
»Manage Scopes

Scopes are a foundational part of Boundary. They allow users to partition resources and assign ownership of resources to principals. There are three types of scopes within Boundary:

  1. Global (global)
  2. Org
  3. Project

These are in a hierarchy:

  • There is exactly one global scope. It is meant as the entry point for initial administration/setup and to manage org scopes.
  • Under the global scope there can be many org scopes. These are used to hold IAM-related resources and project scopes.
  • Under each org scope can be many project scopes. These are used to hold infrastructure-related resources.

Some resources can only be associated with a specific level of scope. As an example, Targets can only be contained within a project scope. Other resources can be contained by multiple scopes. For example, users can be created within the global scope or an org-level scope. See the domain model for detailed resource-specific information.

In this example, we're going to create two scopes, an org and a project.

All resource IDs in this example are for illustration only. IDs are uniquely generated for every resource upon creation, with the exception of generated resources in dev mode. Make sure to use the resource IDs that are generated when you run this example. For example, if you run boundary users create, use the resource ID of the user shown in stdout, not the ID in the example command.

»Create an Org

In this example, we're going to create an org, which lives in the global scope.

The CLI and UI default to creating certain administrative roles automatically when a scope is created, so that the user who created the scope can immediately manage it. The Terraform provider defaults to skipping creation of those roles so that resources are not created outside of Terraform's purview. To simplify this example, we are telling Terraform to allow these roles to be created in both this section and in the next section where we create a project scope.

$ boundary scopes create -scope-id global -name my_org -description 'My first org'

Scope information:
  Created Time:        Tue, 29 Sep 2020 05:48:22 PDT
  Description:         My first org
  ID:                  o_y0fEd8iY2J
  Name:                my_org
  Updated Time:        Tue, 29 Sep 2020 05:48:22 PDT
  Version:             1

  Scope (parent):
    ID:                global
    Name:              global
    Type:              global

»Create a Project

Next, we're going to add a project scope to our org.

$ boundary scopes create -scope-id o_0MkQUfE9jA -name my_project -description 'My first project'

Scope information:
  Created Time:        Tue, 29 Sep 2020 05:57:45 PDT
  Description:         My first project
  ID:                  p_jqCwqjSTQ4
  Name:                my_project
  Updated Time:        Tue, 29 Sep 2020 05:57:45 PDT
  Version:             1

  Scope (parent):
    ID:                o_0MkQUfE9jA
    Name:              my_org
    Parent Scope ID:   global
    Type:              org
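
An added example (not part of the Boundary documentation): the text output above contains two ID: lines, the new scope's and its parent's, so a script that captures the generated ID has to read the right block. This sketch parses the output format shown on this page and checks that an org sits under global and a project under an org; the function names and the o_/p_ prefix check are assumptions drawn from the sample output.

```shell
#!/bin/sh
# Constructed sample: the project-creation output shown on this page.
SAMPLE_PROJECT_OUTPUT='Scope information:
  Created Time:        Tue, 29 Sep 2020 05:57:45 PDT
  Description:         My first project
  ID:                  p_jqCwqjSTQ4
  Name:                my_project
  Updated Time:        Tue, 29 Sep 2020 05:57:45 PDT
  Version:             1

  Scope (parent):
    ID:                o_0MkQUfE9jA
    Name:              my_org
    Parent Scope ID:   global
    Type:              org'

# scope_field SECTION LABEL (hypothetical helper): read CLI text output on stdin
# and print one field from the "self" block or the "parent" block.
scope_field() {
  awk -v want="$1" -v label="$2" '
    /^Scope information:/  { section = "self"; next }
    /^ *Scope \(parent\):/ { section = "parent"; next }
    section == want {
      line = $0; sub(/^ +/, "", line)
      # Match the label at the start of the line so "Parent Scope ID" is not read as "ID".
      if (index(line, label ":") == 1) { sub(/^[^:]*: */, "", line); print line; exit }
    }'
}

# check_scope_placement (hypothetical helper): confirm the new scope sits where
# the hierarchy allows. Assumes the o_/p_ ID prefixes seen in the sample output.
check_scope_placement() {
  out=$(cat)
  id=$(printf '%s\n' "$out" | scope_field self ID)
  parent_type=$(printf '%s\n' "$out" | scope_field parent Type)
  case "$id:$parent_type" in
    o_*:global) echo "org $id under global" ;;
    p_*:org)    echo "project $id under org" ;;
    *) echo "unexpected placement: id=$id parent_type=$parent_type" >&2; return 1 ;;
  esac
}

printf '%s\n' "$SAMPLE_PROJECT_OUTPUT" | check_scope_placement
```

In a real run, pipe the output of boundary scopes create into check_scope_placement in place of the constructed sample.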