MongoDB Dynamic Secrets

Once you have installed the DSV Engine, you can use DSV to create dynamic secrets.

Base Secret

Base secret data defines how to establish a connection with a MongoDB server. All values are required and are used to build a connection string in URL format. The attributes of a base secret must include a type; for MongoDB, the type attribute must always be mongo.

Create a file named mongodb_base.json, substituting your values:

{
  "host": "your.host",
  "port": 8081,
  "username": "mongodb",
  "password": "myp@ssword"
}

Create a secret using the CLI at a path of your choosing:

dsv secret create \
    --path db:mongodb:root \
    --data @mongodb_base.json \
    --attributes '{"type": "mongo"}'

Dynamic Secret

A dynamic secret will be linked to the base secret. One base secret can have many dynamic secrets linked to it.

Create a file named mongodb_dynamic1.json, substituting your values:

{
  "linkConfig": {
    "linkType": "dynamic",
    "linkedSecret": "db:mongodb:root"
  },
  "grantPermissions": {
    "what": "readWrite",
    "where": "mydb"
  },
  "pool": "pool1",
  "ttl": 1000,
  "userPrefix": "usr"
}

Create a dynamic secret using the CLI at a path of your choosing:

dsv secret create --path db:mongodb:dynamic1 --attributes @mongodb_dynamic1.json

When creating a dynamic secret, the data field must be left empty; all configuration goes into the attributes.

Attributes description:

  1. linkConfig: denotes that this is a dynamic secret linked to a base secret:
     • linkType: must always be dynamic
     • linkedSecret: the path of the base secret
  2. grantPermissions: defines the access privileges granted to the new user:
     • what: a specific MongoDB role name, e.g. read or readWrite
     • where: the database in which the role is granted
  3. pool: the name of the engine pool to use
  4. ttl: the number of seconds before the engine automatically deletes the new credentials; must be set at or above 900
  5. userPrefix: an optional prefix for the new username
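The following is an added example, not part of the DSV documentation or product code: it checks a base secret and a dynamic-secret attribute document against the rules listed above (required fields, type mongo, linkType dynamic, ttl at or above 900) before you hand them to dsv secret create, and builds a connection URI from the base data. The URI shape is an assumption, since the page does not show DSV's exact format; the point it demonstrates is that a password such as myp@ssword must be percent-encoded.

```python
from urllib.parse import quote

# Sample documents constructed from the page's mongodb_base.json and mongodb_dynamic1.json.
BASE_SECRET = {"host": "your.host", "port": 8081, "username": "mongodb", "password": "myp@ssword"}
BASE_ATTRIBUTES = {"type": "mongo"}
DYNAMIC_ATTRIBUTES = {
    "linkConfig": {"linkType": "dynamic", "linkedSecret": "db:mongodb:root"},
    "grantPermissions": {"what": "readWrite", "where": "mydb"},
    "pool": "pool1",
    "ttl": 1000,
    "userPrefix": "usr",
}
MIN_TTL = 900  # the page states ttl must be set at or above 900 seconds


def check_base(data: dict, attributes: dict) -> list:
    """Problems with a MongoDB base secret; an empty list means it is valid."""
    problems = []
    for key in ("host", "port", "username", "password"):  # all four are required
        if data.get(key) in ("", None):
            problems.append(f"base data: required field '{key}' is missing")
    if attributes.get("type") != "mongo":
        problems.append("base attributes: type must be 'mongo'")
    return problems


def check_dynamic(attributes: dict) -> list:
    """Problems with dynamic-secret attributes; userPrefix is optional so it is not checked."""
    problems = []
    link = attributes.get("linkConfig") or {}
    if link.get("linkType") != "dynamic":
        problems.append("linkConfig.linkType must be 'dynamic'")
    if not link.get("linkedSecret"):
        problems.append("linkConfig.linkedSecret must be the path of the base secret")
    grant = attributes.get("grantPermissions") or {}
    for key in ("what", "where"):
        if not grant.get(key):
            problems.append(f"grantPermissions.{key} is required")
    if not attributes.get("pool"):
        problems.append("pool is required")
    ttl = attributes.get("ttl")
    if not isinstance(ttl, int) or ttl < MIN_TTL:
        problems.append(f"ttl must be an integer >= {MIN_TTL} seconds")
    return problems


def connection_uri(data: dict) -> str:
    """Assumed URL-format connection string (the page does not show DSV's exact format).
    Username and password are percent-encoded so an '@' in the password cannot break the URI."""
    user, pwd = quote(str(data["username"]), safe=""), quote(str(data["password"]), safe="")
    return f"mongodb://{user}:{pwd}@{data['host']}:{data['port']}"
```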

To create a new user and assign privileges, the db.createUser() method is used.

Sending a MongoDB task to an engine

Read the MongoDB dynamic secret. A randomly chosen engine in the engine pool should receive the task and perform it. The engine attempts to create a MongoDB account and reports back success or failure. On success, the user also receives the new working credentials. As long as there is at least one running engine in a given pool, an engine will receive a MongoDB account revocation task and delete the account once its TTL expires.

List MongoDB Base Secrets

To find all base secrets that are related to MongoDB run:

dsv secret search --query "mongo" --search-field "attributes.type"

List Dynamic Secrets

To find all dynamic secrets that are linked to a specific base secret run:

dsv secret search --query "db:mongodb:root" --search-links

Read Dynamic Secret Attributes

Using the secret read CLI command on a dynamic secret initiates the creation of new credentials. To inspect a dynamic secret without creating credentials, use the secret describe CLI command instead.

Example:

dsv secret describe db:mongodb:dynamic1

The secret describe command does not return the secret data field, but for dynamic secrets that field is always empty.

Third Party Reference

For server configuration details, refer to MongoDB Database Documentation.