MongoDB Atlas

MongoDB Atlas (MongoDB) is the cloud version of the MongoDB NoSQL database provided by the makers of MongoDB. It includes an Administration API that facilitates database user password rotation.

Requirements

Overview

Doppler uses a two-secret strategy to rotate MongoDB user passwords. The rotation is performed with an Administrative API key that acts as the managing user.

Configuration

There are two steps to configure MongoDB rotation:

  1. Create an Administrative API key
  2. Create two MongoDB users

Begin rotated secret creation

  1. Navigate to the Doppler config you would like to add a rotated secret to
  2. Click the dropdown next to Add Secret and select Add Rotated Secret
  3. Select MongoDB from the catalog
  4. In a new browser tab, complete the steps below

Create an Administration API key

❗️

The key requires the Organization Owner role, which is highly privileged. A key should be created solely for the purpose of secret rotation - it should be used and stored nowhere else.

  1. Select the Access Manager button in the top left of the MongoDB Atlas dashboard and select the organization that contains the database instances to rotate passwords for
  2. In the top right, select Create API Key
  3. Provide a description such as DopplerRotationKey. Ensure the Organization Owner permission is selected. Hit next.
  4. Copy over the Public Key and Private Key to the rotated secret configuration modal that was previously initiated. Don't save them anywhere else.

Create MongoDB users

It is recommended to configure rotation with a new set of users. This allows for incremental adoption of rotation, as you can taper off of the existing MongoDB users.

  1. In the MongoDB dashboard, navigate to the Database Access section within the applicable MongoDB project.
  2. Select Add New Database User and configure it appropriately. Grab the generated password and enter it in the Doppler rotated configuration screen.
  3. Repeat the above step to create the second user. Hit next to complete the setup.

🚧

Doppler will verify that the provided MongoDB users exist but cannot verify that the supplied passwords are accurate.

Injected Secrets

The following secrets are available whenever the config is fetched:

  • MONGODB_ATLAS_USERNAME
  • MONGODB_ATLAS_PASSWORD
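
An added example (not Doppler's or MongoDB's code) of consuming the two injected secrets: it builds a connection URI at connect time with the credentials percent-encoded, in case a password contains characters such as `@` or `:` that would break URI parsing, and produces a redacted form for logs. The cluster hostname, database name and sample credential values are constructed placeholders.

```python
import os
from urllib.parse import quote

# Names of the secrets injected by the rotated secret (from the list above).
REQUIRED = ("MONGODB_ATLAS_USERNAME", "MONGODB_ATLAS_PASSWORD")


def atlas_uri(host, env=None, database=""):
    """Build a mongodb+srv URI from the injected secrets.

    Reads the values on every call so a rotated password is picked up the
    next time the application connects. Fails closed if either is missing.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing injected secrets: " + ", ".join(missing))
    # safe="" percent-encodes every reserved character, including '/' and '@'.
    user = quote(env["MONGODB_ATLAS_USERNAME"], safe="")
    password = quote(env["MONGODB_ATLAS_PASSWORD"], safe="")
    return f"mongodb+srv://{user}:{password}@{host}/{database}"


def redact(uri):
    """Return the URI with the password masked, suitable for log output."""
    scheme, rest = uri.split("://", 1)
    # Encoded credentials cannot contain '@', so the first '@' ends them.
    creds, tail = rest.split("@", 1)
    user = creds.split(":", 1)[0]
    return f"{scheme}://{user}:***@{tail}"


if __name__ == "__main__":
    # Constructed sample values; in a real run these come from the environment.
    sample = {
        "MONGODB_ATLAS_USERNAME": "doppler-rot-a",
        "MONGODB_ATLAS_PASSWORD": "p@ss:w/rd#1",
    }
    # Hypothetical cluster hostname and database name.
    uri = atlas_uri("cluster0.example.mongodb.net", sample, "app")
    print(redact(uri))
```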