In this article, I am going to show how dynamic credential templating in HashiCorp Boundary helps avoid resource sprawl.
If Vault uses a secrets engine in which we have defined user-specific roles, such as SSH OTP (for Linux servers) or LDAP (for Windows servers), then in Boundary we end up creating user-specific credential libraries, each pointing to a user-specific Vault path, as shown below. This leads to resource sprawl within Boundary: at scale it means hundreds to thousands of individual credential libraries.
Boundary 0.12 added support for credential templating within credential libraries. This allows Boundary administrators to configure one target with one credential library that generates per-user credentials, so you no longer need to maintain a target for each user, as shown below. The Vault paths in these credential libraries can reference the Boundary user's or account's information, as highlighted here; that information is filled in dynamically when the credentials are fetched.
Figure: User-specific credential libraries
Figure: User-specific target mapped to a user-specific credential library
Figure: Dynamic credential library mapped to the Boundary user's name
Figure: Dynamic team-specific target mapped to a single dynamic credential library
With dynamic credential templating, you can easily create managed groups in Boundary and assign them team-specific targets that are mapped to dynamic host catalogs and to a single dynamic credential library whose path uses the user's information, as shown above.
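To make the per-user sprawl and the templated replacement concrete, here is an added Terraform example (not the article's own code) for the Windows/LDAP case described above. It assumes a Vault LDAP secrets engine with one static role per user at ldap/static-cred/<name>, an existing Boundary Vault credential store, project scope and plugin host set (all referenced by placeholder resource names); `{{ .User.Name }}` is Boundary's credential templating key for the requesting user's name.

```hcl
# BEFORE: one credential library per user. Every new user needs a new
# library (and, without templating, a new target), which is the sprawl.
resource "boundary_credential_library_vault" "alice" {
  name                = "alice-ldap"
  credential_store_id = boundary_credential_store_vault.windows.id # placeholder
  path                = "ldap/static-cred/alice"                   # user-specific Vault path
  credential_type     = "username_password"
}

resource "boundary_credential_library_vault" "bob" {
  name                = "bob-ldap"
  credential_store_id = boundary_credential_store_vault.windows.id
  path                = "ldap/static-cred/bob"
  credential_type     = "username_password"
}
# ... repeated for every user in the team.

# AFTER: a single library. Boundary renders the path at session time from the
# identity of the user requesting the credential, so the Vault role that is
# read is always the requester's own.
resource "boundary_credential_library_vault" "ldap_per_user" {
  name                = "ldap-per-user"
  credential_store_id = boundary_credential_store_vault.windows.id
  path                = "ldap/static-cred/{{ .User.Name }}" # templated Vault path
  credential_type     = "username_password"
}

# One team-wide target brokers that library to every member of the team,
# replacing the per-user targets.
resource "boundary_target" "windows_team" {
  name                           = "windows-team-rdp"
  type                           = "tcp"
  default_port                   = 3389
  scope_id                       = boundary_scope.project.id            # placeholder
  host_source_ids                = [boundary_host_set_plugin.windows.id] # dynamic host catalog (placeholder)
  brokered_credential_source_ids = [boundary_credential_library_vault.ldap_per_user.id]
}
```

Because the path is derived from the Boundary user name, that name must match the Vault static-role name exactly, so provision both from the same identity source rather than by hand. The Vault token held by the credential store only needs read access on ldap/static-cred/*, but note that it is the templated path, not a per-user Vault policy, that keeps one user from reading another user's role.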
Figure: Workflow of the PAM use case for Linux machines
If you are new to HashiCorp Boundary and would like to understand how the Boundary-Vault integration helps achieve Zero Trust security, you can watch my HashiTalk, where I explain the traditional privileged access management (PAM) workflow, its challenges, and how we solved a couple of PAM use cases for Windows and Linux servers.