»Connect to Your First Target

The default target is a TCP target with a default port of 22 (SSH). The host sets for this target contain the default host, which has the address When we run boundary connect against this target, the single available host will be selected and we'll open a local authenticated proxy to the target host on the target's default port ( Because this target is proxying to our local SSH server, we can use our built-in connect ssh command to wrap the proxied TCP connection and SSH via Boundary:

$ boundary connect ssh -target-id ttcp_1234567890

This will execute SSH on the target and port combination specified by the local boundary proxy. If you want to specify a username other than your currently logged-in user, you can do so via the -username flag.

If you want to pass additional flags to the SSH client, you can do so by adding them to the command line separated by a double-dash; anything after the double dash will be passed to the executed client. For instance, rather than using -username, an equivalent alternative would be:

$ boundary connect ssh -target-id ttcp_1234567890 -- -l some-other-user

There is also a -style flag to allow the command to format arguments in a different style expected by different SSH clients. At the moment, besides ssh (the default), the boundary connect ssh command supports -style putty to support passing connection information to PuTTY.

»Selecting Targets

When using boundary connect you must identify the target used for connecting. Convention in this documentation is to use the target ID as that's a single value and most explicit; however, other flags are supported:

Note however that these are not uniquely identifying as names can be re-used across scopes. As a result, when not using the target ID, you must use the target's name in conjunction with the scope name or scope ID so that Boundary can correctly identify the desired target.

»Built-In vs. Exec

Boundary comes with built-in wrappers for popular layer 7 connection protocols, such as:

  • ssh: defaults to the local SSH client (ssh)
  • postgres: defaults to the official Postgres CLI client (psql)
  • rdp: defaults to the built-in Windows RDP client (mstsc)
  • http: defaults to curl
  • kube: defaults to kubectl

However, boundary connect can accommodate executing clients even when there is no built-in support for a specific client using -exec. The -exec flag is a very powerful tool, allowing you to wrap Boundary TCP sessions in your preferred client. You can use this flag to create an authenticated proxy to almost anything.

For example, if you wanted to use Boundary to create an authenticated firewall around 'curl', you could update the default TCP target from a default port of :22 to :443:

$ boundary targets update tcp -default-port 443 -id ttcp_1234567890

Target information:
  Created Time:               Fri, 25 Sep 2020 18:35:47 PDT
  Description:                Provides an initial target in Boundary
  ID:                         ttcp_1234567890
  Name:                       Generated target
  Session Connection Limit:   1
  Session Max Seconds:        28800
  Type:                       tcp
  Updated Time:               Fri, 25 Sep 2020 18:36:18 PDT
  Version:                    2

    ID:                       p_1234567890
    Name:                     Generated project scope
    Parent Scope ID:          o_1234567890
    Type:                     project

  Host Sets:
    Host Catalog ID:          hcst_1234567890
    ID:                       hsst_1234567890

    Default Port:             443

In the output above the default port for the target has now changed to :443.

Now, curl can be used as the executed client for the TCP target session to do an authenticated download of hashicorp.com:

$ boundary connect -exec curl -target-id ttcp_1234567890 \
         -- -vvsL --output /dev/null hashicorp.com

*   Trying
* Connected to hashicorp.com ( port 80 (#0)
> GET / HTTP/1.1
> Host: hashicorp.com
> User-Agent: curl/7.64.1
> Accept: */*
...<truncated output>...

Note that -exec is available for subcommands that wrap clients as well. As an example, if putty.exe is available on a Windows host but the command is being run from WSL, the following allows usage of the wrapper but while specifying the correct available binary, as WSL must use .exe when invoking Windows binaries:

$ boundary connect ssh -style putty -exec putty.exe -target-id ttcp_1234567890

»Next Steps

See our common workflows for in depth discussion on managing scopes, targets, identities, and sessions.