Managing Principals (Users and Groups)

Users and Groups in Boundary are collectively known as principals. Assigning grants on Roles is performed through principal IDs; that is, the unique IDs of either users, groups, or both.

This page will walk you through managing users within Boundary. (Groups will be added at a later time.)

Users

Users in Boundary represent an internal notion of a particular entity (human, machine, etc.). Users can be correlated with one or more Account resources via Auth Methods. Accounts represent external notions of a particular entity. Among other use-cases, this mechanism allows for an easy way to switch users to new IdPs within the organization deploying Boundary.

In this example, we’re going to show you how to create an account and user for an auth method so that the user can log in to Boundary. Because an auth method can exist at either the org or the global scope, we’re going to create an org-scoped auth method in the default generated org of a dev mode server. (If you’re not running dev mode, you’ll need to substitute the appropriate generated IDs in the steps below.)

Currently, all auth methods auto-vivify users on authentication; that is, on successful authentication against an account, if there is no user already linked with that account, a user will be automatically created. This may be a nice time-saver, but in other situations (such as when you want Terraform to fully describe the Boundary resources) this may be undesirable, so the steps below walk you through manually making these resources and linking them. A future Boundary update will allow turning off auto-vivification on a per-auth-method basis.

Create an Auth Method

Create a password-type auth method in the generated default org:


    $ boundary auth-methods create password -scope-id o_1234567890 -name org_auth_method -description 'Org auth method'

    Auth Method information:
      Created Time:        Tue, 29 Sep 2020 08:32:04 PDT
      Description:         Org auth method
      ID:                  ampw_PbE6nNT72a
      Name:                org_auth_method
      Type:                password
      Updated Time:        Tue, 29 Sep 2020 08:32:04 PDT
      Version:             1

      Scope:
        ID:                o_1234567890
        Name:              Generated org scope
        Parent Scope ID:   global
        Type:              org

      Attributes:
        Minimum Login Name Length:   3
        Minimum Password Length:     8

Create Account

Create an account for the org-scoped auth method. Note that by default, login names must be all-lowercase alphanumeric strings of at least 3 characters, and passwords must be 8 or more characters. (Both minimum lengths can be changed in the auth method's attributes, if desired.)


    $ boundary accounts create password -auth-method-id ampw_PbE6nNT72a -login-name 'myuser' -password supersecure -name my_account -description 'My password account'

    Account information:
      Auth Method ID:      ampw_PbE6nNT72a
      Created Time:        Tue, 29 Sep 2020 08:35:02 PDT
      Description:         My password account
      ID:                  acctpw_BOn3EcqQfe
      Name:                my_account
      Type:                password
      Updated Time:        Tue, 29 Sep 2020 08:35:02 PDT
      Version:             1

      Scope:
        ID:                o_1234567890
        Name:              Generated org scope
        Parent Scope ID:   global
        Type:              org

      Attributes:
        Login Name:        myuser

Create a User

Next, create a user at the org scope.


First, create the user resource:

    $ boundary users create -name "myuser" -description "My user resource" -scope-id o_1234567890

    User information:
      Created Time:        Tue, 29 Sep 2020 06:37:12 PDT
      Description:         My user resource
      ID:                  u_yXhZpt5PX3
      Name:                myuser
      Updated Time:        Tue, 29 Sep 2020 06:37:12 PDT
      Version:             1

      Scope:
        ID:                o_1234567890
        Name:              Generated org scope
        Parent Scope ID:   global
        Type:              org

Then associate the user with the account previously created:

    $ boundary users set-accounts -id u_yXhZpt5PX3 -account acctpw_BOn3EcqQfe

    User information:
      Created Time:        Tue, 29 Sep 2020 08:43:43 PDT
      Description:         My org user
      ID:                  u_yXhZpt5PX3
      Name:                my_user
      Updated Time:        Tue, 29 Sep 2020 08:54:11 PDT
      Version:             2

      Scope:
        ID:                o_1234567890
        Name:              Generated org scope
        Parent Scope ID:   global
        Type:              org

      Accounts:
        ID:                acctpw_BOn3EcqQfe
        Scope ID:          o_1234567890

Login

Now you can test logging in.


    $ boundary authenticate password -login-name myuser -password supersecure -auth-method-id ampw_PbE6nNT72a
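The whole procedure above (auth method, account, user, then linking the account to the user) scripted against the CLI, as an added example that is not code from the Boundary documentation or project. It assumes that each command's `-format json` output carries the created resource under an "item" object with an "id" field, which is what the script parses. The login-name and password checks mirror the defaults of the auth method created above; the RecordingRunner, the helper names, and the reuse of this page's IDs as stand-in return values are constructed so the script can be dry-run offline.

```python
"""Drive the Boundary CLI to create an account and a user and link them.

Added example, not code from the Boundary docs or project. The CLI's
`-format json` output is assumed to place the created resource under
"item" with an "id" field.
"""
import json
import re
import subprocess
from typing import Callable, Dict, List, Sequence

# Defaults of the password auth method as shown on this page.
MIN_LOGIN_NAME_LEN = 3
MIN_PASSWORD_LEN = 8
_LOGIN_NAME_RE = re.compile(r"[a-z0-9]+")  # all-lowercase alphanumeric

Runner = Callable[[Sequence[str]], str]


def validate_login_name(login_name: str, min_len: int = MIN_LOGIN_NAME_LEN) -> bool:
    """Apply the login-name rule stated on the page before calling the CLI."""
    return len(login_name) >= min_len and _LOGIN_NAME_RE.fullmatch(login_name) is not None


def validate_password(password: str, min_len: int = MIN_PASSWORD_LEN) -> bool:
    """Apply the auth method's minimum password length."""
    return len(password) >= min_len


def run_cli(argv: Sequence[str]) -> str:
    """Execute one boundary command without a shell and return its stdout.

    No shell means the password is passed as a single argv element rather
    than interpolated; it remains visible in process listings while running.
    """
    return subprocess.run(list(argv), check=True, capture_output=True, text=True).stdout


def item_id(cli_json: str) -> str:
    """Pull the new resource ID out of `-format json` output (assumed shape)."""
    return json.loads(cli_json)["item"]["id"]


class RecordingRunner:
    """Offline stand-in for run_cli: records argv and returns constructed IDs."""

    # Constructed responses that reuse the IDs appearing on this page.
    FAKE_IDS = {"auth-methods": "ampw_PbE6nNT72a",
                "accounts": "acctpw_BOn3EcqQfe",
                "users": "u_yXhZpt5PX3"}

    def __init__(self) -> None:
        self.calls: List[List[str]] = []

    def __call__(self, argv: Sequence[str]) -> str:
        self.calls.append(list(argv))
        return json.dumps({"status_code": 200, "item": {"id": self.FAKE_IDS[argv[1]]}})


def create_auth_method(scope_id: str, name: str, runner: Runner = run_cli) -> str:
    """Step 1: one password auth method per org, shared by all of its accounts."""
    out = runner(["boundary", "auth-methods", "create", "password",
                  "-scope-id", scope_id, "-name", name, "-format", "json"])
    return item_id(out)


def provision_user(auth_method_id: str, scope_id: str, login_name: str,
                   password: str, runner: Runner = run_cli) -> Dict[str, str]:
    """Steps 2-4: create the account, create the user, link account to user.

    Creating the user explicitly instead of relying on auto-vivification at
    first login makes the user ID known in advance, e.g. for role grants.
    """
    if not validate_login_name(login_name):
        raise ValueError(f"login name must be lowercase alphanumeric, >= {MIN_LOGIN_NAME_LEN} chars")
    if not validate_password(password):
        raise ValueError(f"password must be >= {MIN_PASSWORD_LEN} chars")
    account_id = item_id(runner(["boundary", "accounts", "create", "password",
                                 "-auth-method-id", auth_method_id,
                                 "-login-name", login_name, "-password", password,
                                 "-format", "json"]))
    user_id = item_id(runner(["boundary", "users", "create", "-scope-id", scope_id,
                              "-name", login_name, "-format", "json"]))
    runner(["boundary", "users", "set-accounts", "-id", user_id,
            "-account", account_id, "-format", "json"])
    return {"auth_method_id": auth_method_id, "account_id": account_id, "user_id": user_id}


if __name__ == "__main__":
    # Dry run with constructed IDs; pass runner=run_cli against a dev-mode server instead.
    rec = RecordingRunner()
    am = create_auth_method("o_1234567890", "org_auth_method", runner=rec)
    print(provision_user(am, "o_1234567890", "myuser", "supersecure", runner=rec))
    for call in rec.calls:
        print(" ".join(call))
```

Run as-is to see the four commands in dependency order without touching a server; swap in `run_cli` to execute them for real. The dry run prints the password because it is an argv element, which is also why the page's `-password supersecure` ends up in shell history and process listings; for the final step, `boundary authenticate password` prompts for the password when `-password` is omitted, which avoids putting it on the command line at all.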