--- layout: 'api' page_title: 'MongoDB Atlas - Database - Secrets Engines - HTTP API' description: |- The MongoDB Atlas plugin for Vault's Database Secrets Engine generates MongoDB Database User credentials for MongoDB Atlas. --- # MongoDB Atlas Database Plugin HTTP API The MongoDB Atlas plugin is one of the supported plugins for the Database Secrets Engine. This plugin generates MongoDB Atlas Database User credentials dynamically based on configured roles. ## Configure Connection In addition to the parameters defined by the [Database Backend](/api/secret/databases#configure-connection), this plugin has a number of parameters to further configure a connection. | Method | Path | | :----- | :----------------------- | | `POST` | `/database/config/:name` | ### Parameters - `public_key` `(string: )` – The Public Programmatic API Key used to authenticate with the MongoDB Atlas API. - `private_key` `(string: )` - The Private Programmatic API Key used to connect with MongoDB Atlas API. - `project_id` `(string: )` - The [Project ID](https://docs.atlas.mongodb.com/api/#project-id) the Database User should be created within. ### Sample Payload ```json { "plugin_name": "mongodbatlas-database-plugin", "allowed_roles": "readonly", "public_key": "aPublicKey", "private_key": "aPrivateKey", "project_id": "aProjectID" } ``` ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/database/config/mongodbatlas ``` ## Statements Statements are configured during Vault role creation and are used by the plugin to determine what is sent to MongoDB Atlas upon user creation, renewal, and revocation. For more information on configuring roles see the [Role API](/api/secret/databases#create-role) in the Database Secrets Engine docs. ### Parameters The following are the statements used by this plugin. If not mentioned in this list the plugin does not support that statement type. - `creation_statements` `(string: )` – Specifies the database statements executed to create and configure a user. Must be a serialized JSON object, or a base64-encoded serialized JSON object. The object can optionally contain a `database_name`, the name of the authentication database to log into MongoDB. In Atlas deployments of MongoDB, the authentication database is always the admin database. The object must also contain a `roles` array, and from Vault version 1.6.0 (plugin version 0.2.0) may optionally contain a `scopes` array. The `roles` array contains objects that hold a series of roles `roleName`, an optional `databaseName` and `collectionName` value. The `scopes` array determines which clusters and data lakes the user has access to, and defaults to all scopes if omitted. For more information regarding the `roles` and `scopes` fields, refer to [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/reference/api/database-users-create-a-user/). - `default_ttl` `(string/int): 0` - Specifies the TTL for the leases associated with this role. Accepts time suffixed strings (`1h`) or an integer number of seconds. Defaults to system/engine default TTL time. - `max_ttl` `(string/int): 0` - Specifies the maximum TTL for the leases associated with this role. Accepts time suffixed strings (`1h`) or an integer number of seconds. Defaults to system/mount default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](/docs/concepts/tokens#the-general-case). ### Sample Creation Statement ```json { "database_name": "admin", "roles": [ { "databaseName": "admin", "roleName": "atlasAdmin" }, { "collectionName": "acollection", "roleName": "read" } ], "scopes": [ { "name": "a-cluster", "type": "CLUSTER" } ] } ```