boundary/website/content/docs/concepts/domain-model/targets.mdx

---
layout: docs
page_title: Domain Model - Targets
description: |-
  The anatomy of a Boundary target
---

# Targets

A target is a resource
that represents a networked service
with an associated set of permissions
a [user][] can connect to
and interact with
through Boundary
by way of a session.
A target can only be defined within a [project][].
A target can contain references to [host sets][] from [host catalogs][]
which belong to the same project as the target.
A target can contain references to [credential libraries][]
from [credential stores][] which belong to the same project as the target.
A target can contain an address
which is used by a session to connect to a networked resource.
A target cannot have an address and also reference host sources.
A user must be assigned a [role][] with the `authorize-session` [permission][]
for the target to
establish a session with a networked resource by way of an address,
or host in any host set referenced by the target.

## Attributes

A target has the following configurable attributes:

- `name` - (required)
  The `name` must be unique within the target's [project][].

- `description` - (optional)

- `address` - (optional)
  Represents a network resource address and is used when establishing a session.
  Accepts no port, only an IP address or DNS name.

### TCP target attributes

TCP targets have the following additional attributes:

- `address` - (optional)
  A valid network address for the target to connect to.
  This value cannot be used alongside host sources.

- `default_port` - (required)
  The default port to set on this target.

- `egress_worker_filter` - (optional)
  A boolean expression to [filter][] which egress workers can handle sessions
  for this target.
  Egress worker filters determine which workers are used to access targets.
  You can configure an egress filter to enable [multi-hop](/boundary/docs/configuration/worker/pki-worker#multi-hop-workershcp-only) connections.
  If you do not configure an egress filter, then Boundary uses a single worker to connect to the controller.

- `ingress_worker_filter` - (optional) <sup>HCP Only</sup>
  A boolean expression to [filter][] which ingress workers can handle sessions
  for this target.
  Ingress worker filters determine which workers you connect with to initiate a session.
  If you do not configure an ingress filter, Boundary selects a front line worker for the session.
  A front line worker is any worker directly connected to the control plane; for HCP Boundary this will be an HCP worker.

- `session_connection_limit` - (required)
  The cumulative number of TCP connections allowed during a session.
  A -1 value means no limit.
  The default is -1.
  The value must be greater than 0 or exactly -1.

- `session_max_seconds` - (required)
  The maximum duration of an individual session between the user and the target.
  All connections for a session are closed
  and the session is terminated
  when a session reaches the maximum duration.
  The default is 8 hours (28800 seconds).
  This value must be greater than 0.

### SSH target attributes <sup>HCP/ENT</sup>

SSH targets can source username/password or SSH private key credentials from Vault [credential libraries][] or static
[credentials][]. Boundary then injects credentials into the SSH session between a client and end host. This allows users to
securely connect to remote hosts using SSH, while never being in possession of a valid credential for that target host.

SSH targets have the following additional attributes:

- `address` - (optional)
  A valid network address for the target to connect to.
  This value cannot be used alongside host sources.

- `default_port` - (optional)
  The default port to set on this target.
  If this is not specified the default port will be 22.

- `egress_worker_filter` - (optional)
  A boolean expression to [filter][] which egress workers can handle sessions
  for this target.
  Egress worker filters determine which workers are used to access targets.
  You can configure an egress filter to enable [multi-hop](/boundary/docs/configuration/worker/pki-worker#multi-hop-workershcp-only) connections.
  If you do not configure an egress filter, then Boundary uses a single worker to connect to the controller.

- `enable_session_recording` - (optional)
  Set to `true` to enable [session recordings][] for a target.
  If you enable session recording, the `storage_bucket_id` is required.

- `ingress_worker_filter` - (optional) <sup>HCP/ENT</sup>
  A boolean expression to [filter][] which ingress workers can handle sessions
  for this target.
  Ingress worker filters determine which workers you connect with to initiate a session.
  If you do not configure an ingress filter, Boundary selects a front line worker for the session.
  A front line worker is any worker directly connected to the control plane; for HCP Boundary this will be an HCP worker.

- `session_connection_limit` - (required)
  The cumulative number of TCP connections allowed during a session.
  A -1 value means no limit.
  The default is -1.
  The value must be greater than 0 or exactly -1.

- `session_max_seconds` - (required)
  The maximum duration of an individual session between the user and the target.
  All connections for a session are closed
  and the session is terminated
  when a session reaches the maximum duration.
  The default is 8 hours (28800 seconds).
  This value must be greater than 0.

- `storage_bucket_id` - (optional)
  Designates the storage bucket to be used for session recording.
  This attribute is required if you set `enable_session_recording` to `true`.

## Referenced by

- [Credential Library][]
- [Host Set][]
- [Project][]
- [Session][]
- [Session Recordings][]
- [Worker Filtering][]

[credentials]: /boundary/docs/concepts/domain-model/credentials
[credential library]: /boundary/docs/concepts/domain-model/credential-libraries
[credential libraries]: /boundary/docs/concepts/domain-model/credential-libraries
[credential store]: /boundary/docs/concepts/domain-model/credential-stores
[credential stores]: /boundary/docs/concepts/domain-model/credential-stores
[host catalog]: /boundary/docs/concepts/domain-model/host-catalogs
[host catalogs]: /boundary/docs/concepts/domain-model/host-catalogs
[host set]: /boundary/docs/concepts/domain-model/host-sets
[host sets]: /boundary/docs/concepts/domain-model/host-sets
[host]: /boundary/docs/concepts/domain-model/hosts
[hosts]: /boundary/docs/concepts/domain-model/hosts
[permission]: /boundary/docs/concepts/security/permissions
[permissions]: /boundary/docs/concepts/security/permissions
[project]: /boundary/docs/concepts/domain-model/scopes#projects
[projects]: /boundary/docs/concepts/domain-model/scopes#projects
[role]: /boundary/docs/concepts/domain-model/roles
[roles]: /boundary/docs/concepts/domain-model/roles
[session]: /boundary/docs/concepts/domain-model/sessions
[sessions]: /boundary/docs/concepts/domain-model/sessions
[session recordings]: /boundary/docs/concepts/domain-model/session-recordings
[filter]: /boundary/docs/concepts/filtering/worker-tags
[worker filtering]: /boundary/docs/concepts/filtering/worker-tags
[user]: /boundary/docs/concepts/domain-model/users
[users]: /boundary/docs/concepts/domain-model/users

## Service API docs

The following services are relevant to this resource:

- [Target Service](/boundary/api-docs/target-service)