ssh Target Type With Credential Injection (HCP Boundary only): Boundary has
gained a new ssh target type. Using this type, username/password or SSH
private key credentials can be sourced from Vault credential libraries or
static credentials and injected into the SSH session between a client and
end host. This allows users to securely SSH to remote hosts while never being
in possession of a valid credential for that target host.

ssh_private_key credential type
that allows submitting a username/private key (and optional passphrase) to
Boundary for use with credential injection or brokering workflows.

boundary connect ssh Credential Brokering Enhancements: We have extended
support into the boundary connect ssh helper for brokered credentials of
ssh_private_key type; the command will automatically pass the credentials to
the ssh process (PR).

boundary authenticate, boundary accounts: Enables use of env:// and
file:// syntax to specify the location of a password
(PR)

boundary dev, boundary server
and boundary database init
(Issue,
PR).

boundary accounts change-password: Fixed being prompted for confirmation of
the current password instead of the new one
(PR)

-token flag in CLI: Passing a token this way can
reveal the token to any user or service that can look at process information.
This flag must now reference a file on disk or an env var. Direct usage of the
BOUNDARY_TOKEN env var is also deprecated as it can show up in environment
information; the env:// format now supported by the -token flag causes the
Boundary process to read it instead of the shell, so it is safer.
(PR)

-password flag in CLI: The same change made above for
-token has also been applied to -password or, for supporting resource
types, -current-password and -new-password.
(PR)

Fetched April 8, 2026
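
The exposure described in the -token and -password entries above can be audited on a host. This added example (not Boundary's own code) parses argument lists in /proc/<pid>/cmdline layout and reports boundary invocations that give these flags a literal value instead of an env:// or file:// reference. The sample command lines, IDs and secrets are constructed, and the `-flag=value` form is assumed to be accepted alongside `-flag value`.

```python
# Flags named in the changelog entries above; any other value scheme is a literal.
SECRET_FLAGS = {"token", "password", "current-password", "new-password"}
SAFE_SCHEMES = ("env://", "file://")


def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated, NUL-terminated)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def direct_secret_flags(argv: list[str]) -> list[str]:
    """Return secret flags whose value is a literal rather than env:// or file://."""
    findings, i = [], 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        name, sep, value = arg.lstrip("-").partition("=")
        if not arg.startswith("-") or name not in SECRET_FLAGS:
            continue
        if not sep:  # "-flag value" form: the value is the next argument
            if i >= len(argv):
                continue  # flag given without a value, nothing exposed
            value = argv[i]
            i += 1
        if not value.startswith(SAFE_SCHEMES):
            findings.append("-" + name)
    return findings


def audit(cmdlines: dict[int, bytes]) -> dict[int, list[str]]:
    """Map pid -> offending flags for each process running a 'boundary' binary."""
    report = {}
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        if argv and argv[0].rsplit("/", 1)[-1] == "boundary":
            hits = direct_secret_flags(argv[1:])
            if hits:
                report[pid] = hits
    return report


# Constructed sample data; the token, password and account ID are made up.
SAMPLE = {
    101: b"boundary\0targets\0list\0-token\0env://BOUNDARY_TOKEN\0",
    102: b"/usr/bin/boundary\0targets\0list\0-token=at_EXAMPLE_constructed\0",
    103: b"boundary\0authenticate\0password\0-password\0file:///run/secrets/pw\0",
    104: b"boundary\0accounts\0change-password\0-id\0acctpw_EXAMPLE\0"
         b"-current-password\0hunter2\0-new-password\0env://NEW_PW\0",
    105: b"ssh\0-token\0literal\0",  # not a boundary process, ignored
}
```

On a live Linux host the same `audit` function can be fed the contents of each readable /proc/<pid>/cmdline file in place of `SAMPLE`.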