How to hide password in mongosh script

lin_choong · January 19, 2024, 3:37am

Hi All,

I would like to automate my script using mongosh but its show password in plaintext

mongosh --host XX --port XX --username XX --password XX --eval “use DBNAME” --eval “db.dropDatabase()”

I tried to use window authentication but its prompted password too.I am currently using mongodb 6.0 and i would like to seek advise on how to hide password in script above.

Kobe_W · January 19, 2024, 4:44am

If you don’t want to specify the secret in plain text in the script file, then you have to pass the secret to the script from “somewhere”. That somewhere can be standard input or other external sources. Which is out of the scope of mongodb tool. (e.g. use a dedicated machine with admin/special access to run this script).

You want to store the raw secret at a safe place and then use a special mechanism to fetch it (e.g. encryption, access control).

steevej · January 19, 2024, 2:15pm

On unix based system such as linux, it would be kind of trivial to do that with sudo.

You create your script as owned by root and then you give it read and executable permissions only to root. You would then create a sudoer entry for each user you want to give the right to run the script. The user would be able to execute the script but not read it.

Sorry but with Windows, I have no clue.

chris · January 19, 2024, 10:08pm

mongosh can run a series of scripts, so something like the below is possible.

mongosh has file methods too, its a basic javascript REPL environment, so reading credentials from a file is possible too,

17:01 $ ls -1 0*.js 
01login.js
02dropDummy.js

files

## 01login.js ##
db.getSiblingDB('admin').auth('cdellaway','solarwinds123')
print(db.runCommand({connectionStatus:1}))

## 02dropDummy.js ##
print(db.getSiblingDB('dummyDB').dropDatabase())

mongosh "mongodb+srv://cluster0.9qfvh.mongodb.net/mgo"  --quiet  01login.js  02dropDummy.js 
{
  authInfo: {
    authenticatedUsers: [ { user: 'cdellaway', db: 'admin' } ],
    authenticatedUserRoles: [
      { role: 'atlasAdmin', db: 'admin' },
      { role: 'clusterMonitor', db: 'admin' }
    ]
  },
  ok: 1
}
{ ok: 1, dropped: 'dummyDB' }

steevej · January 20, 2024, 1:57am

I am not sure how this would work to really hide the password.

From what I understand, mongosh need to read the file 01login.js in order to execute it. So what stops the user running the command mongosh, to just cat (or notepad) the file 01login.js and see the password?

chris · January 20, 2024, 2:03pm

Nothing, its not present on the command line however.

Jack_Woehr · January 20, 2024, 11:59pm

You can hide passwords in environment variables for instance.

If your chosen language has the module env (Python, Node, etc.) see that module.

The Design Pattern associated with these sorts of issues is called Dependency Injection

lin_choong · January 22, 2024, 2:50am

Agree with Steeve on it as we still can see the password from login.js. Would like to have it completely hidden for security purpose

lin_choong · January 22, 2024, 3:10am

Appreciated if you can show some sample code on it

Jack_Woehr · January 22, 2024, 5:37am

How many users use this script @lin_choong ?
And what operating system are you using?

lin_choong · January 22, 2024, 6:47am

This will be used for daily automated script to drop the database and i am using window 2019

steevej · January 22, 2024, 1:13pm

I think that

still suffer the issue that they are hidden but still accessible by people with minimal skills.

Your main system might be Windows, but you can easily and cheaply add something like a Raspberry Pi and implement your scripts using sudoers. Then you automate with systemd timers or cron. I used one to automate water recirculating pumps and parking lights for my apartment building. So what ever I do with my main machines do not ever intervene my automation.

A secondary effect, you will be initiated to the wonderful world of linux. You might like it. (oVo)