MongoDB admin password
This tutorial will teach you how to provision MongoDB credentials using Vault.
Set up MongoDB to be ready for Vault
Connect to the MongoDB instance
You can use the MongoDB shell to connect to your instance:
mongo
You will see the following warning when you enter the shell. It tells you that access control is not enabled, so no admin password has been provisioned yet:
WARNING: Access control is not enabled for the database.
Read and write access to data and configuration is unrestricted.
Switch to the admin database
Once you are connected to the MongoDB shell, switch to the admin database:
use admin
Create the administrative user
Create a new administrative user for Vault by running the following command:
db.createUser({
user: "vaultuser",
pwd: "your_password_here",
roles: [ { role: "root", db: "admin" } ]
})
This will create a new administrative user with the username vaultuser and password your_password_here. You can replace your_password_here with a strong password of your choice. The command should respond with Successfully added user ...
Exit the MongoDB shell
Once you have created the administrative user, exit the MongoDB shell by running the following command:
exit
Restart MongoDB with authentication enabled
To enable authentication, you need to set auth = true in /etc/mongodb.conf:
cat /etc/mongodb.conf | grep auth
sudo tee -a /etc/mongodb.conf <<< "auth = true"
cat /etc/mongodb.conf | grep auth
Now you can restart MongoDB. The exact steps for doing this will depend on your operating system and how you installed MongoDB. For example, on Linux systems that use systemd, you can use the following command:
sudo systemctl restart mongodb
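The tee -a step above appends a second auth = true line every time it is run, and it does nothing useful if the file already carries auth = false. The following shell function, which is an added example and not part of the original tutorial, makes the change idempotent: it leaves an already-enabled file alone, flips an explicit auth = false to true, and only appends when no auth directive exists. It takes the config path as a parameter and is demonstrated on a constructed scratch copy, not on the real /etc/mongodb.conf, so it can be run without root and without a MongoDB install.

```shell
#!/bin/sh
# Added example (not from the original tutorial): enable MongoDB
# authentication in a legacy-format config file without duplicating
# the "auth = true" directive on repeated runs.

enable_mongo_auth() {
    conf="$1"
    # Already enabled (tolerates leading whitespace and spacing around '=').
    if grep -Eq '^[[:space:]]*auth[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "auth already enabled in $conf"
        return 0
    fi
    # Explicitly disabled: flip the existing line instead of adding a second one.
    if grep -Eq '^[[:space:]]*auth[[:space:]]*=[[:space:]]*false' "$conf"; then
        sed -E 's/^([[:space:]]*auth[[:space:]]*=[[:space:]]*)false/\1true/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
        echo "auth flipped from false to true in $conf"
        return 0
    fi
    # No auth directive at all: append one, as the tutorial's tee -a does.
    printf 'auth = true\n' >> "$conf"
    echo "auth = true appended to $conf"
}

# Number of auth directives in a config file; exactly 1 is the healthy state.
auth_line_count() {
    grep -Ec '^[[:space:]]*auth[[:space:]]*=' "$1" || true
}

# Demo on a constructed scratch config (assumed paths, not a real installation).
demo() {
    tmp=$(mktemp)
    printf 'dbpath=/var/lib/mongodb\nlogpath=/var/log/mongodb/mongodb.log\nauth = false\n' > "$tmp"
    enable_mongo_auth "$tmp"   # flips auth = false -> auth = true
    enable_mongo_auth "$tmp"   # second run is a no-op
    echo "auth directives: $(auth_line_count "$tmp")"   # 1, not 2 or 3
    rm -f "$tmp"
}

demo
```

Running auth_line_count against the real config after the tutorial's steps is a quick check that the restart will pick up a single, unambiguous setting; a count greater than one means tee -a was run more than once.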
Set up the Vault Database Secrets Engine for MongoDB
Starting the Dev Server
Start a Vault server in development mode (dev server). The dev server is a built-in, pre-configured server that is not very secure but useful for playing with Vault locally.
vault server -dev
Set environment variables
Then execute the following commands:
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="$(cat ~/.vault-token)"
Verify the Server is Running
Verify the server is running by running the vault status command. If it runs successfully, the output should look like the following:
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.13.1
Build Date      2023-03-23T12:51:35Z
Storage Type    inmem
Cluster Name    vault-cluster-141bcf10
Cluster ID      df9845ca-a0c1-d2b0-3eb7-45a845adfaee
HA Enabled      false
If the output looks completely different, restart the dev server and try again.
Congratulations! You've started your first Vault server.
Set up the Database Secrets Engine for MongoDB
1. Enable the database secrets engine
vault secrets enable database
2. Configure Vault with the proper plugin and connection information
vault write database/config/my-mongodb-database \
plugin_name=mongodb-database-plugin \
allowed_roles="my-role" \
connection_url="mongodb://{{username}}:{{password}}@127.0.0.1:27017/admin" \
username="vaultuser" \
password="your_password_here"
3. Configure a role that maps a name in Vault to a MongoDB command that executes and creates the database credential
vault write database/roles/my-role \
db_name=my-mongodb-database \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }] }' \
default_ttl="1h" \
max_ttl="24h"
If all of the above steps output Success! ..., congratulations! You have now finished the Database Secrets Engine setup for MongoDB.
Verify everything works by logging in with Vault-generated credentials
Get credentials
After the secrets engine is configured and a user has a Vault token with the proper permission, it can generate credentials:
vault read database/creds/my-role
Connect to the MongoDB instance with generated credentials
Now you can use the generated credentials to perform administrative tasks.
First, extract a usable username and password from the output of the vault read command above, saved here in credential.txt:
cat credential.txt
username=$(cat credential.txt | grep username | tr -s ' ' | cut -d' ' -f2)
password=$(cat credential.txt | grep password | tr -s ' ' | cut -d' ' -f2)
echo $username
echo $password
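The grep | tr | cut pipeline above works on the table output of vault read, but it matches any line containing the word, and it discards the lease_duration that tells you when the credential stops working (the role above sets default_ttl to 1h). The following shell functions, an added example rather than code from the tutorial, parse the table format by exact key name with awk and convert Vault's duration string into seconds so a script can schedule renewal or re-issue before expiry. The vault read output embedded below is constructed for the example, with placeholder lease id and password values, so it runs without a Vault server.

```shell
#!/bin/sh
# Added example (not from the original tutorial): parse the "table" output
# of `vault read database/creds/my-role` by exact key, and turn the
# lease_duration field into seconds.

# Constructed sample of vault read output; the lease id and password are
# placeholders, not values issued by a real server.
SAMPLE_CREDS='Key                Value
---                -----
lease_id           database/creds/my-role/EXAMPLE-LEASE-ID
lease_duration     1h
lease_renewable    true
password           EXAMPLE-PASSWORD-PLACEHOLDER
username           v-token-my-role-EXAMPLE'

# extract_field TEXT KEY: print the value whose first column equals KEY exactly.
# Unlike `grep KEY`, this cannot pick up a different line whose value merely
# contains the word, and it prints nothing for an unknown key.
extract_field() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# duration_to_seconds DURATION: accepts Vault-style strings such as 1h, 30m,
# 45s, 1h30m, or a bare number of seconds.
duration_to_seconds() {
    rest="$1"
    total=0
    while [ -n "$rest" ]; do
        num="${rest%%[hms]*}"                 # digits before the first unit letter
        unit_and_rest="${rest#"$num"}"
        if [ -z "$unit_and_rest" ]; then      # bare number: already seconds
            total=$(( total + num ))
            break
        fi
        unit="${unit_and_rest%"${unit_and_rest#?}"}"   # first character
        rest="${unit_and_rest#?}"
        case "$unit" in
            h) total=$(( total + num * 3600 )) ;;
            m) total=$(( total + num * 60 )) ;;
            s) total=$(( total + num )) ;;
            *) echo "unknown duration unit: $unit" >&2; return 1 ;;
        esac
    done
    echo "$total"
}

# Demo: build the mongo command line the tutorial uses, without echoing the
# password to the terminal (and therefore to shell history or a scrollback).
demo() {
    username=$(extract_field "$SAMPLE_CREDS" username)
    password=$(extract_field "$SAMPLE_CREDS" password)
    ttl=$(duration_to_seconds "$(extract_field "$SAMPLE_CREDS" lease_duration)")
    echo "username: $username"
    echo "credential valid for ${ttl}s; renew or re-read before then"
    echo "would run: mongo -u \"$username\" -p \"<redacted>\" --authenticationDatabase admin"
    : "$password"   # used by the real mongo invocation, never printed
}

demo
```

With a live server the same functions apply to the saved output, e.g. extract_field "$(cat credential.txt)" password; for scripts that only need one value, vault read -field=username database/creds/my-role avoids the parsing altogether.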
Then we can authenticate into the MongoDB database using the credential.
mongo -u "$username" -p "$password" --authenticationDatabase admin
Once you are authenticated, you can perform administrative tasks using the MongoDB shell, like creating a collection in the admin database:
use admin
db.createCollection("test2")
The command should work without any issues and respond with { "ok" : 1 }.
Verify that we need authentication
Now, let's try to perform administrative tasks without authentication. Try to create a collection again in the admin database.
exit
mongo
use admin
db.createCollection("test3")
Since we did not authenticate to the database, the command should fail with the following response:
{
"ok" : 0,
"errmsg" : "there are no users authenticated",
"code" : 13,
"codeName" : "Unauthorized"
}