Error with provisioning users using Vault Plugin

I am running into the error below when trying to create a user using the Vault MongoDB plug-in. I am using a free cluster, not sure if that is the limitation. I have done all the steps to set up the Vault configuration pointing to my Atlas cluster, but it does not allow me to create users.

Here are the commands run.
vault write database/roles/my-role db_name=my-mongodb-database creation_statements='{ "db": "admin", "roles": [{ "role": "readWriteAnyDatabase" }] }'

and then

vault read database/creds/my-role ( to provision the user )

Vault Mongo DB Steps

  • 1 error occurred:
    • (AtlasError) (Unauthorized) not authorized on admin to execute command { createUser: “v-root-my-role-2Bm3dGlXcLUuiOYWnH9o-1608868364”, pwd: “5SmigEJy-5XdWD8kPVHf”, roles: [readWriteAnyDatabase], lsid: { id: {4 [47 83 197 251 22 245 68 196 158 92 40 152 189 22 242 218]} }, $clusterTime: { clusterTime: {1608868356 2}, signature: { hash: {0 [111 108 164 134 246 202 230 244 69 101 241 172 112 18 239 176 163 153 146 202]}, keyId: 6909548871030931456.000000 } }, $db: “admin”, $readPreference: { mode: “primary” } }

Hi @Kishore_Kumar_Kota,

Welcome to MongoDB community.

Atlas database users are only allowed to be created from the UI or API.

You cannot use createUser commands.
This is why this plugin fails.

Thanks
Pavel


Hi @Kishore_Kumar_Kota,

Thanks to my colleague @Andrew_Davidson, I was informed that there is a vault api to create the users called “vault secrets”

MongoDB Atlas - Secrets Engines | Vault | HashiCorp Developer

Thanks
Pavel

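The setup for the secrets engine linked above, as an added example that is not part of the original thread. This engine hands out Atlas programmatic API keys. The environment variable names, the `VAULT_BIN` override, the `test` role name (taken from the `mongodbatlas/creds/test` path used later in the thread), the `GROUP_READ_ONLY` role and the TTL values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): mount and configure Vault's MongoDB
# Atlas secrets engine, then request credentials from mongodbatlas/creds/<role>.
# Assumed: env vars ATLAS_PUBLIC_KEY, ATLAS_PRIVATE_KEY, ATLAS_PROJECT_ID hold
# an Atlas programmatic API key pair and the project ID; VAULT_BIN is an
# override hook for dry runs (VAULT_BIN=echo prints the commands instead).
VAULT_BIN="${VAULT_BIN:-vault}"

# Return non-zero if any named variable is unset or empty.
require_env() {
  for _name in "$@"; do
    eval "_val=\${$_name:-}"
    if [ -z "$_val" ]; then
      echo "missing required variable: $_name" >&2
      return 1
    fi
  done
}

# atlas_engine_setup ROLE ATLAS_ROLE TTL MAX_TTL
atlas_engine_setup() {
  require_env ATLAS_PUBLIC_KEY ATLAS_PRIVATE_KEY ATLAS_PROJECT_ID || return 1
  # Re-running is safe: an already-mounted path only produces an error message.
  "$VAULT_BIN" secrets enable mongodbatlas || true
  # Keys come from the environment so they are not typed into shell history.
  "$VAULT_BIN" write mongodbatlas/config \
    public_key="$ATLAS_PUBLIC_KEY" private_key="$ATLAS_PRIVATE_KEY" || return 1
  # Scope the role to one project, one Atlas role and a short lifetime.
  "$VAULT_BIN" write "mongodbatlas/roles/$1" \
    project_id="$ATLAS_PROJECT_ID" roles="$2" ttl="$3" max_ttl="$4"
}

# atlas_engine_issue ROLE: ask Vault for a fresh credential for ROLE.
atlas_engine_issue() {
  "$VAULT_BIN" read "mongodbatlas/creds/$1"
}

# Only touch Vault when explicitly asked: sh atlas-engine.sh apply
if [ "${1:-}" = "apply" ]; then
  atlas_engine_setup test GROUP_READ_ONLY 1h 4h && atlas_engine_issue test
fi
```

Running it with `VAULT_BIN=echo` prints the Vault commands without contacting a server, which is a quick way to review what will be written before applying it.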

Thank you for pointing me to the correct documentation on this. I am seeing a different error now.

I did follow the steps - I have installed Vault in my local and set up the config to point to my mongo db atlas account using programmatic access keys.

Error reading mongodbatlas/creds/test: Error making API request.

URL: GET http://127.0.0.1:8200/v1/mongodbatlas/creds/test

Code: 400. Errors:

Hi @Kishore_Kumar_Kota,

It might be that this Vault software is out of date and it is not calling the up-to-date API endpoints.

It looks like it hits a deprecated API whitelist one.

Have a look at this blog

Thanks
Pavel
