Run the following script from the vault directory:
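#!/usr/bin/env bash
#
# setup and test a vault plugin
#
# Clones the requested branch of a hashicorp plugin repo, builds the plugin,
# builds the vault checkout in the current directory, copies the plugin
# binary into vault's plugin directory and starts a vault dev server that
# can load it.
#
# usage:
# ./setup_plugin.sh <plugin> <branch>
#
# example usage:
# ./setup_plugin.sh vault-plugin-database-mongodbatlas custom-username-temp
#
# Environment: GOPATH (falls back to `go env GOPATH` when unset).
# Writes:      a fresh clone directory under ${TMPDIR:-/tmp}, ./vault.hcl
#
set -euo pipefail

# Print an error to stderr and exit non-zero.
die() {
  printf '[ERROR] %s\n' "$*" >&2
  exit 1
}

[[ -n "${1:-}" ]] || die "plugin is a required arg"
[[ -n "${2:-}" ]] || die "git branch is a required arg"

plugin_name="$1"
git_branch="$2"
git_repo="git@github.com:hashicorp/${plugin_name}.git"
vault_dir="$(pwd)"
# Directory the vault build drops its binaries into; the plugin binary is
# copied here so the dev server (plugin_directory below) can find it.
plugin_dir="${vault_dir}/pkg/darwin_amd64"

# Clone into a fresh, unpredictable directory rather than a fixed
# /tmp/<plugin> path: a leftover or attacker-created directory of that name
# would otherwise be reused (or make the clone fail).
clone_dir="$(mktemp -d "${TMPDIR:-/tmp}/${plugin_name}.XXXXXX")" || die "mktemp failed"

# clone plugin branch and build
git clone \
  --single-branch \
  --branch "$git_branch" \
  -- "$git_repo" "$clone_dir"
cd "$clone_dir" || die "cannot cd to $clone_dir"
make dev

# cd to vault branch and build
cd "$vault_dir" || die "cannot cd to $vault_dir"
make dev

# setup vault with the plugin
# The plugin's `make dev` is expected to leave its binary in $GOPATH/bin.
gopath="${GOPATH:-$(go env GOPATH)}"
cp -- "${gopath}/bin/${plugin_name}" "${plugin_dir}/"
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
cat > vault.hcl <<EOF
plugin_directory = "pkg/darwin_amd64/"
EOF

# run vault
# Dev-mode server on the loopback address with a fixed, well-known root
# token: only suitable for local testing of the plugin.
VAULT_DEV_ROOT_TOKEN_ID=root vault server -dev -config=vault.hcl &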
NOTE: You must allowlist your IP address via the MongoDB Atlas dashboard before running the steps below.
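# configure vault with the plugin
# The Atlas values come from the environment; fail up front with a clear
# message instead of registering a half-configured database backend.
: "${ATLAS_PUBLIC_KEY:?ATLAS_PUBLIC_KEY must be set}"
: "${ATLAS_PRIVATE_KEY:?ATLAS_PRIVATE_KEY must be set}"
: "${ATLAS_PROJECT_ID:?ATLAS_PROJECT_ID must be set}"

# The dev server was started in the background above; wait (bounded) until
# it answers rather than racing it with the first `vault write`.
server_up=0
for attempt in {1..30}; do
  if vault status >/dev/null 2>&1; then
    server_up=1
    break
  fi
  sleep 1
done
[[ "$server_up" -eq 1 ]] || die "vault server did not come up at $VAULT_ADDR"

# Same binary that was copied into the plugin directory above.
plugin="pkg/darwin_amd64/${plugin_name}"
SHASUM="$(shasum -a 256 -- "$plugin" | cut -d ' ' -f1)"
vault write sys/plugins/catalog/mongodbatlas \
  sha_256="$SHASUM" \
  command="$plugin_name"
vault secrets enable database
# private_key is passed via stdin (`-`) so the secret is not visible in the
# process list the way an argv value would be.
printf '%s' "$ATLAS_PRIVATE_KEY" | vault write database/config/my-mdba \
  plugin_name=mongodbatlas \
  allowed_roles="*" \
  public_key="$ATLAS_PUBLIC_KEY" \
  private_key=- \
  project_id="$ATLAS_PROJECT_ID" \
  username_template="whatisthematrix-{{.RoleName}}-{{unix_time}}-{{random 8}}"
# Short default_ttl so the lease-expiry test further down only needs a
# 3 minute wait.
vault write database/roles/my-role \
  db_name=my-mdba \
  creation_statements='{"database_name": "admin","roles": [{"databaseName":"admin","roleName":"atlasAdmin"}]}' \
  default_ttl="3m" \
  max_ttl="24h"
vault read database/creds/my-role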
# Manual verification steps. $username1 / $password1 are not set by this
# script -- presumably copied from the `vault read database/creds/my-role`
# output above (TODO confirm); $ATLAS_CONN_URL is the cluster connection URL.
# Succeeds: the dynamic credentials are still within default_ttl (3m).
mongo $ATLAS_CONN_URL -u $username1 -p $password1
# Wait past default_ttl="3m" so the lease expires.
sleep 180
# Fails: the expired lease should have revoked the dynamic user.
mongo $ATLAS_CONN_URL -u $username1 -p $password1
# Static role: $existing_username is an Atlas user that already exists (not
# created by vault); vault takes over rotating its password every hour.
vault write database/static-roles/my-static-role username=$existing_username rotation_period=1h db_name=my-mdba
vault read database/static-creds/my-static-role
# Succeeds: $password2 is presumably the password from the static-creds read
# above -- confirm.
mongo $ATLAS_CONN_URL -u $existing_username -p $password2
# Force an immediate rotation instead of waiting for rotation_period.
vault write -f database/rotate-role/my-static-role
vault read database/static-creds/my-static-role
# Succeeds: $password3 is the newly rotated password from the read above.
mongo $ATLAS_CONN_URL -u $existing_username -p $password3
# NOTE(review): the expansions above are unquoted and the passwords are on
# the mongo command line (visible in `ps`). Acceptable for a throwaway dev
# cluster; quote them and let mongo prompt for the password if reused.
Overview
Adds the ability to customize username generation for dynamic users in MongoDB Atlas.
Uses the new field `username_template`, which accepts the Go template language.