June 20-22 Announcing HashiConf Europe full schedule: keynotes, sessions, labs & more Register Now
  • Infrastructure
    • terraform
    • packer
  • Networking
    • consul
  • Security
    • vault
    • boundary
  • Applications
    • nomad
    • waypoint
    • vagrant
  • HashiCorp Cloud Platform

    A fully managed platform to automate infrastructure on any cloud with HashiCorp products.

    • consul
    • terraform
    • vault
    • packerbeta
    Visit cloud.hashicorp.com
  • Overview
  • Tutorials
  • Docs
  • API
  • Community
GitHub—Stars on GitHub
Download
    • v0.8.x (latest)
    • v0.7.x
    • v0.6.x
    • v0.5.x
    • v0.4.x
    • v0.3.x
    • v0.2.x
    • v0.1.x
  • What is Boundary?
    • Overview
      • Overview
      • Production
    • Run and Login
    • Connect to Target
    • Overview
    • Non-Dev Environments
    • Systemd Install
    • Postgres Install
    • High Availability Install
    • Reference Architectures
    • Overview
    • API
    • CLI
    • Go SDK
    • Desktop
    • Desktop
    • Overview
    • Service Discovery
      • Overview
        • Overview
        • Assignable Permissions
        • Permission Grant Formats
        • Resource Table
      • Data Encryption
      • Connections/TLS
      • Overview
      • Accounts
      • Auth Methods
      • Credentials
      • Credential Libraries
      • Credential Stores
      • Groups
      • Hosts
      • Host Catalogs
      • Host Sets
      • Managed Groups
      • Scopes
      • Sessions
      • Session Connections
      • Targets
      • Roles
      • Users
      • Overview
      • OIDC Managed Groups
      • Resource Listing
      • Worker Tags
      • Events
    • Overview
    • Building
    • Developing the UI

    • Overview
      • Overview
      • TCP
      • Unix
      • Overview
      • AEAD
      • AWS KMS
      • AliCloud KMS
      • Azure Key Vault
      • GCP Cloud KMS
      • OCI KMS
      • Vault Transit
    • controller
    • worker
      • Overview
      • Common Sink Parameters
      • File Sink
      • Stderr Sink
    • plugins
    • Overview
    • Metrics
    • Health Endpoint
  • Common Workflows
    • Overview
    • Manage Roles
    • Manage Scopes
    • Manage Sessions
    • Manage Targets
    • Manage Users and Groups
    • Workflow SSH Proxy

  • Roadmap
    • Overview
    • v0.8.0
    • v0.7.0
    • v0.6.0
    • v0.5.0
    • v0.4.0
    • v0.3.0
    • v0.2.0
    • v0.1.0
Type '/' to Search

»Run and Login to Boundary

To start Boundary in dev mode:

$ boundary dev
$ boundary dev

»Login to Boundary

Boundary uses a predictable login name (admin) and password (password) in dev mode. These can be overridden, or randomly generated, with flags to boundary dev.

$ boundary authenticate password \
         -login-name=admin \
         -password password \
         -auth-method-id=ampw_1234567890
$ boundary authenticate password \
         -login-name=admin \
         -password password \
         -auth-method-id=ampw_1234567890

If you are on Unix-like operating system (other than macOS/Darwin), you may get an error indicating that the token could not be stored, as the freedesktop.org Secret Service implementation is not always available. On these systems, you can work around this by installing dbus-x11 and gnome-keyring using your package manager, then creating and unlocking the default keyring with the following, substituting in a password of your choice for "foobar" (but ending with \n). You can also avoid putting the password on the command line by running the gnome-keyring-daemon commands directly and entering in the password, followed by a newline (return) and an EOF (Ctrl+D).

  • eval "$(printf 'foobar\n' | gnome-keyring-daemon --unlock)"
  • eval "$(printf 'foobar\n' | gnome-keyring-daemon --start)"

This would have to be run in each shell.

If you're unable to install these packages, or don't want to, you can tell the Boundary authenticate command to not save the token to the operating system's key manager by setting -token-name=none flag or BOUNDARY_TOKEN_NAME=none env variable when running boundary authenticate. You'll be responsible for setting the token in subsequent commands via -token flag or BOUNDARY_TOKEN env variable. An easy way to do this would be to use the -format=json flag along with jq to pull the token value out of the response and place it wherever you wish, then create a command alias for boundary that sources that value into the environment or the -token flag.

Token storage on *nix systems has been more problematic than we expected. We're exploring alternatives. See the discussion on this GitHub issue to track it and voice your thoughts.

»Next Steps

See connecting to your first target for how to use Boundary to run your first SSH session.

github logoEdit this page
DocsLearnPrivacySecurityPress KitConsent Manager