Cannot setup SSH Certificates as a Brokered Credentials Sources
Hello.
I cannot make certificate injection work either, so I tried certificate brokering. While trying to set up SSH Certificates as a Brokered Credentials Source with Terraform, the following error is triggered:
module.my_project.boundary_host_catalog_static.servers: Refreshing state... [id=hcst_M0SoS1sEC2]
module.my_project.boundary_credential_store_vault.foo: Refreshing state... [id=csvlt_HJ7VFn0jsm]
module.my_project.boundary_host_static.my_project: Refreshing state... [id=hst_e1TNApyv4v]
module.my_project.boundary_host_set_static.my_project: Refreshing state... [id=hsst_ZF5vWrXgBr]
module.my_project.boundary_target.ssh: Refreshing state... [id=ttcp_6L5Cr0OUss]
module.my_project.boundary_credential_library_vault_ssh_certificate.foo: Refreshing state... [id=clvsclt_nV8DMWuBcg]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.my_project.boundary_target.ssh will be updated in-place
  ~ resource "boundary_target" "ssh" {
      ~ brokered_credential_source_ids = [
          + "clvsclt_nV8DMWuBcg",
        ]
        id                             = "ttcp_6L5Cr0OUss"
        name                           = "ssh"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
module.my_project.boundary_target.ssh: Modifying... [id=ttcp_6L5Cr0OUss]
╷
│ Error: error updating credential sources in target: {"kind":"InvalidArgument","message":"Errors in provided fields.","details":{"request_fields":[{"name":"brokered_credential_source_ids","description":"Incorrectly formatted credential source identifier \"clvsclt_nV8DMWuBcg\"."}]}}
│
│   with module.my_project.boundary_target.ssh,
│   on example_project_my_project/main.tf line 57, in resource "boundary_target" "ssh":
│   57: resource "boundary_target" "ssh" {
│
A (similar?) error occurs when trying to achieve the same thing using the UI.
Here is the Terraform code:
variable "organization_id" {
}

resource "boundary_scope" "project" {
  name        = "project"
  description = "Projet project"
  # This parameter is the parent scope. It can be either the global scope, an
  # org-level scope, or a project-level scope.
  scope_id = var.organization_id
  # Using the auto_create_x_role flags can help you get set up faster
  # because you won't have to explicitly define these roles.
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_host_catalog_static" "servers" {
  scope_id = boundary_scope.project.id
}

resource "boundary_host_static" "project" {
  type            = "static"
  name            = "project"
  description     = "Machine project"
  address         = "192.168.0.10"
  host_catalog_id = boundary_host_catalog_static.servers.id
}

resource "boundary_host_set_static" "project" {
  type            = "static"
  name            = "project"
  description     = "Host set for project servers"
  host_catalog_id = boundary_host_catalog_static.servers.id
  host_ids        = [boundary_host_static.project.id]
}

resource "boundary_credential_store_vault" "foo" {
  name        = "foo"
  description = "My first Vault credential store!"
  address     = "http://vault:8200" # change to Vault address
  token       = "CENSORED"          # change to valid Vault token
  scope_id    = boundary_scope.project.id
}

resource "boundary_credential_library_vault_ssh_certificate" "foo" {
  name                = "foo"
  description         = "My first Vault SSH certificate credential library!"
  key_type            = "rsa"
  key_bits            = 4096
  credential_store_id = boundary_credential_store_vault.foo.id
  path                = "ssh/sign/boundary-client" # change to correct Vault endpoint and role
  username            = "root"                     # change to valid username
}

resource "boundary_target" "ssh" {
  type                     = "tcp"
  name                     = "ssh"
  description              = "SSH server"
  enable_session_recording = false
  scope_id                 = boundary_scope.project.id
  session_connection_limit = -1
  session_max_seconds      = 3600
  default_port             = 22
  host_source_ids = [
    boundary_host_set_static.project.id
  ]
  brokered_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.foo.id
  ]
  # injected_application_credential_source_ids = [
  #   boundary_credential_library_vault_ssh_certificate.foo.id
  # ]
}
Hi @shellwhale , thank you for reporting the issue. Did you try setting up SSH Certificates as a Brokered Credentials Sources without TF? Do you still see the same error?
Hello @sswati0, yes, as I said, I have a similar error happening with the web UI.
@sswati0 I don't think it is Terraform related.
Tried with the API on the latest version and the issue is still occurring.
Hi @shellwhale, unfortunately SSH certificates are not supported with brokered credentials currently. The recommended way is to use injected application credentials instead. This is something we currently do not have on our roadmap but I will leave this ticket open for community upvotes to get it prioritized. Otherwise if you run into issues with credential injection, feel free to share your configuration and we’d be happy to help. You can also refer to this guide for instructions on setting up certificate injection.
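The change the reply points at, written out as an added example (not code from the original post or from the Boundary project): a Vault SSH certificate library can only be attached through `injected_application_credential_source_ids`, and Boundary only injects credentials into targets of type `ssh` (an HCP Boundary / Boundary Enterprise feature). Resource names are reused from the post; the Vault signing role behind `ssh/sign/boundary-client` is assumed to already exist and to allow `root` as a principal.

```hcl
# Added example: the reporter's target rewritten for credential injection.
# A brokered source returns the secret to the end user, and Boundary rejects an
# SSH certificate library (clvsclt_* id) in brokered_credential_source_ids, which
# is the error above. With injection the worker presents the short-lived
# certificate to the host itself, so the signed key never leaves Boundary.

resource "boundary_credential_library_vault_ssh_certificate" "foo" {
  name                = "foo"
  credential_store_id = boundary_credential_store_vault.foo.id
  path                = "ssh/sign/boundary-client" # Vault SSH CA signing role (assumed to exist)
  username            = "root"
  key_type            = "rsa"
  key_bits            = 4096
}

resource "boundary_target" "ssh" {
  type                     = "ssh" # was "tcp" in the report; injection needs an SSH target
  name                     = "ssh"
  description              = "SSH server"
  scope_id                 = boundary_scope.project.id
  default_port             = 22
  session_connection_limit = -1
  session_max_seconds      = 3600

  host_source_ids = [boundary_host_set_static.project.id]

  # Injected rather than brokered: leave brokered_credential_source_ids unset.
  injected_application_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.foo.id
  ]
}
```

After `terraform apply`, `boundary targets read -id <target id>` should list the library under the target's injected application credential sources, and users reach the host with `boundary connect ssh -target-id <target id>` without ever seeing the certificate.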