releases.shpreview
HashiCorp/Boundary/v0.4.0

v0.4.0

June 30, 2021BoundaryView original ↗
$npx -y @buildinternet/releases show rel_X8DBwzOBvpLyqJuwWIF-J

0.4.0 (2021/06/29)

New and Improved

  • Credential Stores: This release introduces Credential Stores, with the first implementation targeting Vault. A credential store can be created that accepts a Vault periodic token (which it will keep refreshed) and connection information allowing it to make requests to Vault.
  • Credential Libraries: This release introduces Credential Libraries, with the first implementation targeting Vault. Credential libraries describe how to make a request to fetch a credential from the credential store. The first credential library is the generic type that takes in a user-defined request body to send to Vault and thus can work for any type of Vault secrets engine. When a credential library is used to fetch a credential, if the credential contains a lease, Boundary will keep the credential refreshed, and revoke the credential when the session that requested it is finished.
  • Credential Brokering: Credential libraries can be attached to targets; when a session is authorized against that target, a credential will be fetched from the library that is then relayed to the client. The client can then use this information to make a connection, allowing them to gain the benefit of dynamic credential generation from Vault, but without needing their own Vault login/token (see NOTE below).
  • boundary connect Credential Brokering Integration: Additionally, we have started integration into the boundary connect helpers, starting in this release with the Postgres helper; if the credential contains a username/password and boundary connect postgres is the helper being used, the command will automatically pass the credentials to the psql process.
  • The worker will now close any existing proxy connections it is handling when it cannot make a status request to the worker. The timeout for this behavior is currently 15 seconds.

NOTE: When using credential brokering, remember that if the user can connect directly to the end resource, they can use the brokered username and password via that direct connection to skip Boundary. This isn't any different from normal Boundary behavior (if a user can directly connect, they can bypass Boundary) but it's worth repeating.

Bug Fixes

  • scheduler: removes a Postgres check constraint, on the length of the controller name, causing an error when the scheduler attempts to run jobs (issue, PR).

Fetched April 8, 2026