mongodbatlas

package module v0.1.0

This package is not in the latest version of its module.

Published: Feb 17, 2020 License: MPL-2.0 Imports: 14 Imported by: 3

README

MongoDB Atlas Database Secrets Engine

This plugin provides unique, short-lived credentials for MongoDB Atlas. It is to be used with Hashicorp Vault.

Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.

Getting Started

This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.

Otherwise, first read this guide on how to get started with Vault.

To learn specifically about how plugins work, see documentation on Vault plugins.

Installation

This plugin is bundled in Vault version 1.4.0 or later. It may also be built and mounted externally with earlier versions of Vault. For details on this process please see the documentation for Vault's plugin system.

Setup

  1. Enable the database secrets engine if it is not already enabled:

    $ vault secrets enable database
    Success! Enabled the database secrets engine at: database/
    

    The secrets engine is enabled at the default path, which is the name of the engine. To enable the secrets engine at a different path, use the -path argument.

  2. Configure Vault with the proper plugin and connection information:

    $ vault write database/config/my-mongodbatlas-database \
        plugin_name=mongodbatlas-database-plugin \
        allowed_roles="my-role" \
        public_key="a-public-key" \
        private_key="a-private-key!" \
        project_id="a-project-id"
    
  3. Configure a role that maps a name in Vault to a MongoDB Atlas command that executes and creates the Database User credential:

    $ vault write database/roles/my-role \
        db_name=my-mongodbatlas-database \
        creation_statements='{ "database_name": "admin", "roles": [{"databaseName":"admin","roleName":"atlasAdmin"}]}' \
        default_ttl="1h" \
        max_ttl="24h"
    Success! Data written to: database/roles/my-role
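The role written in steps 2 and 3 is where the blast radius of every generated credential is decided: the `creation_statements` JSON names the authentication database and the Atlas roles each short-lived user receives, and `default_ttl`/`max_ttl` bound how long it lives. The README's example grants `atlasAdmin` on `admin`, which is convenient for a walkthrough but far more than a typical application needs. The program below is an added example, not code from this plugin or from HashiCorp: it parses a `creation_statements` string into the shape the README shows (`database_name` plus a `roles` array of `databaseName`/`roleName` pairs), validates it, and reports policy findings before the role is written to Vault. The list of broad built-in roles, the 24-hour lease limit, and the strict rejection of unknown JSON keys are assumptions of this example, not behaviour of the plugin.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AtlasRole mirrors one entry of the "roles" array in creation_statements.
type AtlasRole struct {
	DatabaseName string `json:"databaseName"`
	RoleName     string `json:"roleName"`
}

// CreationStatement mirrors the creation_statements object from the README:
// the authentication database plus the roles the generated user receives.
type CreationStatement struct {
	DatabaseName string      `json:"database_name"`
	Roles        []AtlasRole `json:"roles"`
}

// highPrivilegeRoles are built-in roles that reach beyond a single application
// database. This set is an assumption of the example, not a plugin-maintained list.
var highPrivilegeRoles = map[string]bool{
	"atlasAdmin":           true,
	"readWriteAnyDatabase": true,
	"readAnyDatabase":      true,
	"dbAdminAnyDatabase":   true,
	"userAdminAnyDatabase": true,
}

// maxAllowedLease is the longest max_ttl this example's policy accepts (assumed value).
const maxAllowedLease = 24 * time.Hour

// ParseCreationStatement decodes and validates a creation_statements string.
// Unknown keys are rejected (a choice of this example) so that a typo such as
// "role" instead of "roles" fails loudly instead of yielding a user with no roles.
func ParseCreationStatement(raw string) (CreationStatement, error) {
	var stmt CreationStatement
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&stmt); err != nil {
		return stmt, fmt.Errorf("creation_statements is not valid JSON: %w", err)
	}
	if stmt.DatabaseName == "" {
		return stmt, errors.New("creation_statements: database_name is required")
	}
	if len(stmt.Roles) == 0 {
		return stmt, errors.New("creation_statements: at least one role is required")
	}
	for i, r := range stmt.Roles {
		if r.DatabaseName == "" || r.RoleName == "" {
			return stmt, fmt.Errorf("creation_statements: roles[%d] needs both databaseName and roleName", i)
		}
	}
	return stmt, nil
}

// parseTTL accepts Go duration syntax ("1h", "30m") and, like Vault, a bare
// integer meaning seconds.
func parseTTL(s string) (time.Duration, error) {
	if secs, err := strconv.Atoi(strings.TrimSpace(s)); err == nil {
		return time.Duration(secs) * time.Second, nil
	}
	return time.ParseDuration(s)
}

// ReviewRoleConfig checks a proposed role (creation_statements plus both TTLs)
// against a least-privilege, short-lease policy. One finding per violation;
// an empty result means the definition passed.
func ReviewRoleConfig(rawStatement, defaultTTL, maxTTL string) ([]string, error) {
	stmt, err := ParseCreationStatement(rawStatement)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, r := range stmt.Roles {
		if highPrivilegeRoles[r.RoleName] {
			findings = append(findings, fmt.Sprintf(
				"role %q on database %q grants broad privileges; prefer a scoped role such as readWrite on the application database",
				r.RoleName, r.DatabaseName))
		}
	}
	def, err := parseTTL(defaultTTL)
	if err != nil {
		return nil, fmt.Errorf("default_ttl: %w", err)
	}
	maxDur, err := parseTTL(maxTTL)
	if err != nil {
		return nil, fmt.Errorf("max_ttl: %w", err)
	}
	if def > maxDur {
		findings = append(findings, fmt.Sprintf("default_ttl %s exceeds max_ttl %s", def, maxDur))
	}
	if maxDur > maxAllowedLease {
		findings = append(findings, fmt.Sprintf("max_ttl %s exceeds the policy limit of %s", maxDur, maxAllowedLease))
	}
	return findings, nil
}

func main() {
	// The creation_statements from step 3 of the README (constructed input for this example).
	readmeStatement := `{ "database_name": "admin", "roles": [{"databaseName":"admin","roleName":"atlasAdmin"}]}`
	findings, err := ReviewRoleConfig(readmeStatement, "1h", "24h")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

Run against the README's role, the reviewer flags the `atlasAdmin` grant and accepts the TTLs; a role whose only entry is `readWrite` on the application database passes cleanly. Wire the check into the pipeline that runs `vault write database/roles/...` so an over-privileged or long-lived role is caught before it exists.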
    

Usage

After the secrets engine is configured and a user/machine has a Vault token with the proper permissions, it can generate credentials.

  1. Generate a new credential by reading from the /creds endpoint with the name of the role:

    $ vault read database/creds/my-role
    Key                Value
    ---                -----
    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
    lease_duration     1h
    lease_renewable    true
    password           A1a-QwxApKgnfCp1AJYN
    username           v-5WFTBKdwOTLOqWLgsjvH-1565815206
    

For more details on configuring and using the plugin, refer to the Database Secrets Engine for MongoDB Atlas documentation.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func New

func New() (interface{}, error)

func Run

func Run(apiTLSConfig *api.TLSConfig) error

Run instantiates a MongoDBAtlas object and runs the RPC server for the plugin.

Types

type MongoDBAtlas

type MongoDBAtlas struct {
	credsutil.CredentialsProducer
	// contains filtered or unexported fields
}

func (MongoDBAtlas) Close

func (c MongoDBAtlas) Close() error

Close terminates the database connection.

func (MongoDBAtlas) Connection

func (c MongoDBAtlas) Connection(_ context.Context) (interface{}, error)

func (*MongoDBAtlas) CreateUser

func (m *MongoDBAtlas) CreateUser(ctx context.Context, statements dbplugin.Statements, usernameConfig dbplugin.UsernameConfig, expiration time.Time) (username string, password string, err error)

func (MongoDBAtlas) Init

func (c MongoDBAtlas) Init(ctx context.Context, conf map[string]interface{}, verifyConnection bool) (map[string]interface{}, error)

Initialize parses connection configuration.

func (MongoDBAtlas) Initialize

func (c MongoDBAtlas) Initialize(ctx context.Context, conf map[string]interface{}, verifyConnection bool) error

func (*MongoDBAtlas) RenewUser

func (m *MongoDBAtlas) RenewUser(ctx context.Context, statements dbplugin.Statements, username string, expiration time.Time) error

RenewUser is not supported on MongoDB, so this is a no-op.

func (*MongoDBAtlas) RevokeUser

func (m *MongoDBAtlas) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error

RevokeUser drops the specified user from the authentication database. If none is provided in the revocation statement, the default "admin" authentication database will be assumed.

func (*MongoDBAtlas) RotateRootCredentials

func (m *MongoDBAtlas) RotateRootCredentials(ctx context.Context, statements []string) (map[string]interface{}, error)

RotateRootCredentials is not currently supported on MongoDB.

func (*MongoDBAtlas) SetCredentials

func (m *MongoDBAtlas) SetCredentials(ctx context.Context, statements dbplugin.Statements, staticUser dbplugin.StaticUserConfig) (username, password string, err error)

SetCredentials uses provided information to set/create a user in the database. Unlike CreateUser, this method requires a username be provided and uses the name given, instead of generating a name. This is used for creating and setting the password of static accounts, as well as rolling back passwords in the database in the event an updated database fails to save in Vault's storage.

func (*MongoDBAtlas) Type

func (m *MongoDBAtlas) Type() (string, error)

Type returns the TypeName for this backend.
