Connect MongoDB replica set with Vault

I have a MongoDB replica set cluster with one primary node and two secondary nodes. I created a user inside admin db of my primary node using the below command
db.createUser(
{
user: “myUserAdmin”,
pwd: “abc123”,
roles: [ { role: “readWrite”, db: “admin” } ]
}
)

After this when I try to establish connection to this cluster from vault using the below URI, I am not able to establish connection

mongodb://{{username}}:{{password}}@primary_node:port,secondary_node_1:port,secondary_node_2:port/admin?tls=false&serverSelectionTimeoutMS=2000&replicaSet=rs0

I also gave my admin db user creds which is myUserAdmin, abc123 for verifying the connection. Still not able to connect.

Hi @Ajay_Ganesan

Are you getting an error in Vault logs? If so what is it?

Can you connect from the same host where vault is using mongosh ?

Once you get Vault connected you will definitely require greater privileges as Vault will be creating and revoking users. Use userAdmin if not root .

Hi @chris is this connection URI correct,

mongodb://{{username}}:{{password}}@primary_node:port,secondary_node_1:port,secondary_node_2:port/admin?tls=false&serverSelectionTimeoutMS=2000&replicaSet=rs0

vault is saying unable to verfiy. Also i have created “userAdmin” and “root” users inside admin db

In my case all the nodes of this cluster are standalone servers running in port 27017. Will that be a problem?

Yes this looks okay.

Try connecting from that vault host with mongosh to verify connectivity.

Alternatively turn vault log level up to debug or trace and see if better diagnostic information is available.

Hi @chris what is the meaning directConnection=true flag in the below connection URI

mongodb://{{username}}:{{password}}@primary_node:port,secondary_node_1:port,secondary_node_2:port/admin?tls=false&serverSelectionTimeoutMS=2000&replicaSet=rs0&directConnection=true

Is it like this will force read write operations only on primary node. if thats the case what if the primary node goes down?

It is a node.js option, I don’t find references to it otherwise, it will likely be ignored by Vault as that is a golang application.

Hi @chris vault is able to establish connection only with that flag in the connection URI for a single standalone mongo server

I guess my searching is bad I see that option for the golang mongodriver too: options package - go.mongodb.org/mongo-driver/mongo/options - pkg.go.dev

I’m thinking the names in your replicaset are not resolvable/reachable from the vault server. Which is one reason why I have asked “Can you connect from the same host where vault is using mongosh ?”, I should have further specified “with the same connection string”.

The names you see from db.hello().hosts is what the driver will use for the replicaset, allowing it to connect to the next primary if the current one fails or steps down. The hosts you define in a connection string are seed hosts, hosts that the driver can connect to and discover the replica set.

In the case of direct, the driver is connecting only to one host.

Vault’s -log-level trace option will show the problems it is encountering.
An example when names in the replcaset are not resolvable.

Vault’s (v1.8.2) pop up error:

There was a verification error for this connection. Check the Vault logs for more information.

Trace Log:

2021-09-15T14:20:33.334-0400 [TRACE] secrets.database.database_cd8797eb.mongodb-database-plugin: initialize: transport=builtin status=finished verify=true err=“failed to verify connection: server selection error: server selection timeout, current topology: { Type: ReplicaSetNoPrimary, Servers: [{ Addr: 0b8a7bf72092:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : dial tcp: lookup 0b8a7bf72092 on 192.168.1.254:53: no such host }, { Addr: f0aa1ac332d7:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : dial tcp: lookup f0aa1ac332d7 on 192.168.1.254:53: no such host }, { Addr: 19f3bb7a0948:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : dial tcp: lookup 19f3bb7a0948 on 192.168.1.254:53: no such host }, ] }” took=4.001731259s

hi @chris from the vault server i am able to ping all the external ip’s of the members of replicaset and vice versa. Also when i try to establish connection individually to each of the nodes like below its working
mongodb://{{username}}:{{password}}@primary/admin?tls=false&directConnection=true&serverSelectionTimeoutMS=2000

mongodb://{{username}}:{{password}}@secondary_1/admin?tls=false&directConnection=true&serverSelectionTimeoutMS=2000

the problem is when i give it together. Also i am using vault 1.7.2 and mongo 5.0.2

That doesn’t matter. You need the names that are in the replicaset configuration to resolve. I’ve mentioned where they are, I’ve told you how to enable TRACE logging on vault. Without those things I cannot help you further.

Hi @chris the vault in my case is running in remote server and it was started long back without log level TRACE option, so not possible to restart it from my side as it is in production. I am trying to replicate the scenario in local docker. I have raised this issue in stack overflow. if you could help please have a look at it.

Hi @Ajay_Ganesan,

I do all my mongodb efforts in one place, here on the forums. Once the replica set is working you should have better luck with vault.

2 Likes