How To: Hashicorp Vault Integration with MongoDB


1. Install Go programming language
1.1 Download the tar file from https://dl.google.com/go/go1.11.linux-amd64.tar.gz
1.2 Extract it into /usr/local, which creates the Go tree in /usr/local/go, using the following command (the file name matches the archive downloaded in 1.1):

tar -C /usr/local -xzf go1.11.linux-amd64.tar.gz

1.3 Add /usr/local/go/bin to the PATH environment variable. You can do this by adding this line to your /etc/profile (for a system-wide installation) or $HOME/.profile:

export PATH=$PATH:/usr/local/go/bin

1.4 Edit your ~/.bash_profile to add the following line:

export GOPATH=$HOME/go

1.5 Save and exit your editor. Then, source your ~/.bash_profile.

source ~/.bash_profile

2. Install Vault
2.1 Download the appropriate file for your system from here
2.2 Unzip it into any directory and run the executable (the binary is named vault; put the directory on your PATH or call it with its full path):

vault

3. Implement MongoDB Database Secrets Engine
3.1 Enable the database secrets engine

vault secrets enable database

It should return status “Success! Enabled the database secrets engine at: database/”

3.2 Configure Vault with the proper plugin and connection information. The username and password given here are the privileged MongoDB account Vault itself uses to create and drop users; the {{username}} and {{password}} placeholders in connection_url are filled from those two fields:

vault write database/config/my-mongodb-database \
     plugin_name=mongodb-database-plugin \
     allowed_roles="my-role" \
     connection_url="mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true" \
     username="admin" \
     password="Password!"

3.3 Configure a role that maps a name in Vault to a creation statement (for the MongoDB plugin this is a JSON document, not SQL) that Vault executes to create the database user. Its "roles" list defines the MongoDB privileges every generated credential receives, so keep it to the minimum the consuming application needs:

vault write database/roles/my-role \
     db_name=my-mongodb-database \
     creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
     default_ttl="1h" \
     max_ttl="24h"
 Success! Data written to: database/roles/my-role

4. Usage

After the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials.

4.1 Generate a new credential by reading from the /creds endpoint with the name of the role:

vault read database/creds/my-role
 Key                Value
 ---                -----
 lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
 lease_duration     1h
 lease_renewable    true
 password           8cab931c-d62e-a73d-60d3-5ee85139cd66
 username           v-root-e2978cd0-
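The following Python is an added example and is not part of the original how-to. It covers the two client-side pieces the steps above leave implicit: checking a role definition like the one in 3.3 before writing it (valid JSON, a db, a non-empty roles list, default_ttl not above max_ttl), and turning the table printed by vault read in 4.1 into a MongoDB URI with the username and password percent-encoded. The parser assumes the Key/Value layout shown in 4.1; SAMPLE_VAULT_OUTPUT, the host name, and the renew_after fraction are constructed for the example.

```python
# Added example, not part of the original how-to: client-side handling of the
# role definition from step 3.3 and the credentials returned in step 4.1.
# Assumptions (labelled): the `vault read` table layout matches section 4.1,
# and SAMPLE_VAULT_OUTPUT below is constructed sample data, not real output.
import json
import re
from urllib.parse import quote_plus

# Constructed sample in the layout of `vault read database/creds/my-role`.
SAMPLE_VAULT_OUTPUT = """\
Key                Value
---                -----
lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
lease_duration     1h
lease_renewable    true
password           8cab931c-d62e-a73d-60d3-5ee85139cd66
username           v-root-my-role-AbC123
"""

# The role definition written in step 3.3 (copied from the how-to).
CREATION_STATEMENTS = '{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }'

_DURATION_RE = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert a Vault duration string such as '1h' or '24h' to seconds."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def validate_role(creation_statements, default_ttl, max_ttl):
    """Sanity-check a role before `vault write database/roles/<name>`:
    the statement must be JSON naming a db and a non-empty roles list,
    every entry must carry a role name, and default_ttl <= max_ttl."""
    doc = json.loads(creation_statements)
    if "db" not in doc or not isinstance(doc.get("roles"), list) or not doc["roles"]:
        raise ValueError("creation_statements needs a 'db' and a non-empty 'roles' list")
    for entry in doc["roles"]:
        if "role" not in entry:
            raise ValueError(f"roles entry without a role name: {entry}")
    if parse_duration(default_ttl) > parse_duration(max_ttl):
        raise ValueError("default_ttl must not exceed max_ttl")
    return doc


def parse_vault_read(output):
    """Parse the Key/Value table printed by `vault read` into a dict."""
    creds = {}
    for line in output.splitlines():
        parts = re.split(r"\s+", line.strip(), maxsplit=1)
        if len(parts) != 2 or parts[0] in ("Key", "---"):
            continue
        creds[parts[0]] = parts[1]
    for required in ("username", "password", "lease_id", "lease_duration"):
        if required not in creds:
            raise ValueError(f"vault output is missing {required}")
    return creds


def mongo_uri(creds, host, auth_source="admin", tls=True):
    """Build a MongoDB URI from Vault-issued credentials. Username and password
    are percent-encoded so characters such as ':' or '@' cannot break the URI."""
    user = quote_plus(creds["username"])
    password = quote_plus(creds["password"])
    ssl = "true" if tls else "false"
    return f"mongodb://{user}:{password}@{host}/{auth_source}?ssl={ssl}"


def renew_after(creds, fraction=2 / 3):
    """Seconds after issue at which a client should renew the lease (or fetch
    fresh credentials), leaving a margin before lease_duration expires."""
    return int(parse_duration(creds["lease_duration"]) * fraction)


if __name__ == "__main__":
    validate_role(CREATION_STATEMENTS, "1h", "24h")
    creds = parse_vault_read(SAMPLE_VAULT_OUTPUT)
    print(mongo_uri(creds, "mongodb.acme.com:27017"))
    print("renew lease", creds["lease_id"], "after", renew_after(creds), "seconds")
```

In a real client the table would come from running vault read (or vault read -format=json, which avoids the parsing step), and the lease_id kept from the output is what you hand to vault lease revoke when the application is finished with the credentials, rather than waiting for the 1h default TTL to expire.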

5. Connect Vault with MongoDB

The following commands configure Vault against a local MongoDB replica set (replset) and define an adm role; credentials read from database/creds/adm can then be used to log in with the Mongo shell. The first command is the older CLI form of the vault secrets enable -path=database database used in step 3.1. Unlike step 3.2, this connection_url embeds the privileged account (vault / vault.8) directly instead of using the {{username}}/{{password}} template:

./vault mount -path database database

./vault write database/config/mongodb \
     plugin_name=mongodb-database-plugin \
     connection_url="mongodb://vault:vault.8@127.0.0.1:27017/admin?replicaSet=replset" \
     allowed_roles="*"

./vault write database/roles/adm \
     db_name=mongodb \
     creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
     default_ttl="1h" \
     max_ttl="24h"

Note that db_name must match the name of the connection written under database/config/ (here mongodb), and the stray comma that would otherwise follow the port in the connection URL has been removed.