
hashicorp/boundary-plugin-aws

AWS Plugin for HashiCorp Boundary

This repo contains the AWS plugin for HashiCorp Boundary.

Credential Rotation

The credential chain is evaluated in the following priority order: static credentials, assume role, environment variables.

Static Credentials

Although static credentials are stored encrypted within Boundary, by default this plugin will attempt to rotate credentials when they are supplied through the secrets object. The supplied credentials are used to create a new credential, and then the supplied credential is revoked. In this way, after rotation, only Boundary knows the client secret in use by this plugin. More information about AWS static credentials can be found here.

Credential rotation can be turned off by setting the disable_credential_rotation attribute to true.

Assume Role Credentials

This plugin will attempt to assume a role when a role_arn is supplied through the attributes object. More information about assuming an AWS role can be found here. This feature only works when the plugin is running on a self-managed Boundary worker.

Environment Credentials

This plugin will attempt to retrieve credentials from environment variables. More information about environment variables for AWS credentials can be found here. This feature only works when the plugin is running on a self-managed Boundary worker.
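The chain priority above and the rotate-then-revoke sequence described under Static Credentials, modelled as an added example. This is not the plugin's own code: ResolveSource, Rotate, the KeyManager interface and the in-memory FakeIAM are assumptions standing in for the AWS SDK and IAM, and the access key ids are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Source is where the plugin resolved its AWS credentials from.
type Source string

const (
	SourceStatic     Source = "static"
	SourceAssumeRole Source = "assume_role"
	SourceEnv        Source = "environment"
	SourceNone       Source = "none"
)

// StaticCreds are static credentials as they arrive through the secrets object.
type StaticCreds struct {
	AccessKeyID     string
	SecretAccessKey string
}

// ResolveSource applies the README's chain priority: static secrets win over a
// role_arn, which wins over environment variables. lookupEnv is injected so the
// check runs offline (pass os.LookupEnv in real use).
func ResolveSource(secrets StaticCreds, roleARN string, lookupEnv func(string) (string, bool)) Source {
	if secrets.AccessKeyID != "" && secrets.SecretAccessKey != "" {
		return SourceStatic
	}
	if roleARN != "" {
		return SourceAssumeRole
	}
	if _, ok := lookupEnv("AWS_ACCESS_KEY_ID"); ok {
		return SourceEnv
	}
	return SourceNone
}

// KeyManager is the subset of IAM access-key operations rotation needs.
// Hypothetical interface; a real implementation would wrap the AWS SDK.
type KeyManager interface {
	CreateAccessKey() (StaticCreds, error)
	DeleteAccessKey(accessKeyID string) error
}

// Rotate creates a replacement key and revokes the supplied one only after the
// new key exists, so a failed create never leaves the plugin without working
// credentials. With disableRotation set (disable_credential_rotation=true), the
// supplied credentials are returned unchanged.
func Rotate(km KeyManager, current StaticCreds, disableRotation bool) (StaticCreds, error) {
	if disableRotation {
		return current, nil
	}
	next, err := km.CreateAccessKey()
	if err != nil {
		return current, fmt.Errorf("create replacement key: %w", err)
	}
	if err := km.DeleteAccessKey(current.AccessKeyID); err != nil {
		// Both keys are still live here; report it rather than pretend the old key is gone.
		return next, fmt.Errorf("revoke old key %s: %w", current.AccessKeyID, err)
	}
	return next, nil
}

// FakeIAM is an in-memory stand-in for IAM used to exercise Rotate offline.
type FakeIAM struct {
	Keys       map[string]bool // active access key ids
	FailCreate bool            // simulate a CreateAccessKey failure
	nextID     int
}

func NewFakeIAM(initial string) *FakeIAM {
	return &FakeIAM{Keys: map[string]bool{initial: true}}
}

func (f *FakeIAM) CreateAccessKey() (StaticCreds, error) {
	if f.FailCreate {
		return StaticCreds{}, errors.New("LimitExceeded: two access keys already exist")
	}
	f.nextID++
	id := fmt.Sprintf("AKIAFAKE%04d", f.nextID) // constructed sample id
	f.Keys[id] = true
	return StaticCreds{AccessKeyID: id, SecretAccessKey: "constructed-secret-" + id}, nil
}

func (f *FakeIAM) DeleteAccessKey(id string) error {
	if !f.Keys[id] {
		return fmt.Errorf("NoSuchEntity: %s", id)
	}
	delete(f.Keys, id)
	return nil
}

func main() {
	seed := StaticCreds{AccessKeyID: "AKIAFAKE0000", SecretAccessKey: "constructed-seed"}
	iam := NewFakeIAM(seed.AccessKeyID)
	fmt.Println("source:", ResolveSource(seed, "", os.LookupEnv))
	rotated, err := Rotate(iam, seed, false)
	fmt.Println("rotated to", rotated.AccessKeyID, "err:", err, "old key still active:", iam.Keys[seed.AccessKeyID])
}
```

The ordering in Rotate is the point worth keeping: the old key is deleted only after the new one exists, and a create failure returns the still-valid old key with an error, so the caller can retry without an outage.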

Dynamic Hosts

This plugin supports dynamically sourcing hosts from Amazon EC2.

Host sets created with this plugin define filters which select and group like instances within AWS; these host sets can in turn be added to targets within Boundary as host sources.

At creation, update, or deletion of a host catalog of this type, the plugin is configured via the attribute and secret values passed to the create, update, or delete calls. The values passed to the plugin here are the attributes set on a host catalog in Boundary.

The plugin fetches hosts through the DescribeInstances call.
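How a host set's filters select and group instances out of a DescribeInstances result, as an added example; this is not the plugin's code. The Filter type follows the name/values shape of DescribeInstances filters (values within one filter are ORed, separate filters are ANDed), only the instance-state-name and tag:<Key> names are modelled, and SampleFleet is constructed data standing in for a real API response.

```go
package main

import (
	"fmt"
	"strings"
)

// Instance is the subset of a DescribeInstances result the filter needs.
type Instance struct {
	ID    string
	State string
	Tags  map[string]string
}

// Filter mirrors the DescribeInstances filter shape: a name and accepted values.
type Filter struct {
	Name   string
	Values []string
}

// matches evaluates one filter against one instance. Unknown filter names match
// nothing, so a typo in a host set filter yields an empty host set rather than
// silently exposing every instance in the account.
func matches(f Filter, in Instance) bool {
	var actual string
	var present bool
	switch {
	case f.Name == "instance-state-name":
		actual, present = in.State, true
	case strings.HasPrefix(f.Name, "tag:"):
		actual, present = in.Tags[strings.TrimPrefix(f.Name, "tag:")]
	default:
		return false
	}
	if !present {
		return false
	}
	for _, v := range f.Values {
		if v == actual {
			return true
		}
	}
	return false
}

// SelectHosts returns the ids of instances satisfying every filter, in input order.
func SelectHosts(filters []Filter, fleet []Instance) []string {
	var ids []string
	for _, in := range fleet {
		ok := true
		for _, f := range filters {
			if !matches(f, in) {
				ok = false
				break
			}
		}
		if ok {
			ids = append(ids, in.ID)
		}
	}
	return ids
}

// SampleFleet is constructed data, not a real DescribeInstances response.
func SampleFleet() []Instance {
	return []Instance{
		{ID: "i-0aaa", State: "running", Tags: map[string]string{"Environment": "prod", "Role": "db"}},
		{ID: "i-0bbb", State: "running", Tags: map[string]string{"Environment": "prod", "Role": "web"}},
		{ID: "i-0ccc", State: "stopped", Tags: map[string]string{"Environment": "prod", "Role": "db"}},
		{ID: "i-0ddd", State: "running", Tags: map[string]string{"Environment": "dev", "Role": "db"}},
	}
}

func main() {
	filters := []Filter{
		{Name: "tag:Environment", Values: []string{"prod"}},
		{Name: "tag:Role", Values: []string{"db"}},
		{Name: "instance-state-name", Values: []string{"running"}},
	}
	fmt.Println(SelectHosts(filters, SampleFleet())) // [i-0aaa]
}
```

Combining a tag filter with instance-state-name is the usual pattern: it keeps stopped or terminated instances out of the host set even when their tags still match.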

Getting Started

Storage Bucket

This plugin supports storing and fetching objects from Amazon S3.

Files created with this plugin are stored as objects defined by the bucket name and bucket prefix values configured in the storage bucket resource; these storage bucket resources can in turn be associated to targets within Boundary.

At creation, update, or deletion of a storage bucket of this type, the plugin is configured via the attribute and secret values passed to the create, update, or delete calls. The values passed to the plugin here are the attributes set on a storage bucket in Boundary.

The plugin fetches files through the GetObject call.

The plugin stores files through the PutObject call.

The plugin fetches metadata about the files through the HeadObject call.
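How the bucket name and bucket prefix combine into object keys for the PutObject, GetObject and HeadObject calls named above, as an added example that is not the plugin's code. The page does not describe the plugin's exact key layout; this model simply joins the prefix and a file name, and the Bucket type is a constructed in-memory stand-in for S3. The Key method adds a check a practitioner would want: a file name that would resolve outside the configured prefix is rejected instead of being written elsewhere in the bucket.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ObjectMeta is what a HeadObject-style call returns: enough to check an object
// without fetching its body.
type ObjectMeta struct {
	Key  string
	Size int64
}

// Bucket is a constructed in-memory stand-in for an S3 bucket.
type Bucket struct {
	Name    string
	Prefix  string
	objects map[string][]byte
}

var (
	ErrOutsidePrefix = errors.New("object key escapes the configured bucket prefix")
	ErrNotFound      = errors.New("object not found")
)

func NewBucket(name, prefix string) *Bucket {
	return &Bucket{Name: name, Prefix: strings.Trim(prefix, "/"), objects: map[string][]byte{}}
}

// Key builds the object key from the configured prefix and a file name.
// path.Join collapses "." and ".." segments; the result must still sit under
// the prefix, otherwise the name is refused.
func (b *Bucket) Key(name string) (string, error) {
	if name == "" {
		return "", errors.New("empty object name")
	}
	key := path.Join(b.Prefix, name)
	switch {
	case b.Prefix == "":
		if key == "." || key == ".." || strings.HasPrefix(key, "../") {
			return "", ErrOutsidePrefix
		}
	case key == b.Prefix:
		return "", errors.New("empty object name")
	case !strings.HasPrefix(key, b.Prefix+"/"):
		return "", ErrOutsidePrefix
	}
	return key, nil
}

// Put stores a file, like PutObject, and returns the key it was stored under.
func (b *Bucket) Put(name string, data []byte) (string, error) {
	key, err := b.Key(name)
	if err != nil {
		return "", err
	}
	b.objects[key] = append([]byte(nil), data...)
	return key, nil
}

// Head returns metadata only, like HeadObject.
func (b *Bucket) Head(name string) (ObjectMeta, error) {
	key, err := b.Key(name)
	if err != nil {
		return ObjectMeta{}, err
	}
	data, ok := b.objects[key]
	if !ok {
		return ObjectMeta{}, ErrNotFound
	}
	return ObjectMeta{Key: key, Size: int64(len(data))}, nil
}

// Get fetches the file body, like GetObject.
func (b *Bucket) Get(name string) ([]byte, error) {
	key, err := b.Key(name)
	if err != nil {
		return nil, err
	}
	data, ok := b.objects[key]
	if !ok {
		return nil, ErrNotFound
	}
	return append([]byte(nil), data...), nil
}

func main() {
	b := NewBucket("constructed-bucket", "sessions/") // constructed bucket name and prefix
	key, _ := b.Put("s_123/recording.dat", []byte("constructed payload"))
	meta, _ := b.Head("s_123/recording.dat")
	_, err := b.Put("../outside.dat", []byte("x"))
	fmt.Println(key, meta.Size, err)
}
```

S3 keys are plain strings with no directory semantics, so whether a name such as ../outside.dat ends up inside or outside the prefix depends entirely on how the client composes the key; the check in Key makes that decision explicit rather than leaving it to key normalisation.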

Getting Started