Configure Vault for MongoDB Dynamic Database Credentials

Check if all the vault pods are unsealed

CODE
kubectl -n vault exec -it vault-0 -- vault status
kubectl -n vault exec -it vault-1 -- vault status
kubectl -n vault exec -it vault-2 -- vault status
kubectl -n vault exec -it vault-3 -- vault status
kubectl -n vault exec -it vault-4 -- vault status

If the output reports Sealed true, unseal the pods using this guide. Do not follow the initialization steps; those are required only the first time Vault is deployed.

Check if the mongo-mongodb-ca secret is present in the vault namespace

CODE
kubectl get secrets -n vault

If it is not present, run the following command to copy it from the ef-external namespace:

CODE
kubectl get secret mongo-mongodb-ca -n ef-external -o yaml | sed 's/namespace: ef-external/namespace: vault/' | kubectl create -f -

Exec into the vault pod

CODE
kubectl -n vault exec -it vault-0 -- sh

Log in using the root token

CODE
vault login

Enable the database secrets engine

CODE
vault secrets enable database

Configure the MongoDB database plugin

CODE
vault write database/config/mongodb-database \
  plugin_name="mongodb-database-plugin" \
  allowed_roles="mongodb-role" \
  username="root" \
  password="Expertflow123" \
  connection_url="mongodb://{{username}}:{{password}}@mongo-mongodb.ef-external.svc.cluster.local:27017/?authSource=admin&tls=true&tlsCAFile=/vault/userconfig/mongo-mongodb-ca/mongodb-ca-cert&tlsCertificateKeyFile=/vault/userconfig/mongo-mongodb-ca/client-pem&tlsAllowInvalidHostnames=true"

If you want the role TTLs to be greater than 768h, first raise the TTLs on the database engine (they default to 768h); otherwise Vault caps the leases at the engine's maximum.

CODE
vault secrets tune -default-lease-ttl=2160h -max-lease-ttl=2160h database/

Configure a role for MongoDB

CODE
vault write database/roles/mongodb-role \
    db_name=mongodb-database \
    creation_statements='{ "db": "admin", "roles": [{ "role": "root", "db": "admin" }] }' \
    default_ttl="2160h" \
    max_ttl="2160h"

Write a policy for the role

CODE
vault policy write ef-policy - <<EOF
path "/transit/export/*" {
  capabilities = ["read"]
}
path "database/creds/*" {
 capabilities = ["read"]
}
EOF

Attach the policy to the AppRole role

CODE
vault write auth/approle/role/expertflow policies="ef-policy"

Exit the pod

CODE
exit

How to change the TTL of credentials

Exec into the vault pod

CODE
kubectl -n vault exec -it vault-0 -- sh

If you want the role TTLs to be greater than 768h, first raise the TTLs on the database engine (they default to 768h); otherwise Vault caps the leases at the engine's maximum.

CODE
vault secrets tune -default-lease-ttl=2160h -max-lease-ttl=2160h database/

Change default_ttl and max_ttl for the role with the command below:

CODE
vault write database/roles/mongodb-role \
    db_name=mongodb-database \
    creation_statements='{ "db": "admin", "roles": [{ "role": "root", "db": "admin" }] }' \
    default_ttl="2160h" \
    max_ttl="2160h"
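A pre-flight check for the TTL values used in the tune and role commands above (both in the initial setup and in this section), added here as an example that is not part of the original page: Vault caps a role's lease at the database mount's max-lease-ttl, so a 2160h role on an untuned mount (768h) silently issues 768h leases. The duration parser and the sample values are constructed for the example; nothing is read from a live Vault.

```shell
#!/bin/sh
# Added example: check the role TTLs against the database mount's max-lease-ttl
# before running the vault write commands. Values are constructed to mirror the
# page (768h untuned default, 2160h target); no live Vault is contacted.

# Convert a Vault duration string (2160h, 90m, 30s, 1d, or bare seconds) to seconds.
ttl_to_seconds() {
  ttl="$1"
  num="${ttl%[smhd]}"
  unit="${ttl#"$num"}"
  case "$num" in
    ''|*[!0-9]*) echo "invalid duration: $ttl" >&2; return 1 ;;
  esac
  case "$unit" in
    s|'') echo "$num" ;;
    m) echo $(( $num * 60 )) ;;
    h) echo $(( $num * 3600 )) ;;
    d) echo $(( $num * 86400 )) ;;
    *) echo "invalid duration: $ttl" >&2; return 1 ;;
  esac
}

# check_role_ttl MOUNT_MAX ROLE_DEFAULT ROLE_MAX
# Prints the lease TTL (seconds) Vault will actually hand out for the role.
# Returns 1 when the role's max_ttl exceeds the mount's max-lease-ttl (Vault
# accepts the role but truncates every lease to the mount maximum), and 2 when
# the inputs are unparsable or default_ttl is larger than max_ttl.
check_role_ttl() {
  mount_max=$(ttl_to_seconds "$1") || return 2
  role_default=$(ttl_to_seconds "$2") || return 2
  role_max=$(ttl_to_seconds "$3") || return 2
  if [ "$role_default" -gt "$role_max" ]; then
    echo "role default_ttl $2 is larger than role max_ttl $3" >&2
    return 2
  fi
  if [ "$role_max" -gt "$mount_max" ]; then
    echo "role max_ttl $3 exceeds mount max-lease-ttl $1; leases are capped at $1" >&2
    echo "$mount_max"
    return 1
  fi
  echo "$role_default"
}

# Constructed scenario: the page's 2160h role written before the tune step.
check_role_ttl 768h 2160h 2160h || echo "run 'vault secrets tune' on database/ first"
```

Run the check with the tuned value (2160h 2160h 2160h) to confirm the role TTL will be honoured after the tune step.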