Hands-On Lab: HashiCorp Boundary Enterprise Sandbox

HashiCorp
04/09/2026
Transcript


Thanks for showing up for our session on Boundary. So my name is Robin. I'm the senior product education engineer dedicated to Boundary. So I work on most of the documentation and tutorials for this product. Glad to have you here today. And I also want to introduce again our wonderful TAs. They're going to be pretty active in helping you in this particular session, which is going to be a slightly different format than other sessions we've run. So get to know Yoko, Pradeep, and Dan. They all kind of work on these products, and they're all going to be really happy to help you as we work through some content today. So I want to just give you an overview. This session is going to be a little different than other LearnLabs. If you attended any today or you've been to ones in the past at HashiConf, we're not going to necessarily work through a new feature or set one particular thing up today. We're instead going to give you the chance to play around and learn Boundary at your own pace by giving you access to an enterprise sandbox. So pretty excited to essentially allow you to choose your own adventure today, learn about Boundary at any level that you feel comfortable with. And that's what we're going to explore right after we discuss what is Boundary. So we'll talk about what Boundary is. We'll look at some reference architecture for Boundary, understand some of the different components that it contains, and then we'll discuss the hands-on lab and also an opportunity for you to win a certification exam raffle that we'll be putting on at the end of this session. So as was mentioned at the beginning of the session, Wi-Fi is a little limited at the conference as you're probably noticing. So you don't have to do this. The sandbox environment has everything you need in it. 
However, if you do want to unlock a couple other additional pretty neat workflows for Boundary, you are welcome to go ahead and install a couple of these tools on your local machine if you want to try them out. I'm going to be showing you what this looks like during the session. And so if you kind of want the best experience with Boundary, please feel free to head over to our installer page. You can go to developer.hashicorp.com, just search for Boundary, and you'll see the install banner right there at the top. And you can grab the desktop client and the CLI if you're interested. If not, the sandbox has everything you need in it. So with that, we want to discuss a little bit about what Boundary is for those of you that are completely new to the product. How many of you have worked on Boundary or played with it at all? One, two? Two people? All right. Well, there you go. You're in the right place. So we should talk a little bit about what Boundary is first, then. So let's walk through the problem space that Boundary solves. When we talk about Boundary, we're talking about access management and typically accessing human-to-machine resources remotely. And typically what this has looked like in a traditional kind of access management workflow is that users will connect to a VPN, then use SSH to get onto a bastion or a jumpbox, which gives them access to go through a firewall and finally get access to their hosts or services they're trying to connect with. And there's a number of challenges with this workflow, particularly onboarding and offboarding processes. So if any of you have ever done any of this, you'll understand that this is often a manual process where you're onboarding new employees, offboarding them, and it can create a real administration bottleneck at times. And, you know, setting up routing, access lists, all that kind of stuff is a really cumbersome process. 
And in a traditional access model, once a user has been authenticated using a VPN, they then SSH onto that jumpbox, which itself needs to be maintained, and you increase your attack surface by exposing, usually, the entire network to them. Firewalls are often put in place in front of targets and jump hosts to ensure that access is only granted from the jumpbox. And the issue is that these firewalls often operate on IP and port identities. And that doesn't often scale in dynamic infrastructure where IPs can be ephemeral. So when a user finally reaches the database or other target that they need to complete their task, they have already probably obtained static credentials, and those might often be pulled from something like an Excel spreadsheet. And this just, in the long run, contributes to credential sprawl and increases your attack surface quite generally. So this is kind of the problem space that Boundary fits into. So Boundary automates access to critical infrastructure for users wherever it resides. You can think of it as a jumpbox replacement in most cases. First, the user is going to log in using their identity provider. So this could be Azure AD, it could be Okta, GitHub. This integrates with Boundary to help authenticate users using your IDP that you already work with every single day. So this is going to eliminate a lot of the onboarding and offboarding challenges that we see with network access because you're using your identity provider. And this granular user authentication is going to help authorize users to systems that they should only have access to. So essentially, you can provide access, that level of access, that the user should receive based on their role within your organization. So developers should get access to a particular set of infrastructure, operations folks, maybe another set of infrastructure, and you can control that through your identity provider. 
And Boundary is then going to automate the connection through to hosts for users through continuous service discovery and access configuration for workloads that are deployed and updated over time. So Boundary is able to present you with a list or a catalog of applications or hosts that you should have access to and keep that list up to date over time. So if your infrastructure primarily resides in AWS or Azure, or is maybe a multi-cloud deployment, you can keep that list of resources up to date within Boundary dynamically. When a user then decides to access a host or a service, the native integration with Vault makes for a really nice kind of just-in-time access procedure where you can request a credential from Vault on the fly and it's generated at that moment and passed back to the user. And, you know, this in and of itself is going to avoid credential sprawl because the credential's only valid, often, for that session that you're trying to use it for. So Boundary in and of itself has a few different deployment options just like a lot of our products. In general, we have a fully managed service called HCP Boundary. We've got a lot of great tutorials that can walk you through using HCP for the first time where you don't have to manage the Boundary control plane or any of the workers that are used to provide access to targets. We also have a kind of a hybrid deployment where you can deploy workers, which we'll talk about in a second, on your own infrastructure if you want to really keep your data private and not flow through any of our servers. Then there's Boundary Enterprise, which you'll be playing with today, which is a fully, you know, self-managed deployment of Boundary that has access to all of our enterprise features. And then there's the Boundary Community Edition, which has a more limited feature set and is also self-managed. So these are three different kinds of flavors of Boundary that you're going to see and that you can experiment with. 
And what are the benefits of kind of those enterprise level offerings for Boundary Enterprise and HCP? Well, particularly, you're going to get access to something called passwordless authentication. And this is a feature within Boundary called credential injection. There are two primary features you'll hear us talk about today, credential brokering and credential injection. The difference between the two is whether or not the end user, the client, ever has access to the credentials used to log into a target system. In credential brokering, the credentials get passed right back to the client and the client can then use them in whatever way they want. This is a typical, I need a credential, I am this person, and the server returns the authenticate through a proxy. In credential injection, we don't trust the end client. We say, I don't care who you are or if you're authenticated, I don't want you to see the And so Boundary is able to inject the credential directly into their session to where they never have to handle it. It's a passwordless experience that is facilitated through Vault. So you'll get to see that in action today in one of the exercises. And then there's other really great features as well, like automated service discovery. We won't play with this today, but I'll point you to a bunch of great tutorials if you want to try importing your hosts from AWS or Azure and watching them dynamically update as changes are made. Lastly, we have granular session visibility through a feature called session recording. And this is something that you can definitely try out in today's lab. So session recording is, again, an enterprise-level feature. And with it, you can really get a system of record for what's happening within a session. You can get insight into user actions over time. You can see what they're actually doing on the instances and within the sessions themselves. 
And you can review security incidents and malicious behavior by looking at playback for what happened during a session. This is really great for logging, auditing, compliance over time. And it's one of these kind of premium features you get with the enterprise version you'll be using today, and really great for regulatory compliance. And those of you that have worked with Boundary before might want to play with this later on. So kind of understanding that broad sweep of what's available in Boundary Enterprise, I want to talk to you briefly about what a worker is. And within the Boundary control plane itself, the architecture is going to consist of a data plane that has controllers, as we call them, a data plane that's made up of workers, and then the clients that are going to be installed on those end user devices that are going to connect to the targets in the long run. So controllers are what users are going to authenticate to using a client. And they contain the Boundary resources and permissions that that user should have. In addition, controllers are going to communicate with external components like databases, KMS, vaults, identity providers, and plugins, because Boundary is also a plugin-based system similar to Vault. Workers are primarily used as network proxies for Boundary sessions. And they're going to allow you to access private targets that are buried inside of your networks that shouldn't be exposed to the outside. So instead of exposing an entire private network to the public or allowing users to have access to the entire private network, workers are going to create a direct network tunnel between users and targets. And with Boundary Enterprise or HCP, you have the option to set up what are called multi-hop sessions, where workers can take multiple hops to connect users to the targets they're trying to access deep within a network enclave. So in this sense, a user on the outside is going to say, hey, Boundary. 
And it's communicating with the controller, I am this person. Can I connect to a target? And the controller says, sure. And it tells a worker to establish a connection with the client that then forwards them through a reverse proxy to the targets inside of the network enclave. In Boundary, you're going to hear about this term with the different workers that we have, the ingress worker that provides that periphery level access to the network, so the first level of ingress into a network. And then there are any number of intermediate workers that then help you complete the next hop into the network until you finally reach the egress worker, which has access to the target. So just like networking, you're familiar with these terms, the ingress worker into the network, egress with access to the target. Anyone have any questions about that so far? You'll get to experiment with this today. So if it's unclear at all, you'll get a chance to take a look at how these are configured. But this is a pretty important concept within Boundary. So I want to make sure that you understand up front what workers are for. So looking at the reference architecture for today's sandbox environment, we have this environment set up on Instruqt, which is a platform that allows us to pre-provision all the infrastructure that you'll need. And what you'll see is that inside of Instruqt, we have a couple of different workers and the Boundary controller itself. So the two things that have access to the user, or that the user can actually connect to in the end, are really the controller. The controller is what the user is going to connect to, request sessions to targets, et cetera. And then the worker is going to contact that client that requested the session and then forward the connection into the egress worker that lives inside of the Instruqt network. So this is kind of the process that we should be keeping in mind whenever we're thinking about how workers communicate with targets. 
In the end, the user needs to be able to talk to two things. The controller in and of itself needs to be able to talk to the user, and then the ingress worker needs to be able to contact the client. Other than that, the worker is going to forward those connections, again, through a reverse proxy to the targets that it's trying to reach. And some other things that you'll be noticing in today's session is that we also have Vault set up and a MinIO storage backend. Now, MinIO, in this case, is just S3-compatible storage. It is the ability for Boundary to have a backend where it can store the recordings of sessions that are created. So that could be Amazon S3, or it could be any other S3-compatible storage bucket that Boundary can store those session recordings inside of. So that's the two components that you'll see inside the sandbox. Vault for brokering credentials, if you choose to use it, and then MinIO for storing session recordings if they're set up for targets. Any questions about the reference architecture? So, in theory, could Consul be used as a storage backend for Boundary? No. Yeah, that's a great question. Consul in and of itself is not gonna be a storage backend for session recordings. Typically we're thinking about microservices in that case, not like a database storage backend. Great question. Yes, sir. In this reference architecture, is there an intermediary? Is there an intermediary? Yeah, it's missing from this diagram. Yeah, so you can have as many or as few intermediaries as you want. In this case, I only have two workers set up. So the one that's providing ingress into the network and then the immediate egress. The reason for that is because Instruqt doesn't actually have separate network enclaves I can store everything in. It's one large network. But in general, in more complex Boundary deployments, you're essentially gonna have multiple workers forwarding the connection deeper into the network. But in this case, we only have two workers. 
So in a real world, the intermediary would be in the DMZ? Probably. Yeah, there's any number of ways that you can set it up. But really we should just be thinking about the number of availability zones that we're gonna be forwarding connections into and having a worker in each of those. The important thing is, can the worker contact a target? That's the question you have to keep in mind. And what does that depend on? It depends on what kind of protocols you're setting up for those targets. Are they SSH targets? Are they RDP targets? Are they going to be some other web-based target or TCP-based target? So can the worker communicate with that target on the protocol and the port they're trying to establish a connection on? Great question, yeah. Is the architecture such that you always have separate ingress and egress workers? Or is it whatever it is that you just have one worker doing all the things? Great question, yeah. So in the Community Edition of Boundary, you only get access to egress workers. And that's one of the bigger selling points for the enterprise version is this multi-hop kind of scenario. So if you ever experiment with Boundary Community Edition, you're only gonna be working with egress workers. And that kind of gives you a sense for how that works. The problem often in that case is you have to expose the egress worker to the public. So clients outside of your network may have to go ahead and use that egress worker's public address to connect to anything. Yeah, great question. Yeah, great question. So there can be any number of targets inside of that network communicating with one worker. The question is, does the worker have enough resources to handle all the sessions being passed or routed through it? So in this case, I have a bunch of targets set up that are being handled by one worker. So that's kind of a question of scale is like how much load is each worker going to take? 
And so that's more of the architecture question of how many workers should be deployed. But Boundary has this intelligent system of understanding how many workers are being utilized. And so if you have a pool of workers, it will distribute the load amongst them. What protocols can the workers connect to? Anything on TCP. Yeah, and then we have additional protocols set up within Boundary to handle targets that are SSH and RDP. And that's particularly for getting to thinking about credential injection, this passwordless experience. And eventually on the backend session recording as well. How do we record that activity and then play it back later? But Boundary is really only concerned from a worker perspective with what protocol and what port, and TCP being the kind of main player there. Can workers be created on demand and then spawned? Yes. They can absolutely be created in the same way that any other ephemeral instance can be spun up or spun down based on demand. The question is, how are you load balancing to those workers, and then also each worker is really gonna be configured to where it can auto register with Boundary. So once it's spun up, it can be configured to automatically reach out and register itself. And then those resources can be spun down as well pretty easily. If you want to take a look at the worker configuration in today's sandbox, you'll see that it has a KMS set up with the worker to where it automatically can reach out and register itself using a pre-shared key. And that could be in AWS, it could be in any other KMS system that you use. But yeah, we have a number of ways to register workers with Boundary. And so it makes a lot of auto scaling deployments possible. Question. Yeah, last question here. Yes. Great question. Vault can absolutely be a target. So you can kind of dog food itself there in the sense that Vault can be set up as a target to where you can provide access to it. 
And in this case, what you'll find is that we have to configure a worker to pass credentials for the target. And that worker has to be able to speak to Vault. So workers are not just proxies to connect to targets, they're also proxies to connect to other components that Boundary is speaking with. In this case, the storage backend and Vault. So in a more real world deployment, you'd have several different workers speaking to your Vault clusters and several different workers speaking to storage backends to ensure that you have enough storage for all your session recordings. So workers in and of themselves are just proxies to access the resources Boundary wants to speak to. And Boundary doesn't actually care what it's talking to. So you can absolutely set up a Vault target within Boundary. All right. So I wanna make sure you have some time to play around and experiment. So I wanna introduce the sandbox to you and show you some of the exercises we're gonna be speaking about today. And then I'll continue answering questions and coming around and helping you as we work through this. So I'm gonna jump into a short demo of what the lab looks like. And right here, you're gonna see the list of exercises that we've put together for you to experiment with today. These exercises are designed to be independent of each other. So you can kind of choose your own adventure here. You don't have to work through them in order. But if you are new to Boundary, completely new, I recommend that you do because they are in an order of increasing difficulty. And there's no way you're gonna finish them all in today's session. You will have access to this after today's session. So you can try this at home. And if you head to the set of tutorials we have on our developer platform, you'll see that there's a community edition sandbox available to you. Today for this group, we are premiering our enterprise version of the sandbox. 
So you're the first ones that are gonna see it and provide some feedback on it. And then you'll see that it will be public facing for those of you on YouTube in the future as well. But for all of you here today, you'll have access to this and get a chance to keep working on it until it's put on the tutorials website where you can check it out anytime. So these exercises are going to be essentially one, can you connect to a target? What does that look like? What's going on inside of Boundary? The second exercise is experimenting with target credentials. How do I set up credentials within Boundary which has its own credential management system? You don't have to use Vault. Your world's just gonna be a lot more fun if you do. Exercise three, this is where you get to create a target and then experiment with connecting with it. And you can also try creating your own SSH session recordings. Exercise four, session recording storage policies. Let's say you have to be HIPAA compliant. How do you set up storage policies to where they retain those session recordings for the appropriate amount of time to comply with your regulatory requirements? Session five is taking a look at the lab architecture. How are the workers configured? How is the controller configured? What do you need to do in order to set up those pieces from a networking perspective? And the bonus exercise, if you're super experienced with Boundary, you can try this, which is bring your own targets. And again, you'll have a chance to try this after today's session, so don't stress. You can really work through this at a later time too. All right, so quick lab environment demo. So this is the tutorial page that you're gonna be able to pull up on your laptop in just a moment. And essentially, this is where you can read all the exercises and launch the sandbox. 
If you scroll down on this page, you're gonna see all the different exercises that I just mentioned, and some suggestions on how to connect to targets, how you can access Boundary, the target names, and how you can connect to these targets. So this is kind of your step-by-step, try it out. And as you go through the exercises, what you'll see is that you can select this dropdown and click on an exercise. When you go to this website, you're probably gonna see it in light mode. Not sure if that's easier for you to read or not. On this page at the top, you'll see this button that says Launch the Boundary Enterprise Sandbox. Clicking on it, it's gonna take you to the Instruqt page, and from here, you can click the Launch button in the upper right-hand corner. Now, some of you are going to probably be able to launch it very quickly because of some of the Wi-Fi and Hot Start and that kind of stuff that we're seeing today. So you might get in really quickly. Otherwise, it might take you a couple minutes to launch the sandbox. All right, after it finishes, you'll see this blinking Start button. Clicking on it, it's gonna launch this. Yeah, absolutely. It's starting to go that long. Great, great, yeah. The reason I haven't shown you this yet is because people tend to stop watching once I do. So once you get into the sandbox here, the only things I really wanna show you are that one, you have a list of all the different Boundary components across the top that you can access. In particular, everything you're gonna wanna try and do is gonna be from the workstation. That's your client. That's where Boundary's installed. If you open up this Get Started folder here off to the left, you're gonna see a lot of the architecture diagrams inside of here. You're gonna see the public controller address and the Exercises folder, which is just a duplication of the exercises on that Tutorials page. 
And then in the second tab, this is where you're going to execute any commands you would like to run. So what's the first thing you're gonna do? You're gonna authenticate to Boundary. Inside of the instructions, you'll see that you do this by running boundary authenticate. It's gonna then ask you for the login name, which is admin. The password is password. And after you get logged in, you're on the command line and you can begin asking Boundary questions like Boundary, give me a list of your targets and recursively list them for me inside of all of your scopes, which is something you'll learn about. So here we have a list of targets. You're probably gonna wanna play around using the admin UI though. That's gonna be a much more pleasant experience to browse all of Boundary and see how it works. But you can do everything from the UI or from the CLI. Again, admin, password. And once you're logged in, this is the Boundary admin interface. So inside of here, this is where admins will go through and set up targets, credentials, all of that stuff. This is the admin interface that you can interact with. You can do all those things through Terraform or the CLI. And as you click through here, some interesting things can happen. But what I wanna show you is firstly, what happens if you try to connect to a target. So I have a target here. I have a target name. And you can also set up what are called aliases inside of Boundary to make it really easy to connect to a target. So I have a target here named Priya. From my Boundary workstation, I'm gonna say Boundary connect. And I'm gonna tell it I wanna connect to this target using SSH. This is called a connect helper. I'm then gonna type in the name or the alias of the target. And I'm gonna establish a connection to Priya. It immediately injected the credential from Vault into that session and I'm immediately logged in. I can say hello from Priya. And I can exit the session. What has happened on the back end? 
Well, if you have it set up inside of Boundary, I can head to the global scope. And from here, I can click on session recordings. You'll see I have a new completed session recording. I can click the view button. And I can play back that session, including a video of it that we'll go through and show you what I did inside of that session, including saying echo hello. So that's some of the types of fun you can have with Boundary. This is a sandbox, so you can do as much as you want. You can set up dynamic host catalogs. But again, I recommend you work through those exercises in order and try them out. The other components you have access to are things like the controller. Again, this is what sets up Boundary. This is what also allows you to set up a communication to workers. So how do I have this configured? This is exercise five. If you're familiar with Terraform, I set all of this up with Terraform. So if you want to learn a little bit more about how Boundary is set up with Terraform, the Boundary Terraform provider, head on to the controller, open up any of these files to learn how we configured the targets, how we set them up. And then if you want to check the logs on the worker or the controller, you can head over here and check the logs. You can look at the journal of Boundary, et cetera, all that stuff for the worker. So those are some of the types of things you have access to. And the last thing I'm going to say about this is that we also have a raffle. So today, you have the option to enter a raffle for a pro Terraform or Vault certification exam. How many of you know Vault? Pretty well. All right. How about Terraform? Excellent. So this might be of interest to you if you're not certified at the pro level yet. It's a voucher for either of those exams that you can take by the end of the year. And ideally, I just want you to work through some of the exercises in the sandbox. 
What I have here is that exercise number three has a pretty fun exercise where you set up an SSH target, you attach some Vault credentials to it, and you log in, just like you watched me do. If you really want to have fun, the last thing that you can do is open the workstation and grab the public controller address. So this is the public facing address of this controller. I can then open the Boundary app. Now, this is the desktop app I mentioned installing at the beginning of the session. Let me know if you need help getting this installed. I can click Submit with that public controller address and log in with admin or password. And once you're logged in, you'll have the option to establish connections to sessions. This is inside of Instruct. If I look at that same target I saw here called Priya, the second one, thank you. The alias is Priya. If I click Connect, the Boundary desktop app actually has a built-in Shell session that I can click here. So it has an SSH client built in. If I click Shell, it's going to launch that session right here and connect me to the target from my local machine. So this is the end user experience. This is how people should be using Boundary to connect to targets and establish sessions and do session recording, et cetera. So those are your options, your tasks. You can enter the raffle. And I recommend working on exercise or through exercise three if you want to try. And now we can give you access to this. Here is the short link. You can type into your browser. This will take you to that tutorial page you saw me pull up a moment ago. And then you can click the Launch button to access the Enterprise Sandbox. First person that's able to hit that link, let me know that it All right, great. So at this point, we're all going to walk around and help you out with any questions you have. If you have questions, raise your hand now, and I'll come over to you. 
But we also have our great TAs that are going to be answering questions and walking you through the exercises if you have any concerns or particular things you want to set up. Do you have a question about the lab? Is there a possibility to get a copy of your deck? Absolutely. Yeah, I'll publish that for you, and I'll put that up on the screen. Thank you. Yeah, great question. I'll publish the slides was the question. All right, let's turn you loose. Have fun. And if you do work through it for a little while, raise your hand near the end of the session, and we'll come by with a raffle ticket for you. And we'll get you entered into that pro-certification exam raffle. With Boundary, I want to, for anyone that wants to stay, I'm just going to show you a little bit about exercise three for those of you that made it this far. Did anyone finish exercise number three? Couple of you? All right. Good work. So this is a pretty easy exercise. Once you get to know your way around Boundary, it's something that you would do every day or all the time or programmatically do using something like Terraform. Popping over into my Boundary admin console here, I'm inside of targets. Now, how did I get here? People often have questions about scopes inside of Boundary. What are scopes? They're a way for us to limit permissions and grants within Boundary. So they're a way for us to decide what our users should have access to and the scope of things that they're allowed to do. So within Boundary's global scope over here, we have orgs. That's the first level of scope. So we could have a marketing org, an engineering org, an operations org. And inside of here, we have projects, which is an additional level of scopes that we can use to set up these permissions within Boundary. 
Clicking on my project, I then see the left-hand interface changes to say, OK, inside of this project, you have these targets, you have a set of hosts, you have credentials, and you have any sessions that might be running. And so this is where you begin to get into management within boundary. And you can see the list of pre-configured targets I've set up with Terraform. Exercise three had you go through and click on a new target here or choose to do this using the CLI. Now, the instructions had you go through and create a new target for Khalid. If I copy his name here, we wanted an SSH target, port 22. And we also wanted to set up a egress worker filter for this target. We wanted to connect to the Ubuntu host. And then we want to attach a static credential called Ubuntu Khalid. Lastly, we can create an alias for this target. If I pop back over to here, I'll give this a name again of Khalid. I'll set a type of SSH. Scrolling down further, I'll provide a target address. Within boundary, as you begin learning about this, you'll find that there's a number of ways to select from hosts. We can do so from a pool of hosts called a host catalog, or we can directly enter addresses for targets. This is kind of a quick way to enter an address, which is going to be Ubuntu-host. But generally, in a more production-like scenario, you're going to use host catalogs with boundary. The default port for SSH is 22. We'll leave that there. And lastly, we can set a alias, which I'll call sandbox.khalid. I'll click Add for that alias. You can have multiple ones. And click Save. Now the target exists. But it's saying I can't connect without injected application credentials. So clicking on Injected Application Credentials, I'll click the Add button. And there's already a set of credentials inside of here. And this Ubuntu-Khalid one comes from Vault. So if you do try this out later, check out the Vault integration. 
See how I've integrated Vault, set up the permissions for it, and defined the credentials for these users. Clicking the Add Injected Application Credentials button, I've now almost finished setting up this host, this target. The last thing is to tell it what worker to use to contact this target. Remember, workers provide connections to the targets. We can provide ingress and egress. That's really what Boundary cares about, what worker should provide initial access to the host network, and then what worker should be used on the exit when we actually connect to these targets. Clicking on Add Worker Filter, there's a filter generator in here to help you find your way around how to use the filters. We can tag our workers with any tags or any filters that we'd like. This particular filter says I want to select a worker called egress that's been tagged that way. Poke around the sandbox. Find out how I tagged that worker. That's your next exercise. And clicking Save, I've finished setting up this target. And looking back at the global scope, I'll see I have a new alias for this target called sandbox.halid. Oh, and the last cute thing you can do is at the org level, you can also, for this target, enable session recording by clicking the Enable Recording button. I click on Record Sessions for this target. I select the session recording bucket. And I click Apply. And now I should be able to connect to this target. Let's see if I still have Boundary running locally. Looks like I do. And if I click on Targets, I see Halid. I can click Connect. And clicking on Shell, it should inject that credential for me. And this is just a silly little QR code that I put inside of the message of the day. It takes you to a nice Boundary GIF. And that's exercise three. So I hope you get a chance to try that. That's where I hope everyone can get to by the end of playing with this sandbox. Your sandbox will stay up for another hour, I think. 
And then you'll just have to relaunch it if you want to continue playing around with the exercises. All right. Thank you so much.
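The exercise-three target the speaker builds by hand in the admin console (SSH target on port 22 at ubuntu-host, egress worker filter, Vault-backed injected credential, alias sandbox.khalid, session recording), written as Terraform for the HashiCorp Boundary provider the way the speaker says it would be done programmatically. This is an added example, not the sandbox's own configuration: the scope, credential-library and storage-bucket IDs are placeholders, and the egress worker is assumed to carry a `type = ["egress"]` tag.

```hcl
# Added example: exercise three as Terraform (not the sandbox's own code).
# Assumes the Boundary Terraform provider is configured and authenticated.

variable "project_scope_id" {
  description = "Placeholder: ID of the project scope that holds the targets"
  type        = string
}

variable "ubuntu_khalid_credential_id" {
  description = "Placeholder: ID of the Vault-backed 'Ubuntu-Khalid' credential library"
  type        = string
}

variable "storage_bucket_id" {
  description = "Placeholder: ID of the session recording storage bucket"
  type        = string
}

resource "boundary_target" "khalid" {
  name         = "Khalid"
  type         = "ssh"         # SSH type is required for credential injection and recording
  scope_id     = var.project_scope_id
  address      = "ubuntu-host" # direct address; host catalogs are preferred in production
  default_port = 22

  # Only workers tagged type=egress may open the final hop to the host.
  # Assumption: the sandbox's egress worker is tagged type = ["egress"].
  egress_worker_filter = "\"egress\" in \"/tags/type\""

  # The Vault credential is injected into the session; the user never sees it.
  injected_application_credential_source_ids = [var.ubuntu_khalid_credential_id]

  # Record the SSH session to the bucket so it can be played back for audit.
  enable_session_recording = true
  storage_bucket_id        = var.storage_bucket_id
}

# Aliases live in the global scope and let users connect by name instead of ID.
resource "boundary_alias_target" "khalid" {
  name           = "sandbox-khalid"
  scope_id       = "global"
  value          = "sandbox.khalid"
  destination_id = boundary_target.khalid.id
}
```

After `terraform apply`, the desktop app's Connect and Shell flow the speaker demonstrates works against `sandbox.khalid` with the credential injected and the session recorded.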

TL;DR

  • Boundary replaces traditional VPN/jumpbox workflows with identity-based access management, integrating with existing IDPs and eliminating manual user provisioning while reducing attack surface through direct target tunneling
  • Enterprise features include passwordless credential injection (users never see credentials), automated cloud service discovery, and session recording for compliance — all built on a controller/worker proxy architecture
  • The hands-on lab provides an enterprise sandbox with six exercises covering target connections, Vault credential integration, session recording setup, and infrastructure configuration exploration
  • Deployment options range from fully managed HCP Boundary to self-hosted enterprise installations, with workers functioning as network proxies that can be auto-scaled and auto-registered using pre-shared KMS keys
  • Native Vault integration enables just-in-time credential generation per session, preventing credential sprawl while session recording provides audit trails for regulatory compliance like HIPAA

Boundary's Approach to Privileged Access Management

This hands-on lab introduces HashiCorp Boundary as a modern replacement for traditional VPN and jumpbox-based access workflows. Boundary automates privileged access to infrastructure by integrating with identity providers like Azure AD and Okta for authentication, eliminating manual onboarding/offboarding processes. The platform provides just-in-time credential access through native Vault integration, preventing credential sprawl by generating session-specific credentials on demand. Unlike legacy approaches that expose entire networks once authenticated, Boundary creates direct network tunnels between users and specific targets based on role-based permissions, significantly reducing attack surface while maintaining granular access control.

Enterprise Features and Deployment Options

Boundary offers multiple deployment models including fully managed HCP Boundary, hybrid deployments with self-managed workers, and self-hosted Boundary Enterprise. Enterprise-tier features include credential injection for passwordless authentication where end users never handle credentials directly, automated service discovery for dynamic infrastructure in AWS and Azure, and session recording capabilities for compliance and security auditing. The architecture consists of controllers that handle authentication and resource management, and workers that function as network proxies creating secure tunnels to private targets. Multi-hop sessions enable access to deeply nested infrastructure through chained worker connections.

Interactive Sandbox Exercises

The lab provides an enterprise sandbox environment with six progressive exercises covering core Boundary workflows. Participants explore target connections, credential management with both Boundary's native system and Vault integration, target creation with SSH session recording, storage policy configuration for regulatory compliance, and worker/controller architecture examination. The sandbox demonstrates credential injection in action, showing how Vault-sourced credentials are automatically injected into sessions without user visibility. Exercises are designed to be independent, allowing participants to choose their learning path based on experience level, with all materials remaining accessible for continued exploration beyond the session.

Chapters

0:00 - Introduction and Session Overview
1:45 - Traditional Access Management Challenges
4:47 - How Boundary Solves Access Problems
6:52 - Deployment Options and Editions
7:55 - Enterprise Features: Credential Injection
9:00 - Session Recording and Compliance
10:14 - Architecture: Controllers and Workers
21:04 - Sandbox Environment Introduction
23:49 - Lab Environment Demo
32:02 - Hands-On Lab Session Begins
33:23 - Exercise 3 Walkthrough: Creating Targets
34:00 - Understanding Scopes and Permissions

Key Quotes

4:47 "Boundary automates access to critical infrastructure for users wherever it resides. You can think of it as a Jumpbox replacement in most cases."
8:00 "In credential injection, we don't trust the end client. We say, I don't care who you are or if you're authenticated, I don't want you to see the credentials. And so Boundary is able to inject the credential directly into their session to where they never have to handle it."
9:41 "You can get insight into user actions over time. You can see what they're actually doing on the instances and within the sessions themselves. And you can review security incidents and malicious behavior by looking at playback for what happened during a session."
11:16 "Instead of exposing an entire private network to the public or allowing users to have access to the entire private network, workers are going to create a direct network tunnel between users and targets."
19:44 "Each worker is really gonna be configured to where it can auto register with Boundary. So once it's spun up, it can be configured to automatically reach out and register itself using a pre-shared key."
22:09 "For all of you here today, you'll have access to this and get a chance to keep working on it until it's put on the tutorials website where you can check it out anytime. You're the first ones that are gonna see it and provide some feedback on it."

Categories:
  • » Cybersecurity » Zero Trust
  • » Cybersecurity » Cloud Security
  • » Data Protection
Tags:
  • Identity & Access
  • Zero Trust
  • Cloud Security
  • Compliance & Governance
  • Technical Deep Dive
  • How-To
  • Demo
  • Privileged Access Management
  • Identity-Based Authentication
  • Zero Trust Security
  • Credential Management
  • Session Recording
  • Cloud Infrastructure Access