»Manage Roles and Permissions

Roles in Boundary manage the permissions given to principals (Users/Groups). Roles can be defined at the global, org, or project scopes.

In this example we show how to create a role in Boundary, assign grants to that role, and assign principals to the role.

Note that all resource IDs in this example are for illustration only: IDs are uniquely generated for every resource on creation, the only exception being the resources generated in dev mode. Make sure to use the resource IDs produced when you run this example yourself. For example, if you run boundary roles create, use the role ID printed to stdout, not the ID shown in the example command.

»Create a Role

Roles can live in the global, org, or project scopes. In this example we will create a role in the generated org scope in dev mode.

$ boundary roles create -scope-id o_1234567890 -name my_role -description "My first role"

Role information:
  Created Time:        Fri, 09 Oct 2020 14:19:22 PDT
  Description:         My first role
  Grant Scope ID:      o_1234567890
  ID:                  r_kHY8tQteXr
  Name:                my_role
  Updated Time:        Fri, 09 Oct 2020 14:19:22 PDT
  Version:             1

  Scope:
    ID:                o_1234567890
    Name:              Generated org scope
    Parent Scope ID:   global
    Type:              org

»Assign Principals to a Role

Users and groups are granted permissions to perform actions by assigning them to a role.

$ boundary roles add-principals -id $role_id -principal $principal_id

Role information:
  Created Time:        Fri, 09 Oct 2020 14:45:47 PDT
  Description:         My first role
  Grant Scope ID:      o_1234567890
  ID:                  r_CqEl81Io1C
  Name:                test
  Updated Time:        Fri, 09 Oct 2020 16:31:39 PDT
  Version:             2

  Scope:
    ID:                o_1234567890
    Name:              Generated org scope
    Parent Scope ID:   global
    Type:              org

  Principals:
    ID:             u_gAv6YgVtVs
      Type:         user
      Scope ID:     o_1234567890

»Assign Grants to a Role

Grants describe the actions that the principals should be allowed to perform. For more information on how to format grants, see Permission Grant Formats. In this example we give a role read and list permissions to all resources.

$ boundary roles add-grants -id $role_id -grant 'id=*;type=*;actions=no-op,list'

Role information:
  Created Time:        Fri, 09 Oct 2020 14:45:47 PDT
  Description:         My first role
  Grant Scope ID:      o_1234567890
  ID:                  r_CqEl81Io1C
  Name:                test
  Updated Time:        Fri, 09 Oct 2020 17:15:47 PDT
  Version:             3

  Scope:
    ID:                o_1234567890
    Name:              Generated org scope
    Parent Scope ID:   global
    Type:              org

  Principals:
    ID:             u_gAv6YgVtVs
      Type:         user
      Scope ID:     o_1234567890

  Canonical Grants:
    id=*;type=*;actions=list,no-op
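
The three steps above (a role in a scope, its principals, its grant strings) and the canonical form Boundary prints for a grant can be reasoned about offline. The following is an added example, not Boundary's own code: it parses grant strings in the id=...;type=...;actions=... form shown on this page, canonicalizes them (actions sorted, consistent with no-op,list being printed as list,no-op above; that general rule is an assumption), and evaluates whether a principal assigned to a role may perform an action on a resource. The evaluator is a simplified model written for illustration: it treats no-op as a marker that confers no capability, which is how Boundary documents that action and why the grant above lets a user list resources without reading them, but it ignores scopes, output fields and other rules of the real implementation. The role, user and scope IDs are the ones printed on this page; the target ID is constructed.

```python
"""Parse, canonicalize and evaluate Boundary-style grant strings.

Added example, not Boundary's own code. Canonical ordering and the
evaluation rules are a simplified model (see the lead-in); scopes are
not modelled.
"""
from dataclasses import dataclass, field
from typing import Iterable

WILDCARD = "*"
NO_OP = "no-op"  # marker action: confers no capability on its own


@dataclass(frozen=True)
class Grant:
    resource_id: str        # "*" or a specific ID such as r_kHY8tQteXr
    resource_type: str      # "*" or a resource type such as "role"
    actions: frozenset      # e.g. frozenset({"list", "no-op"})

    def canonical(self) -> str:
        return (f"id={self.resource_id};type={self.resource_type};"
                f"actions={','.join(sorted(self.actions))}")


def parse_grant(grant: str) -> Grant:
    """Parse 'id=*;type=*;actions=no-op,list'. Raises ValueError on malformed input."""
    fields: dict = {}
    for segment in grant.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in ("id", "type", "actions") or not value:
            raise ValueError(f"bad grant segment: {segment!r}")
        if key in fields:
            raise ValueError(f"duplicate grant segment: {key!r}")
        fields[key] = value
    if "actions" not in fields:
        raise ValueError("grant must list at least one action")
    actions = frozenset(a.strip() for a in fields["actions"].split(",") if a.strip())
    if not actions:
        raise ValueError("grant must list at least one action")
    # A missing id or type is treated as a wildcard in this model (assumption).
    return Grant(fields.get("id", WILDCARD), fields.get("type", WILDCARD), actions)


def canonicalize(grant: str) -> str:
    """Return the grant in canonical form, e.g. actions sorted alphabetically."""
    return parse_grant(grant).canonical()


@dataclass
class Role:
    """What the CLI steps on this page build: a role in a scope, its
    principals (users/groups) and its grant strings."""
    id: str
    scope_id: str
    principal_ids: set = field(default_factory=set)
    grants: list = field(default_factory=list)


def is_allowed(grants: Iterable[str], resource_id: str, resource_type: str, action: str) -> bool:
    """True if any grant matches the resource and names the action (or '*').

    'no-op' is never a permitted action: it only marks a resource as eligible
    for listing, so 'actions=no-op,list' allows list but not read.
    """
    if action == NO_OP:
        return False
    for g in map(parse_grant, grants):
        if g.resource_id not in (WILDCARD, resource_id):
            continue
        if g.resource_type not in (WILDCARD, resource_type):
            continue
        if WILDCARD in g.actions or action in g.actions:
            return True
    return False


def principal_can(roles: Iterable[Role], principal_id: str,
                  resource_id: str, resource_type: str, action: str) -> bool:
    """Union the grants of every role the principal belongs to, then evaluate."""
    grants = [g for r in roles if principal_id in r.principal_ids for g in r.grants]
    return is_allowed(grants, resource_id, resource_type, action)


if __name__ == "__main__":
    # Role, scope and user IDs are the ones printed on this page; the target ID is constructed.
    role = Role("r_CqEl81Io1C", "o_1234567890")
    role.principal_ids.add("u_gAv6YgVtVs")                 # boundary roles add-principals
    role.grants.append("id=*;type=*;actions=no-op,list")  # boundary roles add-grants
    print(canonicalize(role.grants[0]))
    print(principal_can([role], "u_gAv6YgVtVs", "ttcp_example", "target", "list"))
    print(principal_can([role], "u_gAv6YgVtVs", "ttcp_example", "target", "read"))
```

Running the block shows the canonical string from the output above and that the user can list but not read targets, which is the least-privilege point worth checking before widening a grant: a role that is meant to be read-only should say actions=read,list, and a role that only needs to enumerate resources should stop at no-op,list.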
