────┐
│                         Target Host                         │
│                  (SSH-KLM Agent Installed)                  │
└─────────────────────────────────────────────────────────────┘

# SSH-KLM integration config
integrations:
  boundary:
    enabled: true
    controllerUrl: "https://boundary.example.com"
    # Authentication
    authMethod: token
    token: ${BOUNDARY_TOKEN}
    # Sync settings
    syncInterval: 5m
    importTargets: true
    scopeId: "o_1234567890"

// Sync targets from Boundary
await client.integrations.boundary.sync();

// List imported targets
const hosts = await client.ssh.listHosts({
  source: 'boundary'
});

SSH-KLM can inject ephemeral credentials into Boundary sessions:

// Configure credential injection
await client.integrations.boundary.configureCredentials({
  targetId: 'tssh_1234567890',
  credentialType: 'ephemeral',
  ttl: 300
});

// Rotate keys on Boundary-managed hosts
await client.ssh.rotateKey({
  keyId: 'KEY-boundary-target-01',
  // SSH-KLM connects through Boundary
  viaBoundary: true
});
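
The following check is an added example, not part of SSH-KLM or its SDK: it lints an already-parsed copy of the integration config and the credential-injection settings shown above before they are deployed, with the page's values beside a deliberately weak variant. The function name `auditBoundaryConfig`, the rule set, the `MAX_TTL` ceiling and the weak sample values are assumptions of this example.

```javascript
// Added example: lint an already-parsed SSH-KLM Boundary integration config.
// The rule set and MAX_TTL are assumptions of this example, not SSH-KLM defaults.
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;   // e.g. ${BOUNDARY_TOKEN}
const SCOPE_ID = /^(global|[op]_[A-Za-z0-9]{10})$/; // Boundary scope ID shapes
const MAX_TTL = 900; // hypothetical ceiling, in the same unit as the page's `ttl`

function auditBoundaryConfig(config, credential) {
  const b = (config.integrations || {}).boundary;
  if (!b || b.enabled !== true) return ['boundary integration is not enabled'];
  const findings = [];
  // The token is presented to the controller, so the URL must use TLS.
  let url = null;
  try { url = new URL(b.controllerUrl); } catch (_) { /* reported below */ }
  if (!url || url.protocol !== 'https:') {
    findings.push('controllerUrl must be an https:// URL');
  }
  // A literal token in the file leaks through version control and backups.
  if (b.authMethod === 'token' && !ENV_REF.test(String(b.token || ''))) {
    findings.push('token must be an environment reference, e.g. ${BOUNDARY_TOKEN}');
  }
  if (!SCOPE_ID.test(String(b.scopeId || ''))) {
    findings.push('scopeId is not a well-formed Boundary scope ID');
  }
  if (credential) {
    if (credential.credentialType !== 'ephemeral') {
      findings.push('credentialType should be ephemeral');
    }
    const ttl = credential.ttl;
    if (!Number.isInteger(ttl) || ttl <= 0 || ttl > MAX_TTL) {
      findings.push(`ttl must be an integer between 1 and ${MAX_TTL}`);
    }
  }
  return findings;
}

// Constructed inputs: the page's values, then a deliberately weak variant.
const pageConfig = { integrations: { boundary: {
  enabled: true, controllerUrl: 'https://boundary.example.com',
  authMethod: 'token', token: '${BOUNDARY_TOKEN}',
  syncInterval: '5m', importTargets: true, scopeId: 'o_1234567890' } } };
const weakConfig = { integrations: { boundary: {
  ...pageConfig.integrations.boundary,
  controllerUrl: 'http://boundary.example.com',
  token: 'constructed-literal-token', scopeId: 'my-scope' } } };
const pageCredential = { targetId: 'tssh_1234567890', credentialType: 'ephemeral', ttl: 300 };
const weakCredential = { targetId: 'tssh_1234567890', credentialType: 'static', ttl: 86400 };
console.log(auditBoundaryConfig(pageConfig, pageCredential)); // []
console.log(auditBoundaryConfig(weakConfig, weakCredential));
```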

Forward SSH-KLM events to Boundary:

integrations:
  boundary:
    events:
      enabled: true
      forwardTo: boundary
      eventTypes:
        - key.rotated
        - key.discovered
        - access.granted