2020-02-07 22:09:39 +00:00
|
|
|
|
---
|
2020-04-09 17:56:59 +00:00
|
|
|
|
layout: 'api'
|
|
|
|
|
|
page_title: 'MongoDB Atlas - Database - Secrets Engines - HTTP API'
|
2020-02-07 22:09:39 +00:00
|
|
|
|
description: |-
|
|
|
|
|
|
The MongoDB Atlas plugin for Vault's Database Secrets Engine generates MongoDB Database User credentials for MongoDB Atlas.
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
|
|
# MongoDB Atlas Database Plugin HTTP API
|
|
|
|
|
|
|
|
|
|
|
|
The MongoDB Atlas plugin is one of the supported plugins for the Database
|
|
|
|
|
|
Secrets Engine. This plugin generates MongoDB Atlas Database User credentials dynamically based on
|
|
|
|
|
|
configured roles.
|
|
|
|
|
|
|
|
|
|
|
|
## Configure Connection
|
|
|
|
|
|
|
|
|
|
|
|
In addition to the parameters defined by the [Database
|
2023-01-26 00:12:15 +00:00
|
|
|
|
Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
|
2020-02-07 22:09:39 +00:00
|
|
|
|
has a number of parameters to further configure a connection.
|
|
|
|
|
|
|
2020-04-09 17:56:59 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
|
| :----- | :----------------------- |
|
|
|
|
|
|
| `POST` | `/database/config/:name` |
|
2020-02-07 22:09:39 +00:00
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
|
|
- `public_key` `(string: <required>)` – The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.
|
|
|
|
|
|
- `private_key` `(string: <required>)` - The Private Programmatic API Key used to connect with MongoDB Atlas API.
|
|
|
|
|
|
- `project_id` `(string: <required>)` - The [Project ID](https://docs.atlas.mongodb.com/api/#project-id) the Database User should be created within.
|
2023-01-26 00:12:15 +00:00
|
|
|
|
- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
|
2021-11-01 20:17:55 +00:00
|
|
|
|
dynamic usernames are generated.
|
|
|
|
|
|
|
2020-02-07 22:09:39 +00:00
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
|
{
|
|
|
|
|
|
"plugin_name": "mongodbatlas-database-plugin",
|
|
|
|
|
|
"allowed_roles": "readonly",
|
|
|
|
|
|
"public_key": "aPublicKey",
|
|
|
|
|
|
"private_key": "aPrivateKey",
|
|
|
|
|
|
"project_id": "aProjectID"
|
|
|
|
|
|
}
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2020-02-07 22:09:39 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
|
--request POST \
|
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
|
http://127.0.0.1:8200/v1/database/config/mongodbatlas
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## Statements
|
|
|
|
|
|
|
|
|
|
|
|
Statements are configured during Vault role creation and are used by the plugin to
|
|
|
|
|
|
determine what is sent to MongoDB Atlas upon user creation, renewal, and
|
2023-01-26 00:12:15 +00:00
|
|
|
|
revocation. For more information on configuring roles see the [Role API](/vault/api-docs/secret/databases#create-role)
|
2020-02-07 22:09:39 +00:00
|
|
|
|
in the Database Secrets Engine docs.
|
|
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
|
|
The following are the statements used by this plugin. If not mentioned in this
|
|
|
|
|
|
list the plugin does not support that statement type.
|
|
|
|
|
|
|
|
|
|
|
|
- `creation_statements` `(string: <required>)` – Specifies the database
|
|
|
|
|
|
statements executed to create and configure a user. Must be a
|
|
|
|
|
|
serialized JSON object, or a base64-encoded serialized JSON object.
|
|
|
|
|
|
The object can optionally contain a `database_name`, the name of
|
|
|
|
|
|
the authentication database to log into MongoDB. In Atlas deployments of
|
2020-10-27 13:24:51 +00:00
|
|
|
|
MongoDB, the authentication database is always the admin database. The object
|
|
|
|
|
|
must also contain a `roles` array, and from Vault version 1.6.0 (plugin
|
|
|
|
|
|
version 0.2.0) may optionally contain a `scopes` array. The `roles` array
|
|
|
|
|
|
contains objects that hold a series of roles `roleName`, an optional
|
2020-12-17 21:53:33 +00:00
|
|
|
|
`databaseName` and `collectionName` value. The `scopes` array determines
|
2020-10-27 13:24:51 +00:00
|
|
|
|
which clusters and data lakes the user has access to, and defaults to all
|
|
|
|
|
|
scopes if omitted. For more information regarding the `roles` and `scopes`
|
|
|
|
|
|
fields, refer to [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/reference/api/database-users-create-a-user/).
|
2020-02-07 22:09:39 +00:00
|
|
|
|
- `default_ttl` `(string/int): 0` - Specifies the TTL for the leases associated with this role.
|
|
|
|
|
|
Accepts time suffixed strings (`1h`) or an integer number of seconds. Defaults to system/engine default TTL time.
|
|
|
|
|
|
- `max_ttl` `(string/int): 0` - Specifies the maximum TTL for the leases associated with this role. Accepts time
|
2021-12-20 20:07:59 +00:00
|
|
|
|
suffixed strings (`1h`) or an integer number of seconds. Defaults to `sys/mounts` default TTL time; this value
|
2020-02-07 22:09:39 +00:00
|
|
|
|
is allowed to be less than the mount max TTL (or, if not set, the system max TTL),
|
2023-01-26 00:12:15 +00:00
|
|
|
|
but it is not allowed to be longer. See also [The TTL General Case](/vault/docs/concepts/tokens#the-general-case).
|
2020-02-07 22:09:39 +00:00
|
|
|
|
|
|
|
|
|
|
### Sample Creation Statement
|
|
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
|
{
|
2020-04-09 17:56:59 +00:00
|
|
|
|
"database_name": "admin",
|
|
|
|
|
|
"roles": [
|
|
|
|
|
|
{
|
|
|
|
|
|
"databaseName": "admin",
|
|
|
|
|
|
"roleName": "atlasAdmin"
|
|
|
|
|
|
},
|
|
|
|
|
|
{
|
|
|
|
|
|
"collectionName": "acollection",
|
|
|
|
|
|
"roleName": "read"
|
|
|
|
|
|
}
|
2020-10-27 13:24:51 +00:00
|
|
|
|
],
|
|
|
|
|
|
"scopes": [
|
|
|
|
|
|
{
|
|
|
|
|
|
"name": "a-cluster",
|
|
|
|
|
|
"type": "CLUSTER"
|
|
|
|
|
|
}
|
2020-04-09 17:56:59 +00:00
|
|
|
|
]
|
2020-02-07 22:09:39 +00:00
|
|
|
|
}
|
|
|
|
|
|
```
|
