MongoDB admin password

This tutorial will teach you how to provision MongoDB credentials using Vault.

Setup MongoDB to be ready for Vault

Connect to the MongoDB instance

You can use the MongoDB shell to connect to your instance:

mongo

You can see the following warning when you enter their shell. Now you know you haven't provisioned a secret admin password.

WARNING: Access control is not enabled for the database.
         Read and write access to data and configuration is unrestricted.

Switch to the admin database

Once you are connected to the MongoDB shell, switch to the admin database:

use admin

Create the administrative user

Create a new administrative user for Vault by running the following command:

db.createUser({
  user: "vaultuser",
  pwd: "your_password_here",
  roles: [ { role: "root", db: "admin" } ]
})

This will create a new administrative user with the username vaultuser and password your_password_here. You can replace your_password_here with a strong password of your choice. The command should respond with Successfully added user ....

Exit the MongoDB shell

Once you have created the administrative user, exit the MongoDB shell by running the following command:

exit

Restart MongoDB with authentication enabled

To enable authentication, you need to set auth = true in /etc/mongodb.conf

cat /etc/mongodb.conf | grep auth
sudo tee -a /etc/mongodb.conf <<< "auth = true"
cat /etc/mongodb.conf | grep auth

Now you can restart MongoDB. The exact steps for doing this will depend on your operating system and how you installed MongoDB. For example, on Linux systems that use systemd, you can use the following command:

sudo systemctl restart mongodb

Setup Vault Database Secrets Engine for MongoDB

Starting the Dev Server

Start a Vault server in development mode (dev server). The dev server is a built-in, pre-configured server that is not very secure but useful for playing with Vault locally.

vault server -dev

Set environment variables

Then execute the following commands:

export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="$(cat ~/.vault-token)"

Verify the Server is Running

Verify the server is running by running the vault status{{exec}} command. If it runs successfully, the output should look like the following:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.13.1
Build Date      2023-03-23T12:51:35Z
Storage Type    inmem
Cluster Name    vault-cluster-141bcf10
Cluster ID      df9845ca-a0c1-d2b0-3eb7-45a845adfaee
HA Enabled      false

If the output looks completely different, restart the dev server and try again.

Congratulations! You've started your first Vault server.

Setup Database Secrets Engine for MongoDB

1. Enable the database secrets engine

vault secrets enable database

2. Configure Vault with the proper plugin and connection information

vault write database/config/my-mongodb-database \
    plugin_name=mongodb-database-plugin \
    allowed_roles="my-role" \
    connection_url="mongodb://{{username}}:{{password}}@127.0.0.1:27017/admin" \
    username="vaultuser" \
    password="your_password_here"

3. Configure a role that maps a name in Vault to a MongoDB command that executes and creates the database credential

vault write database/roles/my-role \
    db_name=my-mongodb-database \
    creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }] }' \
    default_ttl="1h" \
    max_ttl="24h"

If all of the above steps output with Success! ..., congratulations! You have now finished the Database Secrets Engine setup for MongoDB.

Go to the Secrets engine tab, click Enable new engine + , then select Databases to enable a new database engine.
Configure Vault with the proper plugin and connection information by clicking into the database engine and selecting Connect a database.

Type in the necessary information for the connection.

Go back, select the Roles Tab and click on Create role.

Type in the necessary information for the role.

Get credentials

After the secrets engine is configured and a user has a Vault token with the proper permission, it can generate credentials:

vault read database/creds/my-role

Connect to the MongoDB instance with generated credentials

Now you can use the generated credentials in order to perform administrative tasks.

We first get a usable credential from the command we just used above.

cat credential.txt
username=$(cat credential.txt | grep username | tr -s ' ' | cut -d' ' -f2)
password=$(cat credential.txt | grep password | tr -s ' ' | cut -d' ' -f2)
echo $username
echo $password

Then we can authenticate into the MongoDB database using the credential.

mongo -u "$username" -p "$password" --authenticationDatabase admin

Once you are authenticated, you can perform administrative tasks using the MongoDB shell, like creating a collection in the admin database:

use admin
db.createCollection("test2")

The command should work without any issues (respond with { "ok" : 1 }).

Verify that we need authentication

Now, let's try to perform administrative tasks without authentication. Try to create a collection again in the admin database.

exit
mongo
use admin
db.createCollection("test3")

Since we didn't authenticate ourselves to the database, The command should fail with the following response:

{
    "ok" : 0,
    "errmsg" : "there are no users authenticated",
    "code" : 13,
    "codeName" : "Unauthorized"
}

PreviousNamespaces NextVM Disk Encryption Keys

Last updated 8 months ago