```text
├── LICENSE
├── README.md
├── analyst.sql.hcl
├── boundary-controller-policy.hcl
├── dba.sql.hcl
├── northwind-database-policy.hcl
├── northwind-database.sql
├── northwind-roles.sql
└── worker.hcl
```

/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2021 HashiCorp, Inc.

Mozilla Public License Version 2.0
==================================

1. Definitions
--------------

1.1. "Contributor"
    means each individual or legal entity that creates, contributes to
    the creation of, or owns Covered Software.

1.2. "Contributor Version"
    means the combination of the Contributions of others (if any) used
    by a Contributor and that particular Contributor's Contribution.

1.3. "Contribution"
    means Covered Software of a particular Contributor.

1.4. "Covered Software"
    means Source Code Form to which the initial Contributor has attached
    the notice in Exhibit A, the Executable Form of such Source Code
    Form, and Modifications of such Source Code Form, in each case
    including portions thereof.

1.5. "Incompatible With Secondary Licenses"
    means

    (a) that the initial Contributor has attached the notice described
        in Exhibit B to the Covered Software; or

    (b) that the Covered Software was made available under the terms of
        version 1.1 or earlier of the License, but not also under the
        terms of a Secondary License.

1.6. "Executable Form"
    means any form of the work other than Source Code Form.

1.7. "Larger Work"
    means a work that combines Covered Software with other material, in
    a separate file or files, that is not Covered Software.

1.8. "License"
    means this document.

1.9. "Licensable"
    means having the right to grant, to the maximum extent possible,
    whether at the time of the initial grant or subsequently, any and
    all of the rights conveyed by this License.

1.10. "Modifications"
    means any of the following:

    (a) any file in Source Code Form that results from an addition to,
        deletion from, or modification of the contents of Covered
        Software; or

    (b) any new file in Source Code Form that contains any Covered
        Software.

1.11. "Patent Claims" of a Contributor
    means any patent claim(s), including without limitation, method,
    process, and apparatus claims, in any patent Licensable by such
    Contributor that would be infringed, but for the grant of the
    License, by the making, using, selling, offering for sale, having
    made, import, or transfer of either its Contributions or its
    Contributor Version.

1.12. "Secondary License"
    means either the GNU General Public License, Version 2.0, the GNU
    Lesser General Public License, Version 2.1, the GNU Affero General
    Public License, Version 3.0, or any later versions of those
    licenses.

1.13. "Source Code Form"
    means the form of the work preferred for making modifications.

1.14. "You" (or "Your")
    means an individual or a legal entity exercising rights under this
    License. For legal entities, "You" includes any entity that
    controls, is controlled by, or is under common control with You. For
    purposes of this definition, "control" means (a) the power, direct
    or indirect, to cause the direction or management of such entity,
    whether by contract or otherwise, or (b) ownership of more than
    fifty percent (50%) of the outstanding shares or beneficial
    ownership of such entity.

2. License Grants and Conditions
--------------------------------

2.1. Grants

Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:

(a) under intellectual property rights (other than patent or trademark)
    Licensable by such Contributor to use, reproduce, make available,
    modify, display, perform, distribute, and otherwise exploit its
    Contributions, either on an unmodified basis, with Modifications, or
    as part of a Larger Work; and

(b) under Patent Claims of such Contributor to make, use, sell, offer
    for sale, have made, import, and otherwise transfer either its
    Contributions or its Contributor Version.

2.2. Effective Date

The licenses granted in Section 2.1 with respect to any Contribution
become effective for each Contribution on the date the Contributor first
distributes such Contribution.

2.3. Limitations on Grant Scope

The licenses granted in this Section 2 are the only rights granted under
this License. No additional rights or licenses will be implied from the
distribution or licensing of Covered Software under this License.
Notwithstanding Section 2.1(b) above, no patent license is granted by a
Contributor:

(a) for any code that a Contributor has removed from Covered Software;
    or

(b) for infringements caused by: (i) Your and any other third party's
    modifications of Covered Software, or (ii) the combination of its
    Contributions with other software (except as part of its Contributor
    Version); or

(c) under Patent Claims infringed by Covered Software in the absence of
    its Contributions.

This License does not grant any rights in the trademarks, service marks,
or logos of any Contributor (except as may be necessary to comply with
the notice requirements in Section 3.4).

2.4. Subsequent Licenses

No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this
License (see Section 10.2) or under the terms of a Secondary License (if
permitted under the terms of Section 3.3).

2.5. Representation

Each Contributor represents that the Contributor believes its
Contributions are its original creation(s) or it has sufficient rights
to grant the rights to its Contributions conveyed by this License.

2.6. Fair Use

This License is not intended to limit any rights You have under
applicable copyright doctrines of fair use, fair dealing, or other
equivalents.

2.7. Conditions

Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
in Section 2.1.

3. Responsibilities
-------------------

3.1. Distribution of Source Form

All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under
the terms of this License. You must inform recipients that the Source
Code Form of the Covered Software is governed by the terms of this
License, and how they can obtain a copy of this License. You may not
attempt to alter or restrict the recipients' rights in the Source Code
Form.

3.2. Distribution of Executable Form

If You distribute Covered Software in Executable Form then:

(a) such Covered Software must also be made available in Source Code
    Form, as described in Section 3.1, and You must inform recipients of
    the Executable Form how they can obtain a copy of such Source Code
    Form by reasonable means in a timely manner, at a charge no more
    than the cost of distribution to the recipient; and

(b) You may distribute such Executable Form under the terms of this
    License, or sublicense it under different terms, provided that the
    license for the Executable Form does not attempt to limit or alter
    the recipients' rights in the Source Code Form under this License.

3.3. Distribution of a Larger Work

You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for
the Covered Software. If the Larger Work is a combination of Covered
Software with a work governed by one or more Secondary Licenses, and the
Covered Software is not Incompatible With Secondary Licenses, this
License permits You to additionally distribute such Covered Software
under the terms of such Secondary License(s), so that the recipient of
the Larger Work may, at their option, further distribute the Covered
Software under the terms of either this License or such Secondary
License(s).

3.4. Notices

You may not remove or alter the substance of any license notices
(including copyright notices, patent notices, disclaimers of warranty,
or limitations of liability) contained within the Source Code Form of
the Covered Software, except that You may alter any license notices to
the extent required to remedy known factual inaccuracies.

3.5. Application of Additional Terms

You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on
behalf of any Contributor. You must make it absolutely clear that any
such warranty, support, indemnity, or liability obligation is offered by
You alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.

4. Inability to Comply Due to Statute or Regulation
---------------------------------------------------

If it is impossible for You to comply with any of the terms of this
License with respect to some or all of the Covered Software due to
statute, judicial order, or regulation then You must: (a) comply with
the terms of this License to the maximum extent possible; and (b)
describe the limitations and the code they affect. Such description must
be placed in a text file included with all distributions of the Covered
Software under this License. Except to the extent prohibited by statute
or regulation, such description must be sufficiently detailed for a
recipient of ordinary skill to be able to understand it.

5. Termination
--------------

5.1. The rights granted under this License will terminate automatically
if You fail to comply with any of its terms. However, if You become
compliant, then the rights granted under this License from a particular
Contributor are reinstated (a) provisionally, unless and until such
Contributor explicitly and finally terminates Your grants, and (b) on an
ongoing basis, if such Contributor fails to notify You of the
non-compliance by some reasonable means prior to 60 days after You have
come back into compliance. Moreover, Your grants from a particular
Contributor are reinstated on an ongoing basis if such Contributor
notifies You of the non-compliance by some reasonable means, this is the
first time You have received notice of non-compliance with this License
from such Contributor, and You become compliant prior to 30 days after
Your receipt of the notice.

5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions,
counter-claims, and cross-claims) alleging that a Contributor Version
directly or indirectly infringes any patent, then the rights granted to
You by any and all Contributors for the Covered Software under Section
2.1 of this License shall terminate.

5.3. In the event of termination under Sections 5.1 or 5.2 above, all
end user license agreements (excluding distributors and resellers) which
have been validly granted by You or Your distributors under this License
prior to termination shall survive termination.

6. Disclaimer of Warranty
-------------------------

Covered Software is provided under this License on an "as is"
basis, without warranty of any kind, either expressed, implied, or
statutory, including, without limitation, warranties that the
Covered Software is free of defects, merchantable, fit for a
particular purpose or non-infringing. The entire risk as to the
quality and performance of the Covered Software is with You.
Should any Covered Software prove defective in any respect, You
(not any Contributor) assume the cost of any necessary servicing,
repair, or correction. This disclaimer of warranty constitutes an
essential part of this License. No use of any Covered Software is
authorized under this License except under this disclaimer.

7. Limitation of Liability
--------------------------

Under no circumstances and under no legal theory, whether tort
(including negligence), contract, or otherwise, shall any
Contributor, or anyone who distributes Covered Software as
permitted above, be liable to You for any direct, indirect,
special, incidental, or consequential damages of any character
including, without limitation, damages for lost profits, loss of
goodwill, work stoppage, computer failure or malfunction, or any
and all other commercial damages or losses, even if such party
shall have been informed of the possibility of such damages. This
limitation of liability shall not apply to liability for death or
personal injury resulting from such party's negligence to the
extent applicable law prohibits such limitation. Some
jurisdictions do not allow the exclusion or limitation of
incidental or consequential damages, so this exclusion and
limitation may not apply to You.

8. Litigation
-------------

Any litigation relating to this License may be brought only in the
courts of a jurisdiction where the defendant maintains its principal
place of business and such litigation shall be governed by laws of that
jurisdiction, without reference to its conflict-of-law provisions.
Nothing in this Section shall prevent a party's ability to bring
cross-claims or counter-claims.

9. Miscellaneous
----------------

This License represents the complete agreement concerning the subject
matter hereof. If any provision of this License is held to be
unenforceable, such provision shall be reformed only to the extent
necessary to make it enforceable. Any law or regulation which provides
that the language of a contract shall be construed against the drafter
shall not be used to construe this License against a Contributor.

10. Versions of the License
---------------------------

10.1. New Versions

Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.

10.2. Effect of New Versions

You may distribute the Covered Software under the terms of the version
of the License under which You originally received the Covered Software,
or under the terms of any subsequent version published by the license
steward.

10.3. Modified Versions

If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a
modified version of this License if you rename the license and remove
any references to the name of the license steward (except to note that
such modified license differs from this License).

10.4. Distributing Source Code Form that is Incompatible With Secondary
Licenses

If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.

Exhibit A - Source Code Form License Notice
-------------------------------------------

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

If it is not possible or desirable to put the notice in a particular
file, then You may include the notice in a location (such as a LICENSE
file in a relevant directory) where a recipient would be likely to look
for such a notice.

You may add additional accurate notices of copyright ownership.

Exhibit B - "Incompatible With Secondary Licenses" Notice
---------------------------------------------------------

This Source Code Form is "Incompatible With Secondary Licenses", as
defined by the Mozilla Public License, v. 2.0.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Boundary and Vault Integration Quickstart

New repo here: https://github.com/hashicorp-education/learn-boundary-vault-quickstart

This directory contains an example deployment of Boundary using docker-compose and Terraform. The lab environment is meant to accompany the HashiCorp Learn [Boundary Vault integration quickstart tutorial](https://learn.hashicorp.com/tutorials/boundary/vault-cred-brokering-quickstart).

In this example, a demo PostgreSQL database target is deployed. A dev Vault server is then configured with the database secrets engine and with policies that allow Boundary to request credentials for two roles, a DBA and an "analyst". Boundary is then run in dev mode, and the DBA and analyst targets are configured with a credential store that holds a credential library for each target. This enables credential brokering via Vault, which is demonstrated with the `boundary connect postgres` command.

1. Set up the PostgreSQL Northwind demo database
2. Set up Vault
3. Set up Boundary
4. Use Boundary to connect to the Northwind demo database

## Set up the PostgreSQL Northwind demo database

```shell
export PG_DB="northwind"; export PG_URL="postgres://postgres:secret@localhost:16001/${PG_DB}?sslmode=disable"
docker run -d -e POSTGRES_PASSWORD=secret -e POSTGRES_DB="${PG_DB}" --name ${PG_DB} -p 16001:5432 postgres
psql -d $PG_URL -f northwind-database.sql
psql -d $PG_URL -f northwind-roles.sql
```

## Set up Vault

### Run Vault in dev mode

```shell
export VAULT_ADDR="http://127.0.0.1:8200"; export VAULT_TOKEN="groot"
vault server -dev -dev-root-token-id=${VAULT_TOKEN}
```

### Create the boundary-controller policy

```shell
vault policy write boundary-controller boundary-controller-policy.hcl
```

### Configure the database secrets engine

1. Enable the database secrets engine:

   ```shell
   vault secrets enable database
   ```

1. Configure Vault with the proper plugin and connection information:

   ```shell
   vault write database/config/northwind \
       plugin_name=postgresql-database-plugin \
       connection_url="postgresql://{{username}}:{{password}}@localhost:16001/postgres?sslmode=disable" \
       allowed_roles=dba,analyst \
       username="vault" \
       password="vault-password"
   ```

1. Create the DBA role, whose credentials are created with the statements in `dba.sql.hcl`:

   ```shell
   vault write database/roles/dba \
       db_name=northwind \
       creation_statements=@dba.sql.hcl \
       default_ttl=3m \
       max_ttl=60m
   ```

   Request DBA credentials from Vault to confirm:

   ```shell
   vault read database/creds/dba
   ```

1. Create the analyst role, whose credentials are created with the statements in `analyst.sql.hcl`:

   ```shell
   vault write database/roles/analyst \
       db_name=northwind \
       creation_statements=@analyst.sql.hcl \
       default_ttl=3m \
       max_ttl=60m
   ```

   Request analyst credentials from Vault to confirm:

   ```shell
   vault read database/creds/analyst
   ```

### Create the northwind-database policy

```shell
vault policy write northwind-database northwind-database-policy.hcl
```

### Create a Vault token for the Boundary credential store

```shell
vault token create \
    -no-default-policy=true \
    -policy="boundary-controller" \
    -policy="northwind-database" \
    -orphan=true \
    -period=20m \
    -renewable=true
```

## Set up Boundary

### Run Boundary in dev mode

```shell
boundary dev
```

### Authenticate to Boundary

```shell
boundary authenticate password \
    -auth-method-id=ampw_1234567890 \
    -login-name=admin \
    -password=password
```

### Configure the database target

#### Option 1: Edit the existing target

```shell
boundary targets update tcp -id=ttcp_1234567890 -default-port=16001
```

#### Option 2: Create new targets

1. Create a target for the analyst:

   ```shell
   boundary targets create tcp \
       -scope-id "p_1234567890" \
       -default-port=16001 \
       -session-connection-limit=-1 \
       -name "Northwind Analyst Database"
   ```

   ID: `ttcp_MugI59YN6b`

1. Create a target for the DBA:

   ```shell
   boundary targets create tcp \
       -scope-id "p_1234567890" \
       -default-port=16001 \
       -session-connection-limit=-1 \
       -name "Northwind DBA Database"
   ```

   ID: `ttcp_4J24foaobT`

1. Add the host set to both targets:

   ```shell
   boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_MugI59YN6b
   boundary targets add-host-sets -host-set=hsst_1234567890 -id=ttcp_4J24foaobT
   ```

### Connect to the database

```shell
boundary connect postgres -target-id ttcp_1234567890 -username postgres
```

The password is `secret`.

### Create the Vault credential store

```shell
# -vault-token is the token created under "Create a Vault token for the Boundary credential store"
boundary credential-stores create vault -scope-id "p_1234567890" \
    -vault-address "http://127.0.0.1:8200" \
    -vault-token "s.kGa7MXH1YXvrFWNunGgppnnk"
```

### Create credential libraries

1. Create the library for analyst credentials:

   ```shell
   # CS_ID is the credential store ID returned by the previous command
   boundary credential-libraries create vault \
       -credential-store-id ${CS_ID} \
       -vault-path "database/creds/analyst" \
       -name "northwind analyst"
   ```

   Analyst library ID: `clvlt_3zCNiY66lG`

1. Create the library for DBA credentials:

   ```shell
   boundary credential-libraries create vault \
       -credential-store-id ${CS_ID} \
       -vault-path "database/creds/dba" \
       -name "northwind dba"
   ```

   DBA library ID: `clvlt_vaaDNUTZmi`

### Add the credential libraries to the targets

1. Analyst target:

   ```shell
   boundary targets add-credential-libraries \
       -id=ttcp_MugI59YN6b \
       -application-credential-library=clvlt_3zCNiY66lG
   ```

1. DBA target:

   ```shell
   boundary targets add-credential-libraries \
       -id=ttcp_4J24foaobT \
       -application-credential-library=clvlt_vaaDNUTZmi
   ```

## Use Boundary to connect to the Northwind demo database

1. Analyst target:

   ```shell
   boundary connect postgres -target-id ttcp_MugI59YN6b -dbname northwind
   ```

--------------------------------------------------------------------------------

/analyst.sql.hcl:
--------------------------------------------------------------------------------
```sql
-- Copyright (c) HashiCorp, Inc.
-- SPDX-License-Identifier: MPL-2.0

-- Vault's PostgreSQL plugin substitutes {{name}}, {{password}} and {{expiration}}
-- for each dynamic credential it issues. The new login role INHERITs the grants
-- of the northwind_analyst group role defined in northwind-roles.sql.
create role "{{name}}"
  with login password '{{password}}'
  valid until '{{expiration}}' inherit;
grant northwind_analyst to "{{name}}";
```

--------------------------------------------------------------------------------

/boundary-controller-policy.hcl:
--------------------------------------------------------------------------------
```hcl
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Token self-management: Boundary inspects, renews and revokes its own token.
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}

path "auth/token/revoke-self" {
  capabilities = ["update"]
}

# Lease management for the dynamic credentials Boundary brokers.
path "sys/leases/renew" {
  capabilities = ["update"]
}

path "sys/leases/revoke" {
  capabilities = ["update"]
}

# Lets Boundary check which capabilities its own token has.
path "sys/capabilities-self" {
  capabilities = ["update"]
}
```

--------------------------------------------------------------------------------

/dba.sql.hcl:
--------------------------------------------------------------------------------
```sql
-- Copyright (c) HashiCorp, Inc.
-- SPDX-License-Identifier: MPL-2.0

-- Same template as analyst.sql.hcl, but the dynamic role is granted
-- the northwind_dba group role instead.
create role "{{name}}"
  with login password '{{password}}'
  valid until '{{expiration}}' inherit;
grant northwind_dba to "{{name}}";
```

--------------------------------------------------------------------------------

/northwind-database-policy.hcl:
--------------------------------------------------------------------------------
```hcl
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Read-only access to the two credential endpoints; no access to
# database/config or database/roles.
path "database/creds/analyst" {
  capabilities = ["read"]
}

path "database/creds/dba" {
  capabilities = ["read"]
}
```

--------------------------------------------------------------------------------

/northwind-roles.sql:
--------------------------------------------------------------------------------
```sql
-- Copyright (c) HashiCorp, Inc.
-- SPDX-License-Identifier: MPL-2.0

begin;

-- Drop the default grant that lets every role use the public schema.
revoke all on schema public from public;

-- Read-only group role for dynamic analyst credentials. The table grant
-- covers tables that exist now, not tables created later.
create role northwind_analyst noinherit;
grant usage on schema public to northwind_analyst;
grant select on all tables in schema public to northwind_analyst;
grant usage on all sequences in schema public to northwind_analyst;
grant execute on all functions in schema public to northwind_analyst;

-- Group role for dynamic DBA credentials. ALL PRIVILEGES on a database means
-- the database-level privileges (CONNECT, CREATE, TEMP), not table privileges.
create role northwind_dba noinherit;
grant all privileges on database northwind to northwind_dba;

-- CREATE ROLE admin WITH CREATEDB CREATEROLE;
-- create database vault owner vault;
-- grant all privileges on database vault to vault;
-- alter user vault password 'vault-password';
-- alter role vault with superuser;

-- Vault: the root role the database secrets engine connects as to create
-- and expire dynamic roles (superuser for this demo).
create role vault with superuser login createrole password 'vault-password';
commit;
```

--------------------------------------------------------------------------------

/worker.hcl:
--------------------------------------------------------------------------------
```hcl
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

disable_mlock = true

hcp_boundary_cluster_id = ""

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  auth_storage_path = "/boundary/worker1"
  tags {
    type = ["worker", "vault"]
  }
}
```

--------------------------------------------------------------------------------
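As an added example (not code from the quickstart repository), the script below models how Vault merges the two policies above into the effective capabilities of the credential-store token and lints the result for anything beyond read on the two credential endpoints plus token self-management; the parser handles only the `path { capabilities }` form these files use, the evaluator is a simplified model of Vault's matching (exact path or trailing-`*` glob, longest match wins, `deny` wins), and the over-broad policy is constructed to show what the check flags.

```python
"""Least-privilege check for the Vault token behind the Boundary credential store.

Added example for this quickstart, not code from the HashiCorp repository. The two
policy files from the repo are reproduced inline (reflowed to one rule per line).
The parser handles only the `path "..." { capabilities = [...] }` form they use and
the evaluator is a simplified model of Vault's policy matching, so this is a review
aid, not a Vault reimplementation.
"""
import re

# Reproduced from boundary-controller-policy.hcl: token self-management and leases.
BOUNDARY_CONTROLLER_POLICY = """
path "auth/token/lookup-self"   { capabilities = ["read"] }
path "auth/token/renew-self"    { capabilities = ["update"] }
path "auth/token/revoke-self"   { capabilities = ["update"] }
path "sys/leases/renew"         { capabilities = ["update"] }
path "sys/leases/revoke"        { capabilities = ["update"] }
path "sys/capabilities-self"    { capabilities = ["update"] }
"""

# Reproduced from northwind-database-policy.hcl: read on the two credential endpoints.
NORTHWIND_DATABASE_POLICY = """
path "database/creds/analyst" { capabilities = ["read"] }
path "database/creds/dba"     { capabilities = ["read"] }
"""

# Constructed over-broad variant, used below to show what the check flags.
OVERBROAD_POLICY = """
path "database/*" { capabilities = ["read", "list", "update"] }
"""

PATH_BLOCK = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(text):
    """Return {path: set(capabilities)} for the simple policy subset above."""
    rules = {}
    for path, caps in PATH_BLOCK.findall(text):
        rules.setdefault(path, set()).update(
            c.strip().strip('"') for c in caps.split(",") if c.strip())
    return rules


def merge_policies(*policies):
    """A token holding several policies gets the union of their capabilities."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            merged.setdefault(path, set()).update(caps)
    return merged


def allowed(rules, request_path, capability):
    """Simplified Vault check: the longest matching rule decides; deny overrides."""
    matching = [p for p in rules
                if (p.endswith("*") and request_path.startswith(p[:-1])) or p == request_path]
    if not matching:
        return False
    caps = rules[max(matching, key=len)]
    return "deny" not in caps and capability in caps


# What the Boundary credential-store token legitimately needs.
SELF_MANAGEMENT_PREFIXES = ("auth/token/", "sys/leases/", "sys/capabilities-self")
CREDENTIAL_PATHS = {"database/creds/analyst", "database/creds/dba"}


def lint(rules):
    """Return findings for anything beyond credential read + token self-management."""
    findings = []
    for path, caps in sorted(rules.items()):
        if "*" in path or "+" in path:
            findings.append(f"{path}: wildcard path; credential paths should be explicit")
        elif path in CREDENTIAL_PATHS and caps != {"read"}:
            findings.append(f"{path}: expected read only, got {sorted(caps)}")
        elif path not in CREDENTIAL_PATHS and not path.startswith(SELF_MANAGEMENT_PREFIXES):
            findings.append(f"{path}: unexpected path for a credential-store token")
        elif not caps <= {"read", "update"}:
            findings.append(f"{path}: capabilities {sorted(caps)} exceed read/update")
    return findings


# Effective rules of the token created with both policies in the README.
TOKEN_RULES = merge_policies(parse_policy(BOUNDARY_CONTROLLER_POLICY),
                             parse_policy(NORTHWIND_DATABASE_POLICY))

if __name__ == "__main__":
    print("token can read dba creds:", allowed(TOKEN_RULES, "database/creds/dba", "read"))
    print("token can edit dba role: ", allowed(TOKEN_RULES, "database/roles/dba", "update"))
    print("findings:", lint(TOKEN_RULES) or "none")
    overbroad = merge_policies(TOKEN_RULES, parse_policy(OVERBROAD_POLICY))
    print("over-broad findings:", lint(overbroad))
```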