boundary

Authenticate to Boundary

$ boundary authenticate

$ boundary connect -target-id [ttcp_1234567890]

$ boundary connect ssh -target-id [ttcp_1234567890]

$ boundary targets list -recursive

$ boundary sessions list -recursive

$ boundary targets read -id [ttcp_1234567890]

$ boundary sessions cancel -id [s_1234567890]

$ boundary connect -target-id [ttcp_1234567890] -listen-port [2222]

boundary command [options]

boundary is the CLI for HashiCorp Boundary, a tool for secure remote access to infrastructure. It provides identity-based access to hosts and services without exposing networks or managing credentials directly.
The connect command establishes sessions to targets. Protocol-specific helpers (ssh, postgres, rdp, http, kube) automatically configure client tools with proper credentials. For SSH, it spawns an ssh process with injected credentials; for databases, it provides connection strings.
Authentication methods include password, OIDC, and LDAP. Credentials are stored in the system keyring or specified location. Use authenticate to log in and logout to clear credentials.
Boundary uses a hierarchical scope model with global, organization, and project scopes. Use -recursive to list resources across all accessible scopes.
Sessions maintain the connection state between client and target. Active sessions can be listed and canceled. Session recordings enable audit and compliance when configured.

-target-id id

Target ID to connect to.

Target name (requires scope).

Scope containing target.

Scope name containing target.

Local port for proxy connection.

Boundary controller address.

Authentication token.

Token name for storage.

Scope ID for operations.

List resources recursively across scopes.

Output format: table, json.

Keyring type for credential storage.

authenticate

Authenticate to a Boundary controller.

Establish connection to a target. Helpers: ssh, postgres, rdp, http, kube.

List or inspect targets.

Manage active sessions.

View hosts in host catalogs.

View host catalogs.

View organizational scopes.

Manage accounts.

View authentication methods.

View roles and permissions.

View groups.

View users.

Clear stored credentials.

Show version information.

Requires access to a Boundary controller. Targets must be configured by administrators with proper permissions. Connect helpers require their respective client tools installed (ssh, psql, etc.). Some features require Boundary Enterprise or HCP Boundary.

Boundary was announced by HashiCorp in October 2020 as part of their security product line alongside Vault. It addresses modern identity-based access patterns, replacing traditional VPNs and bastion hosts. Version 0.1 was released in October 2020. The project reached 1.0 GA status in 2022. Boundary integrates with Vault for credential brokering and injection, providing just-in-time access to infrastructure.

vault(1), ssh(1), tsh(1), kubectl(1)