hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

Error during authorize-session against a host in dynamic host set #4692

Open japneet-sahni opened 7 months ago

japneet-sahni commented 7 months ago

**Describe the bug**
Getting error from controller when performing authorize-session action against given target

**To Reproduce**
Steps to reproduce the behavior:

  1. Create a couple of Azure machines with a tag (has a public IP address).

  2. Created a dynamic catalog in Boundary with Azure as the provider.

  3. Created a dynamic host set plugin using the filter: `tagName eq 'tier' and tagValue eq 'app-server'`

  4. The hosts in the host set are populated correctly.

  5. Created a target with host-source as the dynamic host set.

  6. But when I try to connect to this target, I get the below error:

    
    boundary connect ssh -target-id=ttcp_zEm6TWgBtq
    Error from controller when performing authorize-session action against given target

    Error information:
      Kind: FailedPrecondition
      Message: No egress workers can handle this session, as they have all been filtered out.
      Status: 400
      context: Error from controller when performing authorize-session action against given target



**Expected behavior**
The target should be connected. If I create a target with a static host set using same host, it works fine.

**Additional context**
Somehow, I feel that the Boundary worker is trying to connect to the private IP address of the host instead of the public IP address. I understand that this can be solved using egress/ingress workers when the required network configurations are in place between worker, target, and clients. But for demo purposes, this should work without any errors. Unfortunately, even the [tutorials](https://developer.hashicorp.com/boundary/tutorials/host-management/azure-host-catalogs) don't cover the connection part.

<img width="522" alt="image" src="https://github.com/hashicorp/boundary/assets/10338163/811010cc-12eb-477b-93ee-bde576456eaf">

I am using HCP Boundary

anando-chatterjee commented 6 months ago

Hi @japneet-sahni, the dynamic host catalog returns 2 IP addresses (as you can see in your screenshot) and what is most likely happening is that the HCP worker is attempting to use the private IP and it does not have access to it. With self-managed workers running on the same network this won't be an issue.

To resolve this and to use HCP managed workers, you need to enter a preferred endpoint with a subnet mask of the public address (example screenshot below).

image

If this still doesn't fix your issue, please log a support ticket and one of our support engineers should be able to walk you through this.
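
To illustrate the preferred-endpoint fix suggested in the reply above, here is an added example (not part of the thread and not Boundary's own code) that models how an ordered list of `cidr:` / `dns:` preferences narrows a host's several addresses down to one. The function names, the first-match-in-list-order rule and the sample addresses (constructed from documentation ranges) are assumptions made for the illustration.

```python
import fnmatch
import ipaddress


def _as_ip(value):
    """Return an ip_address object, or None when value is a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def matches(preference, address):
    """True when one host address satisfies one 'cidr:' or 'dns:' preference."""
    kind, sep, pattern = preference.partition(":")
    if not sep or kind not in ("cidr", "dns"):
        raise ValueError(f"unsupported preferred endpoint: {preference!r}")
    ip = _as_ip(address)
    if kind == "cidr":
        network = ipaddress.ip_network(pattern, strict=False)  # raises on a bad CIDR
        return ip is not None and ip in network
    # dns: glob match against names only, never against literal IPs
    return ip is None and fnmatch.fnmatch(address.lower(), pattern.lower())


def select_endpoint(addresses, preferred_endpoints):
    """Assumed model: walk preferences in order, return the first address that matches."""
    for preference in preferred_endpoints:
        for address in addresses:
            if matches(preference, address):
                return address
    return None  # no preference matched; the caller must decide what to do


# Constructed sample: one host reported with a private and a public address.
HOST_ADDRESSES = ["10.0.0.4", "203.0.113.10"]

if __name__ == "__main__":
    # A /32 on the public address pins the session to it.
    print(select_endpoint(HOST_ADDRESSES, ["cidr:203.0.113.10/32"]))
    # A preference covering only the private range selects the unreachable address.
    print(select_endpoint(HOST_ADDRESSES, ["cidr:10.0.0.0/8"]))
```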