aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e41afe4aba'
${ noResults }
boundary/website/content/docs/credentials/configure-credential-inject...

95 lines
4.2 KiB
Raw Blame History

---
layout: docs
page_title: Configure targets with credential injection
description: >-
Configure credential injection so Boundary provides users with a passwordless experience when connecting to targets. Availabile exclusively for Enterprise users.
---
# Configure targets with credential injection
<EnterpriseAlert product="boundary">This feature requires <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a></EnterpriseAlert>
The following section provides steps to configure your targets with credential injection.
Credential injection provides end users with a passwordless experience when they connect to targets by automatically injecting credentials without exposing them to the user.
Credential injection is supported for:
- **SSH targets**: Protocol-aware SSH connections
- **RDP targets**: Protocol-aware RDP connections (BETA)
@include 'alerts/beta.mdx'
## Requirements
- This feature requires either <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a>
- You must have an existing target available that supports credential injection:
- **RDP targets**: Must be configured with at least one injected application credential
- **SSH targets**: Must be configured with at least one injected application credential
- **TCP targets**: Do not support credential injection
- You must have configured either a static credential store or a Vault credential store:
- To configure a static credential store, refer to [Create static credential stores](/boundary/docs/credentials/static-cred-boundary).
- To configure a Vault credential store and credential library, refer to [Create Vault credential stores](/boundary/docs/credentials/static-cred-vault).
- You must have a static credential saved in your static credential store or Vault credential store. The credential must correspond to the target to which you want to authenticate.
- **For RDP targets**: Network Level Authentication (NLA) is supported. Kerberos and NTLMv2 authentication methods are supported for domain-joined workers. NTLMv2 is supported for non-domain-joined workers.
- **For SSH targets**: Keyboard-interactive authentication is not supported. When you use username-password credentials, ensure that your SSH server is configured to allow password authentication.
## Configuration
Complete the following steps to configure targets with credential injection:
<Tabs>
<Tab heading="UI" group="ui">
1. Log in to Boundary.
2. Select **Orgs** on the navigation pane.
3. Select your desired org.
4. Select the project where your target resides.
5. Click **Targets** on the navigation pane.
6. Click on your target you want to configure for credential injection.
7. Click on the **Injected Application Credential** tab.
8. Click **Managed** and select **Add Injected Application Credential** in the pull down menu.
9. Do one of the following:
- **If you are using a static credential store**: Select the credential that corresponds to your target and click **Add Injected Application Credential**.
- **If you are using a Vault credential store**: Select the credential library that corresponds to your target and click **Add Injected Application Credential**.
</Tab>
<Tab heading="CLI" group="cli">
1. Log into Boundary.
```shell-session
$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
```
2. Add credential injection to target.
```shell-session
$ boundary targets add-credential-sources \
-id trdp_vO60a7TwpI \
-injected-application-credential-source csvlt_Xqa6V6QwfM
```
<Tip>
If you are using a static credential store, `brokered-credential-source` refers to the ID of a **credential** in the static credential store.
If you are using a Vault credential store, `brokered-credential-source` refers to the ID of a **credential library** in the Vault credential store.
</Tip>
</Tab>
</Tabs>
## More information
Refer to the following topics for more information:
- [Create static credential stores](/boundary/docs/credentials/static-cred-boundary)
- [Create Vault credential stores](/boundary/docs/credentials/static-cred-vault)
- [Target types](/boundary/docs/domain-model/targets#target-types)
- [Credentials](/boundary/docs/domain-model/credentials)
Reference in new issue View Git Blame Copy Permalink