mongodb / vault-plugin-secrets-mongodbatlas

ARCHIVED - Hashicorp Vault MongoDB Atlas Secrets Engine - Now hosted at https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/
Mozilla Public License 2.0

Readme is confusing regarding vault version, and plugin does not seem packaged with vault 1.2.3 as said in the Readme. #20

Closed JnMik closed 4 years ago

JnMik commented 4 years ago

Hello guys!

Here's what the readme says: "If you are using Vault 11.0.1 or above, both plugins are packaged with Vault. The MongoDB Atlas Secrets Engine can be enabled by running: Vault secrets enable mongodbatlas"

Vault's latest version is 1.2.3, so it's kinda far behind 11.0.1. Maybe you meant 0.11.1?

Also, I currently have a running version of Vault 1.2.3 and don't see any mongo-db-atlas plugin in the result of the $ vault plugin list command.

Trying to enable the secrets anyway gives me this error:

vault secrets enable mongodbatlas
Error enabling: Error making API request.

URL: POST https://127.0.0.1:8200/v1/sys/mounts/mongodbatlas
Code: 400. Errors:

* plugin not found in the catalog: mongodbatlas

I will try to package it and install it manually, but I'm not sure why it says that it's supposed to be packaged with Vault?

Also, both of these quicklinks (in the README) lead to 404 pages:

  1. MongoDB Atlas Secrets Engine Docs
  2. Database Secrets Engine for MongoDB Atlas

Thanks for clarifying things!

JnMik commented 4 years ago

Ah, just realized I'm not the only one that found the version typo: https://github.com/mongodb/vault-plugin-secrets-mongodbatlas/pull/18

I'll keep my thread open for the "Supposed to be packaged with vault" issue.

themantissa commented 4 years ago

@JnMik apologies for the delay as we have been working on getting this completed.

In regard to the version, we'll get that updated once finalized. The README is written to be forward looking. We are working with HashiCorp for a review of the code, and so once verified the statements will become valid. That is why at the top of the README we have the disclaimer:

IMPORTANT: This plugin is currently under development. Feel free to test it out following the instructions under the Developing section below, however consider this beta until it is verified by HashiCorp. Once verified and released versions will be documented in a CHANGELOG

Once the review is completed we'll update the information on how to use this plugin until it's included in the next version of Vault.

heprotecbuthealsoattac commented 4 years ago

Any ETA on that? MLab is pushing to migrate off to Atlas; however, the ops experience when it comes to Atlas <-> Vault integration is terrible. This is causing us a major headache right now.

JnMik commented 4 years ago

@heprotecbuthealsoattac The plugin is not packaged with Vault; however, you can manually install it if your application is resilient to autoretry connection when it fails to authenticate. Because it will happen (see my other issue).

In my case I couldn't have that, so the simplest way I found is to manage the Atlas user through Terraform (with the mongodbatlas provider user resource) and forward the generated user's credentials to Vault (still with Terraform, with the vault provider) in a "secret kv put" equivalent resource.

It's a working idea, see if it could work for you :) Credentials lease renewal will have to be scripted manually.

Cheers

JnMik commented 4 years ago

I'll close the issue since Mongo's people seem aware of the inaccurate README and will fix it later.