Vault
MongoDB atlas database plugin HTTP API
The MongoDB Atlas plugin is one of the supported plugins for the Database Secrets Engine. This plugin generates MongoDB Atlas Database User credentials dynamically based on configured roles.
Configure connection
In addition to the parameters defined by the Database Backend, this plugin has a number of parameters to further configure a connection.
Method | Path |
---|---|
POST | /database/config/:name |
Parameters
public_key
(string: <required>)
– The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.private_key
(string: <required>)
- The Private Programmatic API Key used to connect with MongoDB Atlas API.project_id
(string: <required>)
- The Project ID the Database User should be created within.username_template
(string)
- Template describing how dynamic usernames are generated.
Sample payload
{
"plugin_name": "mongodbatlas-database-plugin",
"allowed_roles": "readonly",
"public_key": "aPublicKey",
"private_key": "aPrivateKey",
"project_id": "aProjectID"
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/database/config/mongodbatlas
Statements
Statements are configured during Vault role creation and are used by the plugin to determine what is sent to MongoDB Atlas upon user creation, renewal, and revocation. For more information on configuring roles see the Role API in the Database Secrets Engine docs.
Parameters
The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type.
creation_statements
(string: <required>)
– Specifies the database statements executed to create and configure a user. Must be a serialized JSON object, or a base64-encoded serialized JSON object. The object can optionally contain adatabase_name
, the name of the authentication database to log into MongoDB. In Atlas deployments of MongoDB, the options for the authentication database include admin (default) and $external database. The object must also contain aroles
array, and from Vault version 1.6.0 (plugin version 0.2.0) may optionally contain ascopes
array. Theroles
array contains objects that hold a series of rolesroleName
, an optionaldatabaseName
andcollectionName
value. Thescopes
array determines which clusters and data lakes the user has access to, and defaults to all scopes if omitted. For more information regarding theroles
andscopes
fields, refer to MongoDB Atlas documentation.default_ttl
(string/int): 0
- Specifies the TTL for the leases associated with this role. Accepts time suffixed strings (1h
) or an integer number of seconds. Defaults to system/engine default TTL time.max_ttl
(string/int): 0
- Specifies the maximum TTL for the leases associated with this role. Accepts time suffixed strings (1h
) or an integer number of seconds. Defaults tosys/mounts
default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also The TTL General Case.
Sample creation statement
{
"database_name": "admin",
"roles": [
{
"databaseName": "admin",
"roleName": "atlasAdmin"
},
{
"collectionName": "acollection",
"roleName": "read"
}
],
"scopes": [
{
"name": "a-cluster",
"type": "CLUSTER"
}
]
}