Scopes are a foundational part of Boundary. They allow users to partition resources and assign ownership of resources to principals. There are three types of scopes within Boundary:
- Global (
NOTE: Within the software itself and in the documentation, Boundary uses org instead of organization to remove ambiguity between different regional spellings of the word.
- There is only one global scope. It is the entry point for initial administration/setup and to manage the org scopes.
- Under the global scope, you can create multiple org scopes. Orgs are used to hold IAM-related resources and project scopes.
- Under each org scope, you can create multiple project scopes. Projects are used to hold infrastructure-related resources.
Some resources can only be associated with a specific level of scope. For example, targets can only be created within a project, while users can be created at the global level or an org level. See the domain model for detailed resource-specific information.
In this tutorial, you're going to create two scopes: an org and a project.
All resource IDs in this tutorial are illustrations only. IDs are uniquely generated for every resource upon creation, with the exception of resources generated in dev mode. Be sure to use the resource IDs that are generated for your environment when running this tutorial. For example, if you run boundary users create, use the resource ID of the user seen in stdout, not the ID in the example command.
To perform the tasks described in this tutorial, you need to have a Boundary environment. Refer to the Getting Started tutorial to install and start Boundary.
»Create an org
In this tutorial, you are going to create an org under the
The CLI and admin console will create certain administrative roles automatically when a scope is created so that the user that created the scope can immediately manage it. The Terraform provider skips creation of those roles so that resources are not created outside of Terraform's purview. To simplify this tutorial, you are telling Terraform to allow these roles to be created in both this section and in the next section where you create a project scope.
To start this tutorial, be sure to log in to the Boundary Console first.
Create a new org under the global scope named "IT_Support" with the description "IT Support Team".
$ boundary scopes create -scope-id=global -name=IT_Support -description="IT Support Team"
Scope information:
  Created Time:        Thu, 10 Dec 2020 21:24:52 PST
  Description:         IT Support Team
  ID:                  o_BdK14OKdM4
  Name:                IT_Support
  Updated Time:        Thu, 10 Dec 2020 21:24:52 PST
  Version:             1

  Scope (parent):
    ID:                global
    Name:              global
    Type:              global
List the existing scopes.
$ boundary scopes list
Scope information:
  ID:             o_1234567890
    Version:      1
    Name:         Generated org scope
    Description:  Provides an initial org scope in Boundary

  ID:             o_BdK14OKdM4
    Version:      1
    Name:         IT_Support
    Description:  IT Support Team
In this example, the generated scope ID for IT_Support is
Notice that org ID starts with
Copy the ID of the IT_Support org and save it as an environment variable,
$ export ORG_ID=<IT_Support_Org_ID>
$ export ORG_ID="o_BdK14OKdM4"
»Create a project
Next, create a new project named QA_Tests under the "IT_Support" scope with the description "Manage QA machines".
To create a project under the IT_Support org, execute the boundary scopes create command.
$ boundary scopes create -scope-id=$ORG_ID -name=QA_Tests \
    -description="Manage QA machines"
Scope information:
  Created Time:        Thu, 10 Dec 2020 21:33:29 PST
  Description:         Manage QA machines
  ID:                  p_HtkJjpSlic
  Name:                QA_Tests
  Updated Time:        Thu, 10 Dec 2020 21:33:29 PST
  Version:             1

  Scope (parent):
    ID:                o_BdK14OKdM4
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org
List the project under the IT_Support org to verify.
$ boundary scopes list -scope-id=$ORG_ID
Scope information:
  ID:             p_HtkJjpSlic
    Version:      1
    Name:         QA_Tests
    Description:  Manage QA machines
In this example, the generated project ID is p_HtkJjpSlic. Notice that project ID starts with
Copy the ID of the QA_Tests project and save it as an environment variable,
$ export PROJECT_ID=<QA_Tests_Project_ID>
$ export PROJECT_ID="p_HtkJjpSlic"
You created a new org, IT_Support, which contains the QA_Tests project. Those new scopes can help create logical groupings of Boundary resources such as targets, users, groups, and roles.
You are now ready to define scope-level resources and manage them per scope.
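The create output above contains two ID lines, the new scope's and its parent's, so a hand-copied ID can put later roles and targets in the wrong scope. The following shell functions are an added example, not part of the original tutorial or of Boundary itself: they extract the new scope's ID from that output and check its type before it is exported. The function names, the constructed sample output, and the o_/p_ prefix check (taken from the IDs shown in this tutorial) are assumptions.

```shell
# Constructed sample, laid out like the create output in this tutorial.
SAMPLE_CREATE='Scope information:
  Created Time:        Thu, 10 Dec 2020 21:33:29 PST
  Description:         Manage QA machines
  ID:                  p_HtkJjpSlic
  Name:                QA_Tests
  Updated Time:        Thu, 10 Dec 2020 21:33:29 PST
  Version:             1

  Scope (parent):
    ID:                o_BdK14OKdM4
    Name:              IT_Support
    Parent Scope ID:   global
    Type:              org'

# created_scope_id: read create output on stdin and print the ID of the scope
# that was created. The parent block has its own "ID:" line, so stop at the
# "Scope (parent):" header and accept only a line whose first field is "ID:".
created_scope_id() {
  awk '/Scope \(parent\):/ { exit }
       $1 == "ID:" { print $2; exit }'
}

# parent_scope_id: print the ID listed inside the "Scope (parent):" block.
parent_scope_id() {
  awk '/Scope \(parent\):/ { in_parent = 1; next }
       in_parent && $1 == "ID:" { print $2; exit }'
}

# scope_type: classify a scope ID by its prefix (assumption: prefixes as they
# appear in this tutorial's sample IDs). Returns non-zero for anything else.
scope_type() {
  case "$1" in
    global) echo global ;;
    o_?*)   echo org ;;
    p_?*)   echo project ;;
    *)      echo unknown; return 1 ;;
  esac
}

# Usage against a real controller (not run here):
#   out=$(boundary scopes create -scope-id="$ORG_ID" -name=QA_Tests \
#           -description="Manage QA machines")
#   id=$(printf '%s\n' "$out" | created_scope_id)
#   [ "$(scope_type "$id")" = project ] && export PROJECT_ID="$id"
```

Comparing parent_scope_id against $ORG_ID before exporting PROJECT_ID also confirms the project was created under the intended org.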