
MongoDB Atlas - Add username customization #26

Closed fairclothjm closed 3 years ago

fairclothjm commented 3 years ago

Overview

Adds the ability to customize username generation for dynamic users in MongoDB Atlas.

Uses the new field username_template, which accepts the Go template language.

Contributor Checklist

fairclothjm commented 3 years ago

Test

Setup vault

Run the following script from the vault directory

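#!/usr/bin/env bash

#
# setup and test a vault plugin
#
# usage:
#   ./setup_plugin.sh <plugin> <branch>
#
# example usage:
#   ./setup_plugin.sh vault-plugin-database-mongodbatlas custom-username-temp
#
# Clones the requested branch of hashicorp/<plugin> into a fresh directory
# under /tmp, builds it, builds vault from the current directory, copies the
# plugin binary into vault's plugin directory and starts a dev server in the
# background. Run it from the vault checkout.
#
# Required env: GOPATH (falls back to `go env GOPATH`) and SSH access to
# github.com/hashicorp for `git clone`.
#

set -euo pipefail

# Print an error to stderr and exit non-zero.
die() {
  printf '[ERROR] %s\n' "$*" >&2
  exit 1
}

[[ -n "${1:-}" ]] || die "plugin is a required arg"
[[ -n "${2:-}" ]] || die "git branch is a required arg"

plugin_name="$1"
git_branch="$2"

git_repo="git@github.com:hashicorp/${plugin_name}.git"
vault_dir="$(pwd)"
# vault's `make dev` output directory for this host; adjust for other platforms
plugin_dir="pkg/darwin_amd64"
gopath="${GOPATH:-$(go env GOPATH)}"

# Fresh, unpredictable clone directory instead of the shared /tmp/<plugin>
# path, so a stale or pre-created directory can never be picked up.
clone_dir="$(mktemp -d "/tmp/${plugin_name}.XXXXXX")" || die "mktemp failed"

# clone plugin branch and build
# `--` keeps a branch or repo name starting with '-' from being read as an option
git clone \
  --single-branch \
  --branch "$git_branch" \
  -- "$git_repo" "$clone_dir"

cd "$clone_dir" || die "cannot cd to $clone_dir"
make dev

# cd to vault branch and build
cd "$vault_dir" || die "cannot cd to $vault_dir"
make dev

# setup vault with the plugin
cp -- "${gopath}/bin/${plugin_name}" "${vault_dir}/${plugin_dir}/"
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
cat > vault.hcl <<EOF
plugin_directory = "${plugin_dir}/"
EOF

# run vault (dev mode: in-memory storage, pre-unsealed, fixed root token;
# local testing only)
VAULT_DEV_ROOT_TOKEN_ID=root vault server -dev -config=vault.hcl &
printf 'vault dev server started (pid %s); plugin cloned in %s\n' "$!" "$clone_dir"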

Manual tests

NOTE: You must allowlist your IP address via the MongoDB Atlas dashboard

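# configure vault with the plugin
# assumes VAULT_ADDR/VAULT_TOKEN were exported by setup_plugin.sh and that
# ATLAS_PUBLIC_KEY, ATLAS_PRIVATE_KEY, ATLAS_PROJECT_ID and ATLAS_CONN_URL are set
plugin="pkg/darwin_amd64/vault-plugin-database-mongodbatlas"
# pin the catalog entry to the exact binary that was copied into the plugin directory
SHASUM=$(shasum -a 256 -- "$plugin" | cut -d " " -f1)

vault write sys/plugins/catalog/mongodbatlas \
  sha_256="$SHASUM" \
  command=vault-plugin-database-mongodbatlas

vault secrets enable database

# username_template is the field under test; the literal prefix makes the
# generated users easy to spot in the Atlas dashboard
vault write database/config/my-mdba \
  plugin_name=mongodbatlas \
  allowed_roles="*" \
  public_key="$ATLAS_PUBLIC_KEY" \
  private_key="$ATLAS_PRIVATE_KEY" \
  project_id="$ATLAS_PROJECT_ID" \
  username_template="whatisthematrix-{{.RoleName}}-{{unix_time}}-{{random 8}}"

vault write database/roles/my-role \
  db_name=my-mdba \
  creation_statements='{"database_name": "admin","roles": [{"databaseName":"admin","roleName":"atlasAdmin"}]}' \
  default_ttl="3m" \
  max_ttl="24h"

# set username1/password1 from the output of this read
vault read database/creds/my-role
# Succeeds
# NOTE: a password passed on the command line is visible to other local users
# via `ps` and is kept in shell history; acceptable only for this throwaway
# test credential
mongo "$ATLAS_CONN_URL" -u "$username1" -p "$password1"
# wait past default_ttl (3m) so the lease expires and the dynamic user is revoked
sleep 180

# Fails
mongo "$ATLAS_CONN_URL" -u "$username1" -p "$password1"

vault write database/static-roles/my-static-role username="$existing_username" rotation_period=1h db_name=my-mdba
# set password2 from the output of this read
vault read database/static-creds/my-static-role
# Succeeds
mongo "$ATLAS_CONN_URL" -u "$existing_username" -p "$password2"
vault write -f database/rotate-role/my-static-role
# set password3 from the output of this read (must differ from password2)
vault read database/static-creds/my-static-role
# Succeeds
mongo "$ATLAS_CONN_URL" -u "$existing_username" -p "$password3"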