
Multiple credential stores do not work in a single target; control visibility of credentials generated by multiple credential stores.

Open pratiyush05 opened this issue 2 years ago • 9 comments

Describe the bug: Added 2 credential libraries to a single target which has 2 hosts. While connecting to the hosts, Boundary used the same credential library.

https://user-images.githubusercontent.com/110039059/205293333-da2a0514-39cd-4255-9076-893bc5daa0bc.mp4

Target Service_1_mysql_DBs has 2 credential libraries, boundary-2-lib and nms-libs. The credential libraries have the following config:

  • nms-libs is for host nms_backend_DB.
  • boundary-2-lib is for host Mysql_Boundary_2.

Tried connecting to the hosts separately, but every time Boundary chose the same nms-libs credential library. Thus wrong credentials were generated.

To Reproduce: Steps to reproduce the behavior:

  1. Add 2 hosts to a host set.
  2. Add that host set to one target.
  3. Add 2 credential stores for the above two hosts.
  4. Add those 2 credential stores' libraries to the target.
  5. Try connecting to the hosts using the desktop app.

Expected behavior: Boundary should choose the correct credential store from those present in the target.

Suggestion: Allow adding a credential library to a host rather than to a target.

Please correct me if I am missing something while configuring the credential store. Thanks in advance.

Linked to query on the discuss forum: https://discuss.hashicorp.com/t/connect-to-a-target-on-non-default-port/25999/4

pratiyush05 avatar Dec 02 '22 12:12 pratiyush05

@pratiyush05 Thank you for using Boundary and helping us improve the product!

You mention having 2 credential sources, one for each host on your target. However, when multiple credential sources are added to a target, all the credential sources added are brokered to the user at the time of connect (there is no support to filter per host). In the video attached the screen is cut off, but I would expect that the second credential is below the first one. This should occur regardless of the host you are choosing when connecting. I tested this out on my side using static and dynamic Vault credentials and could see both credentials being brokered each time I connect to the target or select a specific host.

That being said, the two hosts you have added to the host set seem to be for different purposes, one for nms_backend_DB and the second for Mysql_Boundary_2; the suggested configuration here would be to create different targets for each of these. Splitting these up would therefore only broker the credentials you actually need for the connection. Is there a specific reason as to why you want to use a single target here?

louisruch avatar Dec 06 '22 17:12 louisruch

Hi @louisruch, thank you for clearing our doubt on the credential store's working. So credentials are brokered from every credential store present in that target, but only one of them works for the specific host to which we would like to connect. So the end-user must at least know the credential library name to know the correct credential out of the presented ones, or try each one of them one by one.

We used the same target as both are MySQL databases. They are using the same port on different machines. So we thought grouping them in a single host set and then in a single target would be more efficient.

We are planning to have two projects, production and staging, each containing the hosts of its respective environment. Inside each project, we will have different host catalogs for different services. Then we will group hosts which use the same port in one host set and add that host set to a single target. Please suggest if there is a better way for this arrangement.

pratiyush05 avatar Dec 06 '22 18:12 pratiyush05

@pratiyush05 Currently there is no method to filter which credentials are provided based on the host you are connecting to. If you want to only use a single target the user would need to know which credentials to use of the multiple credentials brokered. You could add more detail to the description of the credential library or you can move to using multiple targets. I will discuss internally with the team if this is something we want to support in the future.

louisruch avatar Dec 07 '22 17:12 louisruch

We will leave this open to see if we can get more interest for this feature. Thanks

psekar avatar Dec 14 '22 17:12 psekar

Hi @louisruch, thanks for helping us out on our previous doubts. We have worked that out to fit our case. We have another question related to multiple credential stores. We are trying to control the visibility of the different credentials that are created by multiple credential stores attached to a target for certain users. As in the attached screenshot (Screenshot 2023-04-25 at 7 52 41 PM), we have two credentials generated by two different credential store libraries, postgres_lib and write_lib; we would like to show only a single credential (let's say the one generated by postgres_lib) to our user. Is it possible to control such visibility? We have been searching for a way to control this visibility using grants provided in the role for that user, e.g. id=*;type=*;actions=authorize-session:(any-possible-subaction), to show only one credential generated by those multiple credential stores.

pratiyush05 avatar Apr 25 '23 14:04 pratiyush05

@pratiyush05 we currently do not provide the ability to control which credentials are returned based on user roles. All brokered credentials attached to a target will be returned at the time of authorizing a session. Our current advice is rather to create multiple targets and control visibility of credentials based on the user's access to the target. We have had similar requests in the past, so I will tag @AdamBouhmad from product in case he has any follow-up questions to ask about your use case.

louisruch avatar Apr 25 '23 14:04 louisruch
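The configuration recommended in the two replies above (one target per host, each brokering only its own credential library, and per-target grants to control which credential a user sees), as an added Terraform example that is not the project's or any participant's code. It assumes the Boundary Terraform provider with Vault credential libraries; the scope and store IDs, host addresses, Vault paths and user IDs are placeholders.

```hcl
variable "project_id"  { type = string } # existing project scope id (placeholder)
variable "vault_store" { type = string } # existing boundary_credential_store_vault id (placeholder)
locals {
  dbs = { # one entry per database host: address, library name, Vault path, allowed user
    "nms_backend_DB"   = { address = "10.0.0.10", lib = "nms-libs",       path = "database/creds/nms", user = "u_PLACEHOLDER_NMS" }
    "Mysql_Boundary_2" = { address = "10.0.0.11", lib = "boundary-2-lib", path = "database/creds/b2",  user = "u_PLACEHOLDER_B2" }
  }
}
resource "boundary_host_catalog_static" "mysql" {
  name     = "mysql"
  scope_id = var.project_id
}
resource "boundary_host_static" "db" {
  for_each        = local.dbs
  address         = each.value.address # constructed sample address
  host_catalog_id = boundary_host_catalog_static.mysql.id
}
# One host set per host, so each target resolves to exactly one machine.
resource "boundary_host_set_static" "db" {
  for_each        = local.dbs
  host_catalog_id = boundary_host_catalog_static.mysql.id
  host_ids        = [boundary_host_static.db[each.key].id]
}
resource "boundary_credential_library_vault" "db" {
  for_each            = local.dbs
  name                = each.value.lib
  credential_store_id = var.vault_store
  path                = each.value.path # hypothetical Vault role path for this host
}
# One target per host: only the library that fits this host is brokered at connect.
resource "boundary_target" "db" {
  for_each                       = local.dbs
  name                           = each.key
  type                           = "tcp"
  scope_id                       = var.project_id
  default_port                   = 3306
  host_source_ids                = [boundary_host_set_static.db[each.key].id]
  brokered_credential_source_ids = [boundary_credential_library_vault.db[each.key].id]
}
# Visibility: each role may authorize sessions only on its own target, so a user sees one credential.
resource "boundary_role" "db_users" {
  for_each      = local.dbs
  name          = "${each.key}-users"
  scope_id      = var.project_id
  principal_ids = [each.value.user]
  grant_strings = [
    "ids=*;type=target;actions=list,no-op",
    "ids=${boundary_target.db[each.key].id};type=target;actions=read,authorize-session",
  ]
}
```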

Thank you @louisruch for clearing our query again. Appreciate your speedy reply.

pratiyush05 avatar Apr 25 '23 14:04 pratiyush05

Hey @louisruch @AdamBouhmad, we have a use case to control the visibility of credentials for different sets of users. Is there a plan to build this feature in Boundary soon?

ankit-ls avatar May 02 '23 07:05 ankit-ls