HashiTalks 2025 Learn about unique use cases, homelab setups, and best practices at scale at our 24-hour virtual knowledge sharing event. Register
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

MongoDB Atlas automatic secret rotation

Plus tier

This feature is available in HCP Vault Secrets Plus tier.

MongoDB Atlas allows developers to programmatically integrate user accounts with their applications. These accounts use usernames and passwords for secure authentication and authorization, controlling access to developers' databases.

HCP Vault Secrets can automatically rotate MongoDB Atlas Database username and passwords.

Prerequisites

  • HCP Vault Secrets standard or plus tier
  • Project level HCP service principal with a service principal key and the HCP viewer role or higher.
  • Environment variables set for the HCP organization ID, project ID, application name, secret name, service principal client ID, and service principal client secret.
  • Access to a MongoDB Atlas Project and database.
  • A MongoDB Atlas API Key created in your Project with the permissions set to Project Owner. (Refer to the MongoDB Atlas API Key documentation).

Create a rotating secret

  1. Navigate to an application you would like to add a rotated secret to.

  2. Click Create new secret and select Auto-rotating secret. Create new rotating secret

  3. Select the MongoDB Atlas username and password from the Integration Provider pulldown menu.

  4. Enter a unique name for the auto-rotating secret in the Secret Name field.

  5. Click + Add new integration next to the Integration pulldown menu and enter the following: Setup new MongoDB Atlas Integration

    • Integration Name: Provide a unique name for the connection.
    • Mongo DB Atlas public API key: Enter the Project Public key found from the Access Manager section inside your desired Project in the MongoDB Atlas Console.
    • Mongo DB Atlas private API key: The Project Private API Key Secret.

  6. Click Save to return to the new secret form.

  7. Enter the MongoDB Project ID found under the settings tab inside Project Settings.

  8. Enter the Mongo DB Database/Cluster Name for the database you'd like to provision the credentials for.

  9. Click the MongoDB Roles pulldown menu and select the desired roles to be attached to the credentials to be rotated. You can add roles that are not in the list by simply typing one in and hitting enter on your keyboard.

  10. Click the Rotation frequency pulldown menu and select the desired rotation frequency from the 3 options available - 30 days, 60 days, and 90 days.

  11. Click Save.

    The setup is complete and your rotating secret has been created.

Delete a MongoDB Atlas rotation integration

  1. Generate an OAuth token to authenticate with the HCP API.

  2. Delete an existing MongoDB Atlas rotation integration.

    $ curl \
    --location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/${HCP_ORG_ID}/projects/${HCP_PROJ_ID}/integrations/rotation/mongodb-atlas/${INTEGRATION_NAME}" \
    --request DELETE \
    --header "Authorization: Bearer ${HCP_API_TOKEN}" | jq

Additional resources