How To: Hashicorp Vault Integration with MongoDB


1. Install Go programming language

1.1 Download the tar file from https://dl.google.com/go/go1.11.linux-amd64.tar.gz
1.2 Extract it to /usr/local, creating a Go tree in /usr/local/go, with the following command:

tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz

1.3 Add /usr/local/go/bin to the PATH environment variable. You can do this by adding this line to your /etc/profile (for a system-wide installation) or $HOME/.profile:

export PATH=$PATH:/usr/local/go/bin

1.4 Edit your ~/.bash_profile to add the following line:

export GOPATH=$HOME/go

1.5 Save and exit your editor. Then, source your ~/.bash_profile.

source ~/.bash_profile

2. Install Vault

2.1 Download the appropriate file for your system from here – https://www.vaultproject.io/downloads.html

2.2 Unzip it into any directory and run the executable file:

vault

3. Implement MongoDB Database Secrets Engine

3.1 Enable the database secrets engine

vault secrets enable database

It should return status “Success! Enabled the database secrets engine at: database/”

3.2 Configure Vault with the proper plugin and connection information

vault write database/config/my-mongodb-database \
plugin_name=mongodb-database-plugin \
allowed_roles="my-role" \
connection_url="mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true" \
username="admin" \
password="Password!"

3.3 Configure a role that maps a name in Vault to a creation statement (for the MongoDB plugin this is a JSON document, not SQL) that Vault executes to create the database credential:

vault write database/roles/my-role \
db_name=my-mongodb-database \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
default_ttl="1h" \
max_ttl="24h"

Success! Data written to: database/roles/my-role

4. Usage

After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials.

4.1 Generate a new credential by reading from the /creds endpoint with the name of the role:

vault read database/creds/my-role

Key                Value
---                -----
lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
lease_duration     1h
lease_renewable    true
password           8cab931c-d62e-a73d-60d3-5ee85139cd66
username           v-root-e2978cd0-

5. Connect Vault with MongoDB

To connect Vault to a local MongoDB replica set (the same instance you reach from the Mongo shell), use the following commands:

./vault mount -path database database

(`vault mount` is the older CLI form; on current Vault releases it is `vault secrets enable database`, as in step 3.1.)

./vault write database/config/mongodb \
plugin_name=mongodb-database-plugin \
connection_url="mongodb://vault:vault.8@127.0.0.1:27017/admin?replicaSet=replset" \
allowed_roles="*"

Note that this configuration embeds the root credentials literally in connection_url and lets every role (allowed_roles="*") use the connection; the templated {{username}}/{{password}} form with an explicit role list, as in step 3.2, is the tighter setting.

./vault write database/roles/adm \
db_name=mongodb \
creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
default_ttl="1h" \
max_ttl="24h"

Here db_name must be the name of the config entry written above (database/config/mongodb), not the name of the secrets engine mount.
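As an added example (not code from the original post or from HashiCorp), the helpers below work with the artefacts of steps 3.2, 3.3, 4.1 and 5: they parse the Key/Value table that `vault read` prints, fill the {{username}}/{{password}} template with a percent-encoded leased password so it can be used as a MongoDB URI, list the roles a creation_statements document grants, and flag the weak settings in a config entry (wildcard allowed_roles, literal credentials, no TLS). The sample output is constructed, and a role with no explicit "db" is reported against the top-level "db" here by assumption.

```python
import json
from urllib.parse import quote

# Constructed sample of `vault read database/creds/my-role` output (not real leased values)
SAMPLE_CREDS = """\
Key                Value
---                -----
lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
lease_duration     1h
lease_renewable    true
password           p@ss:word/with#specials
username           v-root-my-role-abc123
"""

def parse_vault_read(text):
    """Turn the Key/Value table printed by `vault read` into a dict."""
    fields = {}
    for line in text.splitlines()[2:]:        # skip the 'Key  Value' header and the '---' rule
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields

def render_connection_url(template, username, password):
    """Fill the {{username}}/{{password}} placeholders (step 3.2) with percent-encoded values,
    so characters such as '@', ':' or '/' in a leased password cannot break the URI."""
    return (template.replace("{{username}}", quote(username, safe=""))
                    .replace("{{password}}", quote(password, safe="")))

def parse_creation_statements(raw):
    """Return (role, db) pairs from the JSON creation_statements of step 3.3.
    Assumption: a role without its own 'db' is reported against the top-level 'db'."""
    doc = json.loads(raw)
    return [(r["role"], r.get("db", doc["db"])) for r in doc["roles"]]

def audit_config(config):
    """Flag settings in a database/config/* entry that a reviewer would want tightened."""
    findings = []
    if config.get("allowed_roles") == "*":
        findings.append("allowed_roles is '*': every role may use this connection; list roles explicitly")
    url = config.get("connection_url", "")
    if "{{username}}" not in url or "{{password}}" not in url:
        findings.append("connection_url embeds literal credentials; use {{username}}/{{password}} "
                        "with the separate username= and password= fields so Vault can rotate them")
    if "ssl=true" not in url and "tls=true" not in url:
        findings.append("connection_url has no ssl=true/tls=true: root credentials travel in cleartext")
    return findings
```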
