@ -17,7 +17,9 @@ To configure credential brokering or credential injection with static credential
## Credential brokering
Credential brokering is the process by which credentials are fetched from a credential store, and then returned back to the user.
The user must already be authorized to connect to a specific target to have credentials for that target brokered back to them.
Credentials are brokered when the session is established.
The credential brokering process works as follows:
@ -28,10 +30,10 @@ The credential brokering process works as follows:
The controller fetches credentials from the credential store and passes the credentials to the user.
1. The user establishes a connection to the session.
The controller assigns the job to a worker, and the worker establishes a session to the target.
The controller assigns the job to a worker, and the worker establishes a session to the target.
1. The user enters the credentials.
The user is authenticated to the target.
The user is authenticated to the target.
You can attach brokered credentials to either TCP targets or SSH targets.
Brokered credentials can take the form of a token, username and password, SSH private key, certificate, JSON blob, or an unstructured secret stored in Vault, for example.
@ -44,6 +46,7 @@ Consider a scenario where a user wants to access a target using SSH.
In this scenario, the user must be authorized to access the target.
If they are authorized, they can authenticate themselves to the machine using credentials that were brokered, or returned, back to them.
If the user is not authorized to access the target, they will not be able to retrieve brokered credentials for that target.
<img
@ -72,7 +75,9 @@ Learn more about the [Vault dynamic secrets engine](/vault/docs/secrets).
<EnterpriseAlert product="boundary">This feature requires <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a></EnterpriseAlert>
Credential injection is the process by which a credential is fetched from a credential store and then passed on to a worker for authentication to a remote machine.
With credential injection, the user never sees the credential required to authenticate to the target.
This provides a passwordless experience for the user, as the worker does both session establishment and authentication to the target on behalf of the user.
This process differs from credential brokering, where credentials are returned to the user rather than injected into the session on worker nodes.
@ -81,12 +86,12 @@ The credential injection process works as follows:
1. The user authenticates to Boundary.
1. The user requests a connection to a target.
The controller fetches credentials from the credential store.
The controller fetches credentials from the credential store.
1. The user establishes a connection to the session.
The controller assigns the job to a worker, and the worker establishes a session to the target.
Then the controller passes credentials to the worker.
The worker authenticates to the target, and the user is then authenticated to the target.
The controller assigns the job to a worker, and the worker establishes a session to the target.
Then the controller passes credentials to the worker.
The worker authenticates to the target, and the user is then authenticated to the target.
Credential injection is required for the SSH target type, allowing users to inject the following credential types when they access targets using SSH:
@ -94,6 +99,8 @@ Credential injection is required for the SSH target type, allowing users to inje
- Usernames and passwords
- Usernames and public keys
Additional credentials can be brokered to SSH targets after the session is establised using injected credentials.
### Security considerations
Consider a scenario where a user wants to access a target using SSH.
stellarsquall
2 years ago