@ -88,14 +88,17 @@ A target has the following configurable attributes:
## Target types
Boundary supports TCP and SSH target types.
An SSH target **must** have at least one injected application credential.
An SSH target **must** have at least one injected application credential to establish the SSH connection.
A TCP target **cannot** have any injected application credentials.
Note the following target type requirements:
- **To use brokered credentials to connect to a target that runs SSH**: you must use a `tcp` target type.
- **To use injected application credentials to connect to a target that runs SSH**: you must use an `ssh` target type.
- **To enable session recording for a target that runs SSH**: you must use injected application credentials and an `ssh` target type.
You can configure brokered credentials for use with SSH targets for purposes other than establishing the initial SSH connection.
### TCP target attributes
TCP targets have the following additional attribute:
@ -111,6 +114,10 @@ SSH targets use injected application credentials to authenticate an SSH session
Injected credentials allow users to securely connect to remost hosts using SSH, while never being in the possession of a valid credential for that target host.
The injected credentials can be a username/password or username/private key credential from Vault [credential libraries][] or they can be static [credentials][] or an SSH certificate from Vault SSH credential libraries.
You cannot establish an SSH connection to a target using brokered credentials.
If you do not configure injected credentials to make the SSH connection, any attempts to connect to the SSH target result in an error.
However, you can use brokered credentials with SSH targets for purposes other than establishing the initial SSH connection.
SSH targets have the following additional attributes:
Dan Heath
2 years ago
committed by
GitHub