# HashiCorp Vault Demo for MongoDB database secrets engine

The database secrets engine generates database credentials dynamically based on configured roles. It works with a number of different databases through a plugin interface. There are a number of built-in database types, and an exposed framework for running custom database types for extendability. This means that services that need to access a database no longer need to hardcode credentials.

This demo shows how HashiCorp Vault can be used to:
- Generate short-lived credentials on demand.  This is referred to as "dynamic secrets" and utilizes "dynamic roles".
- Manage and rotate passwords for fixed database user accounts.  This utilizes "static roles". 

Ref:
- https://developer.hashicorp.com/vault/docs/secrets/databases/mongodb
- https://developer.hashicorp.com/vault/tutorials/db-credentials/database-creds-rotation

<img src="images/vault-demo-mongodb-dynamic-secrets.png">

## Setup of the Demo

This setup is tested on MacOS and is meant to simulate a distributed setup.  The components used in this demo are:
- Vault Enterprise installed on docker (to simulate an external Vault)
- You have the Vault CLI installed

This assumes your Vault server is installed using docker and already running on http://127.0.0.1:8200
and you have set your VAULT_ADDR and VAULT_TOKEN variables.

As part of this demo, we will be setting up a 3 node MongoDB replica set on docker.  To demonstrate the database read only permissions for the dynamic credentials, we will be configuring this replica set with authorization enabled.

## Requirements to Run This Demo
You will need Visual Studio Code to be installed with the Jupyter plugin.  To run this notebook in VS Code, chose the Jupyter kernel and then Bash.
- To run the current cell, use Ctrl + Enter.
- To run the current cell and advance to the next, use Shift+Enter.

# Setup Pre-requisites (One-time)

Assumes you have docker installed and brew installed

- https://docs.docker.com/desktop/install/mac-install/
- https://brew.sh/

In [None]:
# Install openssl.  This is used for the setup of the MongoDB replicaset with KeyFile authentication.
# Ref: https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set-with-keyfile-access-control/
brew install openssl

# Setting up HashiCorp Vault

In [None]:
# Create a docker network so that the Vault server and MongoDB nodes can communicate with each other using DNS resolution.
# The default network does not have built-in DNS resolution.
export DOCKER_NETWORK=mongo-cluster-nw
docker network create $DOCKER_NETWORK

In [None]:
# Optional.  The following are some sample commands for running Vault Enterprise in docker.
# Expose the Vault API port to the host machine and use the docker network created earlier
export VAULT_PORT=8200
export VAULT_ADDR="http://127.0.0.1:${VAULT_PORT}"
export VAULT_TOKEN="root"
# Change the path to your license file
export VAULT_LICENSE=$(cat $HOME/vault-enterprise/vault_local/data/vault.hclic)
docker run -d --rm --net $DOCKER_NETWORK --name vault-enterprise --cap-add=IPC_LOCK \
-e "VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}" \
-e "VAULT_DEV_LISTEN_ADDRESS=:${VAULT_PORT}" \
-e "VAULT_LICENSE=${VAULT_LICENSE}" \
-p ${VAULT_PORT}:${VAULT_PORT} hashicorp/vault-enterprise:latest

# Set Up MongoDB

For this demo, we will be simulating a 3 Node Cluster with Replica Set.

In [None]:
# Use latest 7.0 MongoDB Enterprise docker image.  This supports both linux/amd64 and linux/arm64
# Ref: https://hub.docker.com/r/mongodb/mongodb-enterprise-server/tags
export MONGODB_TAG=7.0-ubuntu2204

# As we are setting up on the same docker host (same host IP), we will be simulating 3 MongoDB nodes using different port numbers
# On a distributed setup, you can use the same port 27017 on different host servers (different host IP).
export MONGODB_PORT=27017
export MONGODB_PORT2=27018
export MONGODB_PORT3=27019
# Replica Set name
export RS_NAME=rs0

# Create folders for the MongoDB volumes
mkdir data1
mkdir data2
mkdir data3

# Create the 3 MongoDB nodes and use the docker network created earlier.
# We will be enabling authorization later so we will be persisting the MongoDB servers to local volumes
docker run -d --rm --volume=./data1:/data/db -p $MONGODB_PORT:$MONGODB_PORT --net $DOCKER_NETWORK --name mongo1 \
mongodb/mongodb-enterprise-server:$MONGODB_TAG --replSet $RS_NAME --port $MONGODB_PORT --bind_ip "0.0.0.0"
docker run -d --rm --volume=./data2:/data/db -p $MONGODB_PORT2:$MONGODB_PORT --net $DOCKER_NETWORK --name mongo2 \
mongodb/mongodb-enterprise-server:$MONGODB_TAG --replSet $RS_NAME --port $MONGODB_PORT --bind_ip "0.0.0.0"
docker run -d --rm --volume=./data3:/data/db -p $MONGODB_PORT3:$MONGODB_PORT --net $DOCKER_NETWORK --name mongo3 \
mongodb/mongodb-enterprise-server:$MONGODB_TAG --replSet $RS_NAME --port $MONGODB_PORT --bind_ip "0.0.0.0"

In [None]:
# Check that the Vault Server and all 3 mongodb nodes are running
docker ps

In [None]:
# Initialize the replica set for the 3 nodes
# Ref: https://www.mongodb.com/docs/manual/reference/method/rs.initiate/
# As the 3 nodes are on the same docker host, use the internal container names and port for the configuration
# You should see a { ok: 1 } being returned.
echo "MongoDB Port: $MONGODB_PORT"
echo
docker exec -it mongo1 mongosh --eval \
"rs.initiate(
    {
        _id:'$RS_NAME',
        version: 1,
        members: [
            { _id: 0, host : \"mongo1:$MONGODB_PORT\"},
            { _id: 1, host : \"mongo2:$MONGODB_PORT\"},
            { _id: 2, host : \"mongo3:$MONGODB_PORT\"}
        ]
    }
)"

In [None]:
# View the status of your replica set.  See "health" of each node.  1 is "Up" and 0 is "Down".
# - https://www.mongodb.com/docs/v4.2/reference/command/replSetGetStatus/
docker exec -it mongo1 mongosh --eval "rs.status()"

## Enable Authorization on the MongoDB Replica Set

By default MongoDB authorization is not turned on.  Notice that no credentials were required to execute any of the mongosh commands.  To enable authorization on a replica set, this requires deploying the replica set with keyfile authentication.

Ref:
- https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set-with-keyfile-access-control
- https://lizarddapp.medium.com/setup-mongodb-replica-set-with-authentication-using-docker-aac0c5f7583c


In [None]:
# set mongosh alias to make it easier to execute mongosh commands to the first MongoDB docker container
# Use the connection string for the replica set.  This will allow write operations to go to the primary node.
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"
alias mongosh="docker exec -it mongo1 mongosh \"mongodb://mongo1:$MONGODB_PORT,mongo2:$MONGODB_PORT2,mongo3:$MONGODB_PORT3/admin?replicaSet=$RS_NAME\""

In [None]:
# Before turning on authorization, create the root admin user
mongosh --eval "use admin" \
--eval "db.createUser(
  {
    user: \"root\",
    pwd: \"Password123\",
    roles: [ { role: \"root\", db: \"admin\" } ]
  }
)"

In [None]:
# Verify that the root admin user is created
mongosh --eval "use admin" \
--eval "db.getUsers()"

In [None]:
# Create a keyfile for MongoDB keyfile authentication
# Store it on MongoDB node 1 volume
openssl rand -base64 756 > ./data1/key
# Provide read permissions for the file owner only
chmod 400 ./data1/key
# Copy the same key to the other two nodes
cp ./data1/key ./data2/key
cp ./data1/key ./data3/key

In [None]:
# Stop MongoDB nodes
docker stop mongo1
docker stop mongo2
docker stop mongo3

In [None]:
# Start back up the 3 MongoDB nodes and use the existing volumes created earlier
# This time we will be turning on authorization using the --keyFile flag
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"


# We will be enabling authorization later so we will be persisting the MongoDB servers to local volumes
docker run -d --rm --volume=./data1:/data/db -p $MONGODB_PORT:$MONGODB_PORT --net $DOCKER_NETWORK --name mongo1 \
mongodb/mongodb-enterprise-server:$MONGODB_TAG --replSet $RS_NAME --port $MONGODB_PORT --bind_ip 0.0.0.0 --keyFile /data/db/key
docker run -d --rm --volume=./data2:/data/db -p $MONGODB_PORT2:$MONGODB_PORT --net $DOCKER_NETWORK --name mongo2 \
mongodb/mongodb-enterprise-server:$MONGODB_TAG --replSet $RS_NAME --port $MONGODB_PORT --bind_ip 0.0.0.0 --keyFile /data/db/key
docker run -d --rm --volume=./data3:/data/db -p $MONGODB_PORT3:$MONGODB_PORT --net $DOCKER_NETWORK --name mongo3 \
mongodb/mongodb-enterprise-server:$MONGODB_TAG --replSet $RS_NAME --port $MONGODB_PORT --bind_ip 0.0.0.0 --keyFile /data/db/key

In [None]:
# Check that the Vault Server and all 3 mongodb nodes are running
docker ps

## Setup Demo MongoDB Database

In [None]:
# set mongosh alias to make it easier to execute mongosh commands to the first MongoDB docker container
# Use the connection string for the replica set.  This will allow write operations to go to the primary node.
# As Authorization is turned on, we will be specifying the root admin user credentials in the connection string.
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"
alias mongosh="docker exec -it mongo1 mongosh \"mongodb://root:Password123@mongo1:$MONGODB_PORT,mongo2:$MONGODB_PORT2,mongo3:$MONGODB_PORT3/admin?replicaSet=$RS_NAME\""

In [None]:
# Create database “record”, insert record with random user details (using function makeid), and display table records
# Note: You can run this multiple times to insert more records as required
mongosh --eval "use record" \
--eval "function makeid(length) {
    var result           = '';
    var characters       = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    var charactersLength = characters.length;
    for ( var i = 0; i < length; i++ ) {
      result += characters.charAt(Math.floor(Math.random() * 
 charactersLength));
   }
   return result;
}" \
--eval "db.users.insertOne({username: \"user-\" + makeid(4), password: makeid(20)})" \
--eval "db.users.find()"

In [None]:
# Show table "users" has been created
mongosh --eval "use record" \
--eval "show collections"

In [None]:
# Show database "record" has been created
mongosh --eval "show dbs"

# Configure Vault MongoDB database secrets engine

In [None]:
# Setup MongoDB accounts for the Vault Configuration

# Create Vault user that has permissions to 
mongosh --eval "use admin" \
--eval "db.createUser(
  {
    user: \"vault_user_admin\",
    pwd: \"Password123\",
    roles: [ { role: \"userAdminAnyDatabase\", db: \"admin\" } ]
  }
)"

In [None]:
# Set the name of the MongoDB Database Secret path
export DBPATH=database

# Disable the database engine if it is there
vault secrets disable $DBPATH

# Enable the database secrets engine at the "database/" path
vault secrets enable -path $DBPATH database

In [None]:
# Configure the MongoDB plugin with the connection information 

# Use the connection string for the replica set.  Use the MongoDB user credentials created earlier for Vault.
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"
echo "Database Engine Path is: $DBPATH"

vault write $DBPATH/config/mongodb \
    plugin_name=mongodb-database-plugin \
    connection_url="mongodb://{{username}}:{{password}}@mongo1:$MONGODB_PORT,mongo2:$MONGODB_PORT2,mongo3:$MONGODB_PORT3/admin?replicaSet=$RS_NAME" \
    username="vault_user_admin" \
    password="Password123" \
    allowed_roles="*"

## Demonstrate Dynamic Role

This will demonstrate how Vault can be used to generate a new set of credentials with:
- Read only permissions on the "users" tables in the "record" database.
- A specific time-to-live (TTL) period before expiring.

Ref: https://developer.hashicorp.com/vault/docs/secrets/databases/mongodb#capabilities

In [None]:
# Create a role in Vault that maps to the MongoDB read role for the record database
# Note MongoDB users are normally created in the admin database
# Put the TTL to 30s for testing
# Ref: 
# - https://www.mongodb.com/docs/manual/reference/built-in-roles/
# - https://developer.hashicorp.com/vault/docs/secrets/databases/mongodb
export DBROLE=record-readonly

vault write $DBPATH/roles/$DBROLE \
    db_name=mongodb \
    creation_statements='{ "db": "admin", "roles": [{"role": "read", "db": "record"}] }' \
    default_ttl="30s" \
    max_ttl="24h"

In [None]:
# Read credentials from the readonly database role
results=$(vault read -format=json $DBPATH/creds/$DBROLE)
echo $results | jq

In [None]:
# Use the connection string for the replica set.  Use the MongoDB user credentials created earlier for Vault.
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"

# Use the dynamic credentials
export DBPASSWORD=$(echo $results | jq .data.password -r)
export DBUSER=$(echo $results | jq .data.username -r)
echo "Dynamic MongoDB username: $DBUSER"
echo "Dynamic MongoDB password: $DBPASSWORD"

# View the details of the connected user
docker exec -it mongo1 mongosh "mongodb://$DBUSER:$DBPASSWORD@mongo1:$MONGODB_PORT,mongo2:$MONGODB_PORT2,mongo3:$MONGODB_PORT3/admin?replicaSet=$RS_NAME" \
--eval "db.getUser('$DBUSER')"

# Try executing this step after 30s to show that the credentials has expired.
# i.e. You should see an "Authenticationn failed" message

In [None]:
# Use the connection string for the replica set.  Use the MongoDB user credentials created earlier for Vault.
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"

# Read credentials from the readonly database role
results=$(vault read -format=json $DBPATH/creds/$DBROLE)
echo $results | jq

# Use the dynamic credentials
export DBPASSWORD=$(echo $results | jq .data.password -r)
export DBUSER=$(echo $results | jq .data.username -r)
echo "Dynamic MongoDB username: $DBUSER"
echo "Dynamic MongoDB password: $DBPASSWORD"

# Try inserting a record into the "users" table.
# You should see an error as the dynamic credentials is using a read only role.
docker exec -it mongo1 mongosh "mongodb://$DBUSER:$DBPASSWORD@mongo1:$MONGODB_PORT,mongo2:$MONGODB_PORT2,mongo3:$MONGODB_PORT3/admin?replicaSet=$RS_NAME" \
--eval "use record" \
--eval "db.users.insertOne({username: \"user-test\", password: \"12345678\"})"

In [None]:
# Use the connection string for the replica set.  Use the MongoDB user credentials created earlier for Vault.
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"

# Read credentials from the readonly database role
results=$(vault read -format=json $DBPATH/creds/$DBROLE)
echo $results | jq

# Use the dynamic credentials
export DBPASSWORD=$(echo $results | jq .data.password -r)
export DBUSER=$(echo $results | jq .data.username -r)
echo "Dynamic MongoDB username: $DBUSER"
echo "Dynamic MongoDB password: $DBPASSWORD"

# Show that the dynamic credentials is able to read the users table
docker exec -it mongo1 mongosh "mongodb://$DBUSER:$DBPASSWORD@mongo1:$MONGODB_PORT,mongo2:$MONGODB_PORT2,mongo3:$MONGODB_PORT3/admin?replicaSet=$RS_NAME" \
--eval "use record" \
--eval "db.users.find()"

## Demonstrate Static Role

This will demonstrate how Vault can be used to rotate a static database user's password.

Ref: https://developer.hashicorp.com/vault/docs/secrets/databases/mongodb#capabilities


In [None]:
# Create the fixed MongoDB user account called "user1"
mongosh --eval "use admin" \
--eval "db.createUser(
  {
    user: \"user1\",
    pwd: \"Password123\",
    roles: [ { role: \"read\", db: \"record\" } ]
  }
)"

In [None]:
# Configure the rotation period for user1.  For the demo, we will using 10s.
vault write $DBPATH/static-roles/user1-static \
    db_name=mongodb \
    rotation_statements='' \
    username="user1" \
    rotation_period=10

# View the role details
vault read $DBPATH/static-roles/user1-static

In [None]:
# Read user1's credentials.  You will notice the password gets rotated as the TTL expires.
vault read $DBPATH/static-creds/user1-static

In [None]:
# You can also force rotate the password before the TTL expires
vault write -f $DBPATH/rotate-role/user1-static
echo
# Read user1's credentials.
vault read $DBPATH/static-creds/user1-static

# Cleanup

In [None]:
# Cleanup

# Remove mongsh alias
unalias mongosh

# Disable database secrets engine
vault secrets disable $DBPATH

# Stop Vault container
docker stop vault-enterprise

# Stop MongoDB cluster
docker stop mongo1
docker stop mongo2
docker stop mongo3

# Remove docker volumes
rm -rf data1
rm -rf data2
rm -rf data3

# Remove docker network that was created
docker network rm $DOCKER_NETWORK

# Other Useful Commands

In [None]:
# This example demonstrates how you can build the MongoDB replica set using docker compose
echo "MongoDB Image Used: $MONGODB_TAG"
echo "Docker Network: $DOCKER_NETWORK"
echo "MongoDB Node 1 Port: $MONGODB_PORT"
echo "MongoDB Node 2 Port: $MONGODB_PORT2"
echo "MongoDB Node 3 Port: $MONGODB_PORT3"
echo "MongoDB Replica Set: $RS_NAME"

# Build up the docker-compose file for the MongoDB replica set
tee docker-compose.yml <<EOF
version: "3"
networks:
  $DOCKER_NETWORK:
    external: true
services:
  mongo1:
    hostname: mongo1
    container_name: mongo1
    image: mongodb/mongodb-enterprise-server:$MONGODB_TAG
    expose:
      - $MONGODB_PORT
    ports:
      - $MONGODB_PORT:$MONGODB_PORT
    networks:
      - $DOCKER_NETWORK
    restart: always
    volumes:
      - ./data1:/data/db
    entrypoint: [ "/usr/bin/mongod", "--bind_ip_all", "--replSet", "$RS_NAME", "--port", "$MONGODB_PORT", "--bind_ip", "0.0.0.0" ]
  mongo2:
    hostname: mongo2
    container_name: mongo2
    image: mongodb/mongodb-enterprise-server:$MONGODB_TAG
    expose:
      - $MONGODB_PORT
    ports:
      - $MONGODB_PORT2:$MONGODB_PORT
    networks:
      - $DOCKER_NETWORK
    restart: always
    volumes:
      - ./data2:/data/db
    entrypoint: [ "/usr/bin/mongod", "--bind_ip_all", "--replSet", "$RS_NAME", "--port", "$MONGODB_PORT", "--bind_ip", "0.0.0.0" ]
  mongo3:
    hostname: mongo3
    container_name: mongo3
    image: mongodb/mongodb-enterprise-server:$MONGODB_TAG
    expose:
      - $MONGODB_PORT
    ports:
      - $MONGODB_PORT3:$MONGODB_PORT
    networks:
      - $DOCKER_NETWORK
    restart: always
    volumes:
      - ./data3:/data/db
    entrypoint: [ "/usr/bin/mongod", "--bind_ip_all", "--replSet", "$RS_NAME", "--port", "$MONGODB_PORT", "--bind_ip", "0.0.0.0" ]
EOF


# Run the docker compose command to bring up the 3 MongoDB nodes
# -d is to run it detached
docker compose up -d

In [None]:
docker compose down