Sign up to the Arctiq Newsletter to stay up to date on the latest blogs, events and news
Subscribe to Newsletter
An outlined icon of an X
left arrow icon
Back to Blogs

Avoid resource sprawling using dynamic credential templating in Hashicorp Boundary


  • Is your organization using Hashicorp Boundary as a PAM (privileged access management) solution for thousands of hosts residing in private network?
  • Are you using Hashicorp Vault for generating dynamic secrets for multiple users and hosts?
  • Have you faced a challenge of maintaining user specific targets and credential libraries in Boundary and eventually ended up in a resource sprawl?

In this article, I am going to highlight the solution using dynamic credential templating in Hashicorp Boundary which will help in avoiding resource sprawl.

Problem Statement

  • In Boundary, a credential store is a resource that can retrieve, store, and potentially generate credentials (like Hashicorp Vault).
  • Credential Store will contain credential libraries pointing to specific paths within Vault.
  • These credential libraries are then mapped to Boundary targets which allows a Boundary user to connect to a host residing in private network.

Now, if Vault is making use of a secret engine where we have defined user-specific roles like SSH-OTP (for linux servers) or LDAP (for Windows servers), in Boundary, we end up creating user-specific credential libraries pointing to user-specific Vault paths as shown below. This leads to resource sprawl within Boundary, resulting in hundreds to thousands of individual credential libraries at scale.

No alt text provided for this image

How do we solve resource sprawling?

In Boundary 0.12, support for credential templating within credential libraries was added. This allows Boundary administrators to configure one target with one credential library that generates per-user credentials. Hence, you don't need to maintain a target for each user as shown below. The paths in these credential libraries can be mapped to Boundary user's or account's information as highlighted here. The user's/account's information is dynamically populated while accessing credentials.

No alt text provided for this image

Code Snippet & Snapshots (Before vs After)

Before : Using Static Credential Libraries and Targets

No alt text provided for this image
User-specific credential libraries
No alt text provided for this image
User-specific target mapped to user-specific credential library

After : Using dynamic credential libraries and targets

No alt text provided for this image
Dynamic Credential Library ampped to Boundary User's name
No alt text provided for this image
Dynamic Team specific target mapped to single dynamic credential library


Due to dynamic credential templating, you can very easily create managed groups in Boundary and assign team-specific targets mapped to dynamic host catalogs and single dynamic credential library path using user's information as shown in the above code snippet.

No alt text provided for this image
Workflow of PAM use case for linux machines

See Zero Trust Security in action !

If you are new to Hashicorp Boundary and would like to understand how Boundary-Vault integration helps us in achieving Zero Trust Security, you can watch my HashiTalk where I explain the traditional workflow of privileged access management (PAM), its challenges and how we solved couple of PAM use-cases for Windows and Linux servers.



Japneet Sahni

DevOps Consultant
View Author Profile

Related Posts