Avoid Resource Sprawling Using Dynamic Credential Templating in HashiCorp Boundary

Background

• Is your organization using HashiCorp Boundary as a PAM (privileged access management) solution for thousands of hosts residing in private network?
• Are you using HashiCorp Vault for generating dynamic secrets for multiple users and hosts?
• Have you faced a challenge of maintaining user specific targets and credential libraries in Boundary and eventually ended up in a resource sprawl?

In this article, I am going to highlight the solution using dynamic credential templating in HashiCorp Boundary which will help in avoiding resource sprawl.

Problem Statement

• In Boundary, a credential store is a resource that can retrieve, store, and potentially generate credentials (like HashiCorp Vault).
• Credential Store will contain credential libraries pointing to specific paths within Vault.
• These credential libraries are then mapped to Boundary targets which allows a Boundary user to connect to a host residing in private network.

Now, if Vault is making use of a secret engine where we have defined user-specific roles like SSH-OTP (for linux servers) or LDAP (for Windows servers), in Boundary, we end up creating user-specific credential libraries pointing to user-specific Vault paths as shown below. This leads to resource sprawl within Boundary, resulting in hundreds to thousands of individual credential libraries at scale.

How do we solve resource sprawling?

In Boundary 0.12, support for credential templating within credential libraries was added. This allows Boundary administrators to configure one target with one credential library that generates per-user credentials. Hence, you don't need to maintain a target for each user as shown below. The paths in these credential libraries can be mapped to Boundary user's or account's information as highlighted here. The user's/account's information is dynamically populated while accessing credentials.

Code Snippet & Snapshots (Before vs After)

Before : Using Static Credential Libraries and Targets

User-specific credential libraries

User-specific target mapped to user-specific credential library

After : Using dynamic credential libraries and targets

Dynamic Credential Library ampped to Boundary User's name

Dynamic Team specific target mapped to single dynamic credential library

Conclusion

Due to dynamic credential templating, you can very easily create managed groups in Boundary and assign team-specific targets mapped to dynamic host catalogs and single dynamic credential library path using user's information as shown in the above code snippet.

Workflow of PAM use case for linux machines

See Zero Trust Security in action!

If you are new to HashiCorp Boundary and would like to understand how Boundary-Vault integration helps us in achieving Zero Trust Security, you can watch my HashiTalk where I explain the traditional workflow of privileged access management (PAM), its challenges and how we solved couple of PAM use-cases for Windows and Linux servers.