Start a Development Environment | Boundary

»Boundary components

A deployment of a highly available (HA) Boundary service requires multiple controllers and workers to construct a cluster.

Boundary components

Controllers are responsible for understanding configuration, authenticating and authorizing users, and serving user API requests (e.g. to initiate a session).
Boundary clusters require an accessible key management service (KMS) and database shared by controllers. Boundary's database maintains the state of Boundary's resources, identities, and access policies. Boundary's KMS is customer-defined and serves as Boundary's root-of-trust for at-rest and in-transit encryption.
Workers are responsible for the actual session recording/proxying capability and other tasks that involve storage.

Boundary can run in a dev mode which is an all-in-one installation method for getting started with Boundary quickly. The dev mode is not a production installation but useful for experiment with Boundary locally.

»Prerequisites

Docker is installed
A route to download the Postgres Docker image image or a local image cached
A Boundary binary in your PATH

NOTE: An interactive tutorial is also available to demonstrate the basic working of Boundary. Click the Show Terminal button to start.

»Start a dev environment

Dev mode brings up a fully functioning instance of Boundary which includes:

A controller server
A worker server
A Postgres database

These components are ephemeral; therefore, data is not persisted and convenient for quick testing.

Check the help message for boundary dev command.

$ boundary dev -h

There are optional flags available to configure Boundary environment through the command line.

Command Options:

  -api-listen-address=<string>
      Address to bind to for controller "api" purpose. This can also be
      specified via the BOUNDARY_DEV_CONTROLLER_API_LISTEN_ADDRESS environment
      variable.

  -cluster-listen-address=<string>
      Address to bind to for controller "cluster" purpose. This can also
      be specified via the BOUNDARY_DEV_CONTROLLER_CLUSTER_LISTEN_ADDRESS
      environment variable.

  -combine-logs
      If set, both startup information and logs will be sent to stdout. If not
      set (the default), startup information will go to stdout and logs will
      be sent to stderr. The default is false.

  # ...snip...

Start Boundary in development mode with default configuration.

$ boundary dev

Example output:

==> Boundary server configuration:

       [Controller] AEAD Key Bytes: WO1h2kTypqzGqPUs+zoDioVAWIoHDtYxRy4m56DEe8A=
         [Recovery] AEAD Key Bytes: xL3hZ1ePrJW2QUYx8mRgh4lGmRIf6+fOMFjHRfQJi9s=
      [Worker-Auth] AEAD Key Bytes: GJmSp2MHslM698m8i2a14Mvc/9/5bq7/jZLlN9c/oi0=
              [Recovery] AEAD Type: aes-gcm
                  [Root] AEAD Type: aes-gcm
           [Worker-Auth] AEAD Type: aes-gcm
                               Cgo: disabled
            Dev Database Container: happy_wing
                  Dev Database Url: postgres://postgres:password@localhost:32768?sslmode=disable
          Generated Auth Method Id: ampw_1234567890
  Generated Auth Method Login Name: admin
    Generated Auth Method Password: password
         Generated Host Catalog Id: hcst_1234567890
                 Generated Host Id: hst_1234567890
             Generated Host Set Id: hsst_1234567890
            Generated Org Scope Id: o_1234567890
        Generated Project Scope Id: p_1234567890
               Generated Target Id: ttcp_1234567890
                        Listener 1: tcp (addr: "127.0.0.1:9200", max_request_duration: "1m30s", purpose: "api")
                        Listener 2: tcp (addr: "127.0.0.1:9201", max_request_duration: "1m30s", purpose: "cluster")
                        Listener 3: tcp (addr: "127.0.0.1:9202", max_request_duration: "1m30s", purpose: "proxy")
                         Log Level: info
                             Mlock: supported: false, enabled: false
                           Version: Boundary v0.1.0
                       Version Sha: e08ab98a2b128ee202eae46551da23c831b4acfc
                Worker Public Addr: 127.0.0.1:9202

==> Boundary server started! Log data will stream in below:

Notice the following default configurations:

Generated Auth Method Id: ampw_1234567890
Generated Auth Method Login Name: admin
Generated Auth Method Password: password

Also, notice that the output displays Generated Host Catalog Id, Generated Host Id, Generated Host Set Id, and so on. Those are Boundary resources preconfigured by default to quickly start Boundary in dev mode. You are going to learn how to manage those assets using the Boundary admin console.

If you wish to overwrite the default login name and password, use the -login-name and -password flags (e.g. boundary dev -login-name="dev-admin" -password="p@ssw0rd").

»Authenticate with Boundary

Now that Boundary is running in a dev mode, you can authenticate with admin console to verify that you can connect.

Use the Generated Auth Method Login Name (admin) and Generated Auth Method Password (password) unless you overwrote those values.

Open a web browser and enter http://127.0.0.1:9200 to launch the admin console.
Enter admin as Username and password in the Password text field to sign in.
Click Authenticate to log in.
Upon a successful authentication, you are on the Organizations page. Click on the Generated org scope.

»Next steps

You started Boundary in a dev mode, and verified that you can authenticate using the username and password.

The next step is to configure and manage the Boundary resources using the admin console.

Infrastructure

Security

Networking

Applications

»Boundary components

»Prerequisites

»Start a dev environment

»Authenticate with Boundary

»Next steps