Scopes are a foundational part of Boundary. They allow users to partition resources and assign ownership of resources to principals. There are three types of scopes within Boundary:
- Global (
These are in a hierarchy:
- There is only one single
globalscope. It is meant as the entry point for initial administration/setup and to manage org scopes.
- Under the
globalscope there can be many org scopes. These are used to hold IAM-related resources and project scopes.
- Under each org scope can be many project scopes. These are used to hold infrastructure-related resources.
Some resources can only be associated with a specific level of scope. As an example, Targets can only be contained within a project scope. Other resources can be contained by multiple scopes. For example, users can be created within the
global scope or an org-level scope. See the domain model for detailed resource specific information.
In this example, we're going to create two scopes, an org and a project.
All resource IDs in this example are illustration only - IDs are uniquely generated for every resource upon creation with the exception being
generated resources in
dev mode. Please make sure to use the resource IDs that are generated when running this example. For example, if you run
boundary users create, use the resource ID of the user seen in stdout, not the ID in the example command.
»Create an Org
In this example, we're going to create an org, which lives in the
The CLI and UI will default to having certain administrative roles be created automatically when a scope is created, so that the user that created the scope can immediately manage it. The Terraform provider defaults skipping creation of those roles so that resources are not created outside of Terraform's purview. To simplify this example, we are telling Terraform to allow these roles to be created in both this section and in the next section where we create a project scope.
$ boundary scopes create -scope-id global -name my_org -description 'My first org' Scope information: Created Time: Tue, 29 Sep 2020 05:48:22 PDT Description: My first org ID: o_y0fEd8iY2J Name: my_org Updated Time: Tue, 29 Sep 2020 05:48:22 PDT Version: 1 Scope (parent): ID: global Name: global Type: global
»Create a Project
Next, we're going to add a project scope to our org.
$ boundary scopes create -scope-id o_0MkQUfE9jA -name my_project -description 'My first project' Scope information: Created Time: Tue, 29 Sep 2020 05:57:45 PDT Description: My first project ID: p_jqCwqjSTQ4 Name: my_project Updated Time: Tue, 29 Sep 2020 05:57:45 PDT Version: 1 Scope (parent): ID: o_0MkQUfE9jA Name: my_org Parent Scope ID: global Type: org