MongoDB Atlas (MongoDB) is the cloud version of the MongoDB NoSQL database provided by the makers of MongoDB. It includes an Administration API that facilitates database user password rotation.
- Understand the Doppler rotation methodology
- Ability to create MongoDB Administration API keys with the Organization Owner role
- Ability to create MongoDB users
- Familiarity with Doppler rotation strategy
Doppler leverages a two secret strategy to rotate MongoDB user passwords. The rotation is facilitated by an Administrative API key that acts as the managing user.
There are two steps to configure MongoDB rotation
- Create an Administrative API key
- Create two MongoDB users
Begin rotated secret creation
- Navigate to the Advanced Secrets tab in the Doppler config that the rotated secret is being added to
- Click New Rotated Secret. Select MongoDB from the catalog
- In a new browser tab, complete the steps below
Create an Administration API key
The key requires the Organization Owner role, which is highly privileged. A key should be created solely for the purpose of secret rotation - it should be used and stored nowhere else.
- Select the Access Manager button in the top left of the MongoDB Atlas dashboard and select the organization that contains the database instances to rotate passwords for
- In the top right, select Create API Key
- Provide a description such as DopplerRotationKey. Ensure the Organization Owner permission is selected. Hit next
- Copy over the Public Key and Private Key to the rotated secret configuration modal that was previously initiated. Don't save them anywhere else.
Create MongoDB users
It is recommended to configure rotation with a new set of users. This allows for incremental adoption of rotation, as you can taper off of the existing MongoDB users.
- In the MongoDB dashboard, navigate to the Database Access section within the applicable MongoDB project.
- Select Add New Database User and configure it appropriately. Grab the generated password and enter it in the Doppler rotated configuration screen.
- Repeat the above step to create the second user. Hit next to complete the setup
Doppler will verify that the provided MongoDB users exist but cannot verify that the supplied passwords are accurate
The following secrets are available whenever the config is fetched
Updated 27 days ago