1. Install Go programming language
1.1 Download the tar file from https://dl.google.com/go/go1.11.linux-amd64.tar.gz
1.3 Extract it to /usr/local, creating a Go tree in /usr/local/go, using the following command (the file name matches the archive downloaded in 1.1):
tar -C /usr/local -xzf go1.11.linux-amd64.tar.gz
1.3 Add /usr/local/go/bin to the PATH environment variable. You can do this by adding this line to your /etc/profile (for a system-wide installation) or $HOME/.profile:
export PATH=$PATH:/usr/local/go/bin
1.4 Edit your ~/.bash_profile to add the following line:
export GOPATH=$HOME/go
1.5 Save and exit your editor. Then, source your ~/.bash_profile.
source ~/.bash_profile
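As an added example (not part of the original guide), the script below carries out step 1 unattended. It differs from the steps above in two ways a security engineer would want: it refuses to extract the tarball unless its SHA-256 matches the value you paste in from the Go downloads page (the checksum variable below is a placeholder, not a real hash), and it adds the PATH and GOPATH lines to ~/.bash_profile only once, so re-running it does not duplicate them. The names GO_SHA256, GO_INSTALL_RUN, add_line_once and verify_sha256 are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): install the Go toolchain as
# step 1 describes, but verify the tarball's SHA-256 before extracting it and
# add the profile lines only once.
# Assumption (labelled): GO_SHA256 is a placeholder; paste the real digest
# published on the Go downloads page before running the installer.

GO_VERSION="1.11"
GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
GO_URL="https://dl.google.com/go/${GO_TARBALL}"
GO_SHA256="<paste-sha256-from-the-go-downloads-page>"   # placeholder, not a real hash

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only when FILE's digest equals EXPECTED.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# add_line_once LINE FILE: append LINE to FILE unless an identical line is
# already present, so re-running the installer never duplicates profile entries.
add_line_once() {
    line=$1; file=$2
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# install_go: download, verify, extract, and wire up PATH/GOPATH as in steps 1.2-1.5.
install_go() {
    tmp=$(mktemp -d)
    curl -fsSL -o "$tmp/$GO_TARBALL" "$GO_URL"
    if ! verify_sha256 "$tmp/$GO_TARBALL" "$GO_SHA256"; then
        echo "checksum mismatch for $GO_TARBALL; refusing to install" >&2
        rm -rf "$tmp"
        return 1
    fi
    sudo rm -rf /usr/local/go
    sudo tar -C /usr/local -xzf "$tmp/$GO_TARBALL"
    rm -rf "$tmp"
    add_line_once 'export PATH=$PATH:/usr/local/go/bin' "$HOME/.bash_profile"
    add_line_once 'export GOPATH=$HOME/go' "$HOME/.bash_profile"
    # shellcheck disable=SC1090
    . "$HOME/.bash_profile"
    go version
}

# Run the installer only when asked, so the helpers can also be sourced and reused.
if [ "${GO_INSTALL_RUN:-0}" = "1" ]; then
    install_go
fi
```

Run it as GO_INSTALL_RUN=1 sh install-go.sh after pasting the published digest into GO_SHA256; a mismatch (a truncated download or a tampered mirror) stops the script before anything lands in /usr/local.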
2. Install Vault
2.1 Download the appropriate file for your system from here
2.2 Unzip it into any directory and run the executable file from that directory:
./vault
3. Implement MongoDB Database Secrets Engine
3.1 Enable the database secrets engine
vault secrets enable database
It should return status “Success! Enabled the database secrets engine at: database/”
3.2 Configure Vault with the proper plugin and connection information
vault write database/config/my-mongodb-database \
    plugin_name=mongodb-database-plugin \
    allowed_roles="my-role" \
    connection_url="mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true" \
    username="admin" \
    password="Password!"
3.3 Configure a role that maps a name in Vault to a creation statement (for MongoDB, a JSON document rather than an SQL statement) that Vault executes to create the database credential:
vault write database/roles/my-role \
    db_name=my-mongodb-database \
    creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: database/roles/my-role
4. Usage
After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials.
4.1 Generate a new credential by reading from the /creds endpoint with the name of the role:
vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
lease_duration     1h
lease_renewable    true
password           8cab931c-d62e-a73d-60d3-5ee85139cd66
username           v-root-e2978cd0-
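Added example, not from the original guide: a small wrapper around step 4.1 that fetches a credential, hands it to one command as MONGO_USER/MONGO_PASS, and revokes the lease as soon as that command returns, so the password stops working when the task ends rather than at the 1h default_ttl. It parses the Key/Value table that `vault read` prints; `vault lease revoke` is the Vault 0.10+ CLI syntax. The role name my-role and the MONGO_HOST/MONGO_DB variables in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): fetch a dynamic MongoDB
# credential from Vault, use it for a single task, and revoke the lease
# immediately afterwards instead of letting it live out its TTL.
# Assumptions (labelled): role database/creds/my-role as in step 4.1;
# `mongo` on PATH and MONGO_HOST/MONGO_DB set by the caller for the usage line.

# parse_cred_field FIELD: read `vault read` table output on stdin and print
# the value of FIELD (lease_id, username, password, ...).
parse_cred_field() {
    awk -v key="$1" '$1 == key { print $2 }'
}

# fetch_cred ROLE: print "lease_id username password" for a fresh credential.
fetch_cred() {
    out=$(vault read "database/creds/$1") || return 1
    lease=$(printf '%s\n' "$out" | parse_cred_field lease_id)
    user=$(printf '%s\n' "$out" | parse_cred_field username)
    pass=$(printf '%s\n' "$out" | parse_cred_field password)
    printf '%s %s %s\n' "$lease" "$user" "$pass"
}

# with_dynamic_cred ROLE CMD...: run CMD with MONGO_USER/MONGO_PASS in its
# environment, then revoke the lease whatever CMD's exit status was.
with_dynamic_cred() {
    role=$1; shift
    cred=$(fetch_cred "$role") || return 1
    lease=${cred%% *}
    rest=${cred#* }
    user=${rest%% *}
    pass=${rest#* }
    MONGO_USER=$user MONGO_PASS=$pass "$@"
    status=$?
    # Revoke now: MongoDB drops the user at once, not at lease expiry.
    vault lease revoke "$lease"
    return $status
}

# Usage (assumed environment): count the collections in MONGO_DB with a
# credential that exists only for the duration of this one command.
#   MONGO_HOST=127.0.0.1:27017 MONGO_DB=foo with_dynamic_cred my-role sh -c \
#     'mongo --quiet -u "$MONGO_USER" -p "$MONGO_PASS" --authenticationDatabase admin \
#        "$MONGO_HOST/$MONGO_DB" --eval "db.stats().collections"'
```

Passing the password with -p on the mongo command line exposes it in ps output on the host; for anything beyond a test, feed it through a config file or the shell's password prompt instead. The revoke after the task is the part that matters: the lease shown in step 4.1 otherwise keeps the user alive for the full default_ttl even if the job finished in seconds.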
5. Connect Vault with MongoDB
To point Vault at a local MongoDB replica set (this example assumes a MongoDB user vault with password vault.8 on 127.0.0.1:27017 and a replica set named replset), use the following commands. The first line is the pre-0.10 CLI form of the step 3.1 command; on Vault 0.10 and later use vault secrets enable -path=database database instead.
./vault mount -path database database
./vault write database/config/mongodb \
    plugin_name=mongodb-database-plugin \
    connection_url="mongodb://vault:vault.8@127.0.0.1:27017/admin?replicaSet=replset" \
    allowed_roles="*"
./vault write database/roles/adm \
    db_name=mongodb \
    creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
    default_ttl="1h" \
    max_ttl="24h"
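Added example covering steps 3 and 5 together, not the guide's own commands: an idempotent configuration script that keeps the admin password out of the stored connection_url by using the {{username}}/{{password}} template, rotates that password with Vault's database/rotate-root endpoint so only Vault knows it afterwards, pins allowed_roles to one role instead of "*", grants the generated user only read on the application database, and uses short TTLs. It assumes the Vault 0.10+ CLI (vault secrets enable, vault write -f) and that MONGO_HOST, MONGO_ADMIN_USER and MONGO_ADMIN_PASS are supplied by the caller; CONFIG_NAME, ROLE_NAME, APP_DB, VAULT_CONFIGURE_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): configure the MongoDB
# secrets engine as in steps 3 and 5, but with the admin credential templated
# and rotated, a least-privilege role, and short TTLs.
# Assumptions (labelled): Vault 0.10+ CLI; MONGO_HOST, MONGO_ADMIN_USER and
# MONGO_ADMIN_PASS are set by the caller; application database "foo" is the
# one named in the guide's creation_statements.
set -eu

CONFIG_NAME=${CONFIG_NAME:-mongodb}
ROLE_NAME=${ROLE_NAME:-app-reader}
APP_DB=${APP_DB:-foo}

# creation_statement DB ROLE: build the JSON Vault passes to MongoDB createUser.
# The user is created in "admin" (where MongoDB authenticates it) but holds only
# ROLE on DB, instead of readWrite on admin as in the guide's example.
creation_statement() {
    printf '{ "db": "admin", "roles": [{ "role": "%s", "db": "%s" }] }' "$2" "$1"
}

# engine_enabled PATH: succeed if a secrets engine is already mounted at PATH/.
engine_enabled() {
    vault secrets list | awk '{print $1}' | grep -qx "$1/"
}

configure_engine() {
    engine_enabled database || vault secrets enable -path=database database

    # {{username}}/{{password}} keep the admin secret out of the stored URL;
    # allowed_roles is pinned to the single role that may use this connection.
    vault write "database/config/$CONFIG_NAME" \
        plugin_name=mongodb-database-plugin \
        allowed_roles="$ROLE_NAME" \
        connection_url="mongodb://{{username}}:{{password}}@${MONGO_HOST}/admin" \
        username="$MONGO_ADMIN_USER" \
        password="$MONGO_ADMIN_PASS"

    # Rotate the admin password so that from now on only Vault holds it.
    vault write -f "database/rotate-root/$CONFIG_NAME"

    # db_name must equal the name used under database/config/, or Vault cannot
    # find the connection when a credential for the role is requested.
    vault write "database/roles/$ROLE_NAME" \
        db_name="$CONFIG_NAME" \
        creation_statements="$(creation_statement "$APP_DB" read)" \
        default_ttl="15m" \
        max_ttl="1h"
}

# Run only when asked, so the helpers can be sourced and reused.
if [ "${VAULT_CONFIGURE_RUN:-0}" = "1" ]; then
    configure_engine
fi
```

The rotate-root step is one-way: once it runs, the admin password you supplied no longer works and cannot be read back from Vault, so keep a separate break-glass admin account before enabling it. If a workload really needs readWrite, give it its own role with its own creation statement rather than widening this one.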