HashiCorp Developer AI Private beta now available Sign up today
Boundary
Boundary Home

connect rdp

Command: boundary connect rdp

The connect rdp command authorizes a session against a target and invokes an RDP client for the connection. The command fills in the local address and port.

You also have access to some templated values that are substituted into the command arguments, and these values are additionally injected as environment variables in the executed command:

  • {{boundary.ip}} (BOUNDARY_PROXIED_IP): The IP address of the listening socket that boundary connect has opened.
  • {{boundary.port}} (BOUNDARY_PROXIED_PORT): The port of the listening socket that boundary connect has opened.
  • {{boundary.addr}} (BOUNDARY_PROXIED_ADDR): The host:port format of the address. This is essentially equivalent to {{boundary.ip}}:{{boundary.port}}.

Examples

The following example authorizes a session to a target with the ID ttcp_1234567890 and invokes an RDP session with the built-in Windows RDP client, mstsc:

$ boundary connect rdp \
   -target-id ttcp_1234567890

The following example authorizes a session to a target with the ID ttcp_123457890 and invokes a custom command for the RDP macOS client:

$ boundary connect rdp \
   -target-id ttcp_1234567890
   -exec bash \
   -- -c "open rdp://full%20address=s={{boundary.addr}} && sleep 600"

Usage

$ boundary connect rdp [options] [args]

This command performs a target authorization or consumes an existing authorization token, and launches a proxied RDP connection.

Connect command options:

  • -authz-token (string: "") - The authorization string returned from the Boundary controller via an authorize-session action against a target. This option is only required if you don't set a -target-id. If you set the value to -, the command attempts to read in the authorization string from standard input. You can also specify the authorization string using the BOUNDARY_CONNECT_AUTHZ_TOKEN environment variable.

  • -exec (string: "") - If set, specifies that the given binary should be executed after connecting to the worker, if set. This value should be a binary on your path or an absolute path. If all command flags are followed by -- (space, two hyphens, space), then any arguments after that are sent directly to the binary. You can also specify a binary using the BOUNDARY_CONNECT_EXEC environment variable.

  • -host-id (string: "") - The ID of a specific host to connect to out of the target's host sets. If you do not indicate a specific host, Boundary chooses one at random.

  • -target-id (string: "") - The ID of the target to authorize against. You cannot use this option with -authz-token.

  • -target-name (string: "") - The target name, if you authorize the session using scope parameters and target name.

  • -target-scope-id (string: "") - The target scope ID, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-name. You can also specify the target scope ID using the BOUNDARY_CONNECT_TARGET_SCOPE_ID environment variable.

  • -target-scope-name (string: "") - The target scope name, if you authorize the session using scope parameters and target name. This value is mutually exclusive with -scope-id. You can also specify the target scope name using the BOUNDARY_CONNECT_TARGET_SCOPE_NAME environment variable.

RDP options:

  • -style (string: "") - How the CLI attempts to invoke an RDP client. This value also sets a suitable default for -exec, if you did not specify a value. The currently-understood value is mstsc, which is the default on Windows and launches the Windows client. It is also the default on Mac, and launches an rdp://URL. You can also specify how the CLI attempts to invoke an RDP client using the BOUNDARY_CONNECT_RDP_STYLE environment variable.

CLI options

In addition to the command specific options, there are options common to all CLI commands and subcommands:

Edit this page on GitHub