luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/secrets/databases/mongodb.html.md
Calvin Leung Huang 9fd39a0681 Mongodb plugin (#2698) 
* WIP on mongodb plugin

* Add mongodb plugin

* Add tests

* Update mongodb.CreateUser() comment

* Update docs

* Add missing docs

* Fix mongodb docs

* Minor comment and test updates

* Fix imports

* Fix dockertest import

* Set c.Initialized at the end, check for empty CreationStmts first on CreateUser

* Remove Initialized check on Connection()

* Add back Initialized check

* Update docs

* Move connProducer and credsProducer into pkg for  mongodb and cassandra

* Chage parseMongoURL to be a private func

* Default to admin if no db is provided in creation_statements

* Update comments and docs
2017-05-11 17:38:54 -04:00

1.9 KiB
Raw Blame History

layout page_title sidebar_current description
docs MongoDB Database Plugin docs-secrets-databases-mongodb The MongoDB plugin for Vault's Database backend generates database credentials to access MongoDB.

MongoDB Database Plugin

Name: mongodb-database-plugin

The MongoDB Database Plugin is one of the supported plugins for the Database backend. This plugin generates database credentials dynamically based on configured roles for the MongoDB database.

See the Database Backend docs for more information about setting up the Database Backend.

Quick Start

After the Database Backend is mounted you can configure a MongoDB connection by specifying this plugin as the "plugin_name" argument. Here is an example MongoDB configuration:

$ vault write database/config/mongodb \
    plugin_name=mongodb-database-plugin \
    allowed_roles="readonly" \
    connection_url="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true" 

The following warnings were returned from the Vault server:
* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.

Once the MongoDB connection is configured we can add a role:

$ vault write database/roles/readonly \
    db_name=mongodb \
    creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
    default_ttl="1h" \
    max_ttl="24h"

Success! Data written to: database/roles/readonly

This role can be used to retrieve a new set of credentials by querying the "database/creds/readonly" endpoint.

API

The full list of configurable options can be seen in the MongoDB database plugin API page.

For more information on the Database secret backend's HTTP API please see the Database secret backend API page.