From 97d749fa26312708061e1adc030f28cdbb285186 Mon Sep 17 00:00:00 2001 From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> Date: Mon, 3 Jun 2024 12:08:37 -0400 Subject: [PATCH] docs: Clarify credentials and SSH targets (#4863) * docs: Clarify credentials and SSH targets * Trigger build --- website/content/docs/concepts/domain-model/targets.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/website/content/docs/concepts/domain-model/targets.mdx b/website/content/docs/concepts/domain-model/targets.mdx index 4be7effb20..cc0a7117d0 100644 --- a/website/content/docs/concepts/domain-model/targets.mdx +++ b/website/content/docs/concepts/domain-model/targets.mdx @@ -88,14 +88,17 @@ A target has the following configurable attributes: ## Target types Boundary supports TCP and SSH target types. -An SSH target **must** have at least one injected application credential. +An SSH target **must** have at least one injected application credential to establish the SSH connection. A TCP target **cannot** have any injected application credentials. + Note the following target type requirements: - **To use brokered credentials to connect to a target that runs SSH**: you must use a `tcp` target type. - **To use injected application credentials to connect to a target that runs SSH**: you must use an `ssh` target type. - **To enable session recording for a target that runs SSH**: you must use injected application credentials and an `ssh` target type. +You can configure brokered credentials for use with SSH targets for purposes other than establishing the initial SSH connection. + ### TCP target attributes TCP targets have the following additional attribute: 
@@ -111,6 +114,10 @@ SSH targets use injected application credentials to authenticate an SSH session Injected credentials allow users to securely connect to remost hosts using SSH, while never being in the possession of a valid credential for that target host. The injected credentials can be a username/password or username/private key credential from Vault [credential libraries][] or they can be static [credentials][] or an SSH certificate from Vault SSH credential libraries. +You cannot establish an SSH connection to a target using brokered credentials. +If you do not configure injected credentials to make the SSH connection, any attempts to connect to the SSH target result in an error. +However, you can use brokered credentials with SSH targets for purposes other than establishing the initial SSH connection. + SSH targets have the following additional attributes: - `default_port` - (optional)
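Review bot: In the `@@ -88,14 +88,17 @@` hunk of targets.mdx, the added closing sentence "You can configure brokered credentials for use with SSH targets for purposes other than establishing the initial SSH connection." leaves "purposes other than" undefined. It also sits directly under the bullet that says using brokered credentials to connect to a target that runs SSH requires a `tcp` target type, so a reader can take the two statements as contradictory. Suggest naming at least one concrete use, or linking to the page that describes it, and stating that the bullet is about authenticating the connection itself.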
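Review bot: In the `@@ -111,6 +114,10 @@` hunk, the third added line ("However, you can use brokered credentials with SSH targets for purposes other than establishing the initial SSH connection.") repeats the sentence added under "Target types" almost word for word. Keep the statement in one place and cross-reference it from the other so the two cannot drift apart. The second added line says connection attempts "result in an error" without saying which error; describing the error, or where the user sees it, would make the failure easier to recognize and search for. The unchanged context line above still reads "remost hosts", which could be corrected to "remote hosts" while this paragraph is being edited.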